2228 files changed, 74156 insertions, 39932 deletions

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 000000000..0c9701d1c
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,4 @@
+# move whitelist/blacklist to allow/deny
+fe0f975f447d59977d90c3226cc8c623b31b20b3
+# Revert "move whitelist/blacklist to allow/deny"
+f43382f1e9707b4fd5e63c7bfe881912aa4ee994
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 000000000..0f13afc51
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,77 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+### Description
+
+_Describe the bug_
+
+### Steps to Reproduce
+
+_Steps to reproduce the behavior_
+
+1. Run in bash `LANG=C firejail PROGRAM` (`LANG=C` to get English messages that can be understood by everybody)
+2. Click on '....'
+3. Scroll down to '....'
+4. See error `ERROR`
+
+### Expected behavior
+
+_What you expected to happen_
+
+### Actual behavior
+
+_What actually happened_
+
+### Behavior without a profile
+
+_What changed calling `firejail --noprofile /path/to/program` in a terminal?_
+
+### Additional context
+
+_Any other detail that may help to understand/debug the problem_
+
+### Environment
+
+- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
+- Firejail version (`firejail --version`).
+- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`).
+
+### Checklist
+
+- [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
+- [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
+- [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
+- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
+- [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
+  - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
+- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)
+
+### Log
+
+<details>
+<summary>Output of <code>firejail /path/to/program</code></summary>
+<p>
+
+```
+output goes here
+```
+
+</p>
+</details>
+
+<details>
+<summary>Output of <code>firejail --debug /path/to/program</code></summary>
+<p>
+
+```
+output goes here
+```
+
+</p>
+</details>
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 000000000..b8fe40acd
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Question
+    url: https://github.com/netblue30/firejail/discussions
+    about: For questions you should use GitHub Discussions.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 000000000..a723cdbde
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+
+_A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_
+
+### Describe the solution you'd like
+
+_A clear and concise description of what you want to happen._
+
+### Describe alternatives you've considered
+
+_A clear and concise description of any alternative solutions or features you've considered._
+
+### Additional context
+
+_Add any other context or screenshots about the feature request here._
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 000000000..57ac2e9c4
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,18 @@
+
+If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
+
+If you submit a PR for new profiles or changing profiles, please do the following:
+ - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
+   > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
+ - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
+ The path to it depends on your distro:
+
+   | Distro | Path |
+   | ------ | ---- |
+   | Arch/Fedora | `/usr/lib64/firejail/sort.py` |
+   | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` |
+   | local git clone | `contrib/sort.py` |
+
+   Note also that the sort.py script exists only since firejail `0.9.61`.
+
+See also [CONTRIBUTING.md](/CONTRIBUTING.md).
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
new file mode 100644
index 000000000..fd1f23954
--- /dev/null
+++ b/.github/workflows/build-extra.yml
@@ -0,0 +1,55 @@
+name: Build-extra CI
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+      - 'src/firecfg/firecfg.config'
+      - '.github/ISSUE_TEMPLATE/*'
+      - '.github/pull_request_template.md'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+      - 'src/firecfg/firecfg.config'
+      - '.github/ISSUE_TEMPLATE/*'
+      - '.github/pull_request_template.md'
+
+jobs:
+  build-clang:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: configure
+      run: CC=clang-11 ./configure --enable-fatal-warnings
+    - name: make
+      run: make
+  scan-build:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install clang-tools-11
+      run: sudo apt-get install clang-tools-11
+    - name: configure
+      run: CC=clang-11 ./configure --enable-fatal-warnings
+    - name: scan-build
+      run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
+  cppcheck:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..141e43168
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,35 @@
+name: Build CI
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+
+jobs:
+  build_and_test:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install dependencies
+      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
+    - name: configure
+      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+    - name: make
+      run: make
+    - name: make install
+      run: sudo make install
+    - name: run tests
+      run: SHELL=/bin/bash make test-github
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..4476963b5
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,75 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+    paths-ignore:
+      - CONTRIBUTING.md
+      - README
+      - README.md
+      - RELNOTES
+      - SECURITY.md
+      - 'etc/**'
+  schedule:
+    - cron: '0 7 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
new file mode 100644
index 000000000..f3ded0f22
--- /dev/null
+++ b/.github/workflows/sort.yml
@@ -0,0 +1,22 @@
+name: sort.py
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'contrib/sort.py'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'contrib/sort.py'
+
+jobs:
+  profile-sort:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
+
diff --git a/.gitignore b/.gitignore
index 0882eeecf..ace86f218 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,30 +2,47 @@
 *.so
 *~
 *.swp
+*.deb
 *.rpm
 *.gcda
 *.gcno
+*.DS_Store
+.directory
+*.man
+.vscode
 Makefile
 autom4te.cache/
 config.log
 config.status
+firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
 firejail-config.5
+firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+jailcheck.1
+mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg
 src/ftee/ftee
+src/fids/fids
 src/tags
 src/faudit/faudit
 src/fnet/fnet
+src/fnetfilter/fnetfilter
+src/fsec-print/fsec-print
 src/fseccomp/fseccomp
+src/fsec-optimize/fsec-optimize
 src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
+src/profstats/profstats
+src/bash_completion/firejail.bash_completion
+src/zsh_completion/_firejail
+src/jailcheck/jailcheck
 uids.h
 seccomp
 seccomp.debug
@@ -33,3 +50,9 @@ seccomp.32
 seccomp.64
 seccomp.block_secondary
 seccomp.mdwx
+seccomp.mdwx.32
+src/common.mk
+aclocal.m4
+__pycache__
+*.pyc
+*.pyo
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 000000000..03e18d269
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,78 @@
+# Basic notes: builds firejail on 5 different systems for 2 package systems:
+# 1. Debian-based systems. Use debian:jessie to ensure reasonable backwards
+# compat and ubuntu:rolling for new setups
+# 2. Redhat-based systems. Use centos:latest for reasonable backwards compat
+# and fedora:latest for new setups
+# 3. Alpine for installing directly from source
+# Also builds apparmor package for Ubuntu LTS
+build_ubuntu_package:
+    image: ubuntu:rolling
+    script:
+        - apt-get update -qq
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3 gawk
+        - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
+        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
+
+build_debian_package:
+    image: debian:stretch
+    script:
+        - apt-get update -qq
+        - apt-get install -y -qq build-essential lintian pkg-config gawk
+        - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
+
+build_redhat_package:
+    image: centos:latest
+    script:
+        - dnf update -y
+        - dnf install -y rpm-build gcc make
+        - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
+
+build_fedora_package:
+    image: fedora:latest
+    script:
+        - dnf update -y
+        - dnf install -y rpm-build gcc make
+        - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
+        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
+
+build_src_package:
+    image: alpine:latest
+    script:
+        - apk update
+        - apk upgrade
+        - apk add build-base linux-headers python3 gawk
+        - ./configure --prefix=/usr && make && make install-strip
+        # - python3 contrib/sort.py etc/*.{profile,inc}
+
+build_apparmor:
+    image: ubuntu:latest
+    script:
+        - apt-get update -qq
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk
+        - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb
+
+debian_ci:
+    image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
+    variables:
+        DEBFULLNAME: "$GITLAB_USER_NAME"
+        DEBEMAIL: "$GITLAB_USER_EMAIL"
+    before_script:
+        - git checkout -B ci_build $CI_COMMIT_SHA
+        - gitlab-ci-enable-sid
+        - gitlab-ci-enable-experimental
+        - echo "deb-src http://deb.debian.org/debian sid main" >> /etc/apt/sources.list
+        - echo "deb-src http://deb.debian.org/debian experimental main" >> /etc/apt/sources.list
+        - apt-get update
+        - git config user.email "$GITLAB_USER_NAME" && git config user.name "$GITLAB_USER_EMAIL"
+        - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
+        - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
+        - rm -rf debian/patches/
+        # next line is a temporary fix for dh_missing failure; remove it after next release
+        - echo "etc/firejail/*.config" >> debian/firejail.install
+        - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
+        - git add debian && git commit -m "add debian/"
+        - export CI_COMMIT_SHA=$(git rev-parse HEAD)
+    script:
+        - apt-get --no-install-recommends install -y -qq gawk
+        - gitlab-ci-git-buildpackage
+        - gitlab-ci-lintian
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 5dd77e1f5..000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-language: c
-dist: trusty
-sudo: true
-
-script:
-  - sudo apt-get -y install expect csh xzdec
-  - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
-  - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
-  - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
-  - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2
-  - # Could use https://github.com/probonopd/uploadtool to upload to GitHub Releases instead
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 000000000..0f868d6c4
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,46 @@
+Welcome to firejail, and thank you for your interest in contributing!
+
+# Opening an issue:
+We welcome issues, whether to ask a question, provide information, request a new profile or
+feature, or to report a suspected bug or problem.
+
+If you want to request a program profile that we don't already have, please add a comment in
+our [dedicated issue](https://github.com/netblue30/firejail/issues/1139).
+
+When submitting a bug report, please provide the following information so that
+we can handle the report more easily:
+ - firejail version. If you're not sure, open a terminal and type `firejail --version`.
+ - Linux distribution (so that we can try to reproduce it, if necessary).
+ - If you know that the problem did not exist in an earlier version of firejail, please mention it.
+ - If you are reporting that a program does not work with firejail, please also run firejail with
+ the `--noprofile` argument.
+ For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and
+ let us know if it runs correctly or not.
+ - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue.
+
+Please note: if you are running Debian, Ubuntu, Linux Mint, or another related
+distribution and you installed firejail from your distro's repositories, please
+ensure that **both** of the following were installed:
+`firejail` and `firejail-profiles`. A common source of issues is that
+firejail-profiles was not installed when installing firejail.
+
+We take security bugs very seriously. If you believe you have found one, please report it by
+emailing us at netblue30@protonmail.com
+
+# Opening an pull request:
+Pull requests with enhancements, bugfixes or new profiles are very welcome.
+
+If you want to write a new profile, the easiest way to do this is to use the
+[profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).
+If you have already written a profile, please make sure it follows the rules described in the template.
+
+If you add a new command, here's the checklist:
+
+ - [ ] Update manpages: firejail(1) and firejail-profile(5)
+ - [ ] Update shell completions
+ - [ ] Update vim syntax files
+ - [ ] Update --help
+
+# Editing the wiki
+
+You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki).
diff --git a/COPYING b/COPYING
index b6e1c33e0..d159169d1 100644
--- a/COPYING
+++ b/COPYING
@@ -1,12 +1,12 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-                            Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-                    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-                            NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-                     END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/Makefile.in b/Makefile.in
index be5ab837f..c94d8c7a4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,9 +1,3 @@
-all: apps man filters
-MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
-
 prefix=@prefix@
 exec_prefix=@exec_prefix@
 bindir=@bindir@
@@ -16,43 +10,75 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 PACKAGE_TARNAME=@PACKAGE_TARNAME@
 DOCDIR=@docdir@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
-HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
 BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
+HAVE_SUID=@HAVE_SUID@
+HAVE_MAN=@HAVE_MAN@
 
-uids.h:; ./mkuid.sh
-
-.PHONY: mylibs $(MYLIBS)
-mylibs: $(MYLIBS) uids.h
-$(MYLIBS):
-        $(MAKE) -C $@
+ifneq ($(HAVE_MAN),no)
+MAN_TARGET = man
+MAN_SRC = src/man
+endif
 
-.PHONY: apps $(APPS)
-apps: $(APPS)
-$(APPS): $(MYLIBS) uids.h
+COMPLETIONDIRS = src/zsh_completion src/bash_completion
+
+.PHONY: all
+all: all_items mydirs $(MAN_TARGET) filters
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
+MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
+
+.PHONY: all_items $(ALL_ITEMS)
+all_items: $(ALL_ITEMS)
+$(ALL_ITEMS): $(MYDIRS)
+        $(MAKE) -C $(dir $@)
+
+.PHONY: mydirs $(MYDIRS)
+mydirs: $(MYDIRS)
+$(MYDIRS):
         $(MAKE) -C $@
 
-$(MANPAGES): $(wildcard src/man/*.txt)
-        ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
+$(MANPAGES): src/man
+        ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
 
 man: $(MANPAGES)
 
-filters: src/fseccomp
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
+filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
+seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp default seccomp
+        src/fsec-optimize/fsec-optimize seccomp
+
+seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp default seccomp.debug allow-debuggers
+        src/fsec-optimize/fsec-optimize seccomp.debug
+
+seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp secondary 32 seccomp.32
-        src/fseccomp/fseccomp secondary 64 seccomp.64
+        src/fsec-optimize/fsec-optimize seccomp.32
+
+seccomp.block_secondary: src/fseccomp/fseccomp
         src/fseccomp/fseccomp secondary block seccomp.block_secondary
+
+seccomp.mdwx: src/fseccomp/fseccomp
         src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
-endif
 
+seccomp.mdwx.32: src/fseccomp/fseccomp
+        src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
+
+.PHONY: clean
 clean:
-        for dir in $(APPS) $(MYLIBS); do \
+        for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir clean; \
         done
+        $(MAKE) -C test clean
         rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
         rm -f $(SECCOMP_FILTERS)
         rm -f test/utils/index.html*
@@ -67,132 +93,114 @@ clean:
         rm -f test/sysutils/firejail_t*
         cd test/compile; ./compile.sh --clean; cd ../..
 
+.PHONY: distclean
 distclean: clean
-        for dir in $(APPS) $(MYLIBS); do \
+        for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir distclean; \
         done
-        rm -fr Makefile autom4te.cache config.log config.status config.h uids.h
+        $(MAKE) -C test distclean
+        rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
 
 realinstall:
         # firejail executable
-        install -m 0755 -d $(DESTDIR)/$(bindir)
-        install -c -m 0755 src/firejail/firejail $(DESTDIR)/$(bindir)/.
-        chmod u+s $(DESTDIR)/$(bindir)/firejail
+        install -m 0755 -d $(DESTDIR)$(bindir)
+        install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
+ifeq ($(HAVE_SUID),yes)
+        chmod u+s $(DESTDIR)$(bindir)/firejail
+endif
         # firemon executable
-        install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/.
+        install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
         # firecfg executable
-        install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/.
+        install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+        # jailcheck executable
+        install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
         # libraries and plugins
-        install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
-        install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 src/libpostexecseccomp/libpostexecseccomp.so $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
-ifeq ($(HAVE_GIT_INSTALL),-DHAVE_GIT_INSTALL)
-        install -c -m 0755 src/fgit/fgit-install.sh $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fgit/fgit-uninstall.sh $(DESTDIR)/$(libdir)/firejail/.
-endif
-
-        install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
-        install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.64 $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
-endif
+        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+        # plugins w/o read permission (non-dumpable)
+        install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+        install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
-        install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
+        # contrib scripts
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
+        # vim syntax
+        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+        install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+        install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
 endif
         # documents
-        install -m 0755 -d $(DESTDIR)/$(DOCDIR)
-        install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
-        install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
-        install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
-        # etc files
-        ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
-        install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
-        for file in .etc/* etc/firejail.config; do \
-                install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
-        done
+        install -m 0755 -d $(DESTDIR)$(DOCDIR)
+        install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
+        # profiles and settings
+        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-        rm -fr .etc
+ifeq ($(BUSYBOX_WORKAROUND),yes)
+        ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
+endif
 ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
         # install apparmor profile
         sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
-        install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
+        install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
         sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
-        install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.
+        # install apparmor profile customization file
+        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
 endif
+ifneq ($(HAVE_MAN),no)
         # man pages
-        install -m 0755 -d $(DESTDIR)/$(mandir)/man1
-        install -m 0755 -d $(DESTDIR)/$(mandir)/man5
+        install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
         for man in $(MANPAGES); do \
                 rm -f $$man.gz; \
                 gzip -9n $$man; \
                 case "$$man" in \
-                        *.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \
-                        *.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \
+                        *.1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \
+                        *.5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \
                 esac; \
         done
         rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
+endif
         # bash completion
-        install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
-        install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
-        install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
-        install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
+        install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
+        install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        # zsh completion
+        install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
+        install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
 
 install: all
         $(MAKE) realinstall
 
 install-strip: all
-        strip src/firejail/firejail
-        strip src/firemon/firemon
-        strip src/firecfg/firecfg
-        strip src/libtrace/libtrace.so
-        strip src/libtracelog/libtracelog.so
-        strip src/libpostexecseccomp/libpostexecseccomp.so
-        strip src/ftee/ftee
-        strip src/faudit/faudit
-        strip src/fnet/fnet
-        strip src/fseccomp/fseccomp
-        strip src/fcopy/fcopy
-        strip src/fldd/fldd
-        strip src/fbuilder/fbuilder
+        strip $(ALL_ITEMS)
         $(MAKE) realinstall
 
 uninstall:
-        rm -f $(DESTDIR)/$(bindir)/firejail
-        rm -f $(DESTDIR)/$(bindir)/firemon
-        rm -f $(DESTDIR)/$(bindir)/firecfg
-        rm -fr $(DESTDIR)/$(libdir)/firejail
-        rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail
+        rm -f $(DESTDIR)$(bindir)/firejail
+        rm -f $(DESTDIR)$(bindir)/firemon
+        rm -f $(DESTDIR)$(bindir)/firecfg
+        rm -fr $(DESTDIR)$(libdir)/firejail
+        rm -fr $(DESTDIR)$(libdir)/jailcheck
+        rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
         for man in $(MANPAGES); do \
-                rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \
-                rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \
+                rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
+                rm -f $(DESTDIR)$(mandir)/man1/$$man*; \
         done
-        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
-        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
-        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
+        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
-DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
-DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
+DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
+DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot"
 
 dist:
         mv config.status config.status.old
+        mv mkdeb.sh mkdeb.sh.old
         make distclean
+        mv mkdeb.sh.old mkdeb.sh
         mv config.status.old config.status
         rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
         mkdir -p $(NAME)-$(VERSION)/test
@@ -206,107 +214,80 @@ dist:
 asc:; ./mkasc.sh $(VERSION)
 
 deb: dist
-        ./mkdeb.sh $(NAME) $(VERSION)
-
-snap: all
-        cd platform/snap; ./snap.sh
+        ./mkdeb.sh
 
-install-snap: snap
-        sudo snap remove faudit; sudo snap install faudit*.snap
+deb-apparmor: dist
+        ./mkdeb.sh -apparmor
 
 test-compile: dist
         cd test/compile; ./compile.sh $(NAME)-$(VERSION)
 
 .PHONY: rpms
-rpms:
+rpms: src/man
         ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
 
 extras: all
         $(MAKE) -C extras/firetools
 
 cppcheck: clean
-        cppcheck --force .
+        cppcheck --force --error-exitcode=1 --enable=warning,performance .
 
 scan-build: clean
-        scan-build make
-
+        NO_EXTRA_CFLAGS="yes" scan-build make
 
 #
 # make test
 #
 
+TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
+TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 
-test-profiles:
-        cd test/profiles; ./profiles.sh | grep TESTING
-
-test-apps:
-        cd test/apps; ./apps.sh | grep TESTING
-
-test-apps-x11:
-        cd test/apps-x11; ./apps-x11.sh | grep TESTING
-
-test-apps-x11-xorg:
-        cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
-
-test-sysutils:
-        cd test/sysutils; ./sysutils.sh | grep TESTING
-
-test-utils:
-        cd test/utils; ./utils.sh | grep TESTING
+$(TEST_TARGETS):
+        $(MAKE) -C test $(subst test-,,$@)
 
-test-environment:
-        cd test/environment; ./environment.sh | grep TESTING
-
-test-filters:
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
-        cd test/filters; ./filters.sh | grep TESTING
-endif
-
-test-arguments:
-        cd test/arguments; ./arguments.sh | grep TESTING
-
-test-fs:
-        cd test/fs; ./fs.sh | grep TESTING
-
-test-fcopy:
-        cd test/fcopy; ./fcopy.sh | grep TESTING
+test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
+        echo "TEST COMPLETE"
 
-test: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
         echo "TEST COMPLETE"
 
-test-travis: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-filters test-arguments
+test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
         echo "TEST COMPLETE"
 
 ##########################################
 # Individual tests, some of them require root access
-# The tests are very intrussive, by the time you are done
+# The tests are very intrusive, by the time you are done
 # with them you will need to restart your computer.
 ##########################################
 
+# a firejail-test account is required, public/private key setup
+test-ssh:
+        $(MAKE) -C test $(subst test-,,$@)
+
 # requires root access
 test-chroot:
-        cd test/chroot; ./chroot.sh | grep testing
+        $(MAKE) -C test $(subst test-,,$@)
 
 # Huge appimage files, not included in "make dist" archive
 test-appimage:
-        cd test/appimage; ./appimage.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # Root access, network devices are created before the test
 # restart your computer to get rid of these devices
 test-network:
-        cd test/network; ./network.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # requires the same setup as test-network
 test-stress:
-        cd test/stress; ./stress.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
-# Tesets running a root user
+# Tests running a root user
 test-root:
-        cd test/root; su -c ./root.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # OverlayFS is not available on all platforms
 test-overlay:
-        cd test/overlay; ./overlay.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
 
diff --git a/README b/README
index ccc3e2588..a15e493ff 100644
--- a/README
+++ b/README
@@ -9,13 +9,15 @@ Pidgin, Quassel, and XChat.
 Firejail also expands the restricted shell facility found  in  bash  by adding
 Linux  namespace support. It supports sandboxing specific users upon login.
 
-Download: http://sourceforge.net/projects/firejail/files/
+Download: https://sourceforge.net/projects/firejail/files/
 Build and install: ./configure && make && sudo make install
 Documentation and support: https://firejail.wordpress.com/
+Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
+Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
 
-
+Please report all security vulnerabilities at netblue30@protonmail.com
 
 Compile and install mainline version from GitHub:
 
@@ -23,32 +25,64 @@ $ git clone https://github.com/netblue30/firejail.git
 $ cd firejail
 $ ./configure && make && sudo make install-strip
 
-On Debian/Ubuntu you will need to install git and a compiler:
-
-$ sudo apt-get install build-essential
+On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
+development libraries and pkg-config are required when using --apparmor
+./configure option:
 
+$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 
+For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
 
 Maintainer:
-- netblue30 (netblue30@yahoo.com)
+- netblue30 (netblue30@protonmail.com)
 
 Committers
+- chiraag-nataraj (https://github.com/chiraag-nataraj)
+- crass (https://github.com/crass)
+- curiosityseeker (https://github.com/curiosityseeker)
+- glitsj16 (https://github.com/glitsj16)
 - Fred-Barclay (https://github.com/Fred-Barclay)
-- Reiner Herrmann (https://github.com/reinerh)
-- smithsohu (https://github.com/smitsohu)
-- SpotComms (https://github.com/SpotComms)
-- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer
+- Kelvin M. Klann (https://github.com/kmk3)
+- Kristóf Marussy (https://github.com/kris7t)
+- Neo00001 (https://github.com/Neo00001)
+- pirate486743186 (https://github.com/pirate486743186)
+- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer)
+- rusty-snake (https://github.com/rusty-snake)
+- smitsohu (https://github.com/smitsohu)
+- SkewedZeppelin (https://github.com/SkewedZeppelin)
+- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer)
 - Topi Miettinen (https://github.com/topimiettinen)
-- netblue30 (netblue30@yahoo.com)
+- veloute (https://github.com/veloute)
+- Vincent43 (https://github.com/Vincent43)
+- netblue30 (netblue30@protonmail.com)
 
 
 
 Firejail Authors (alphabetical order)
 
+0x7969 (https://github.com/0x7969)
+        - fix wire-desktop.profile
+        - add ferdi.profile
+7twin (https://github.com/7twin_)
+        - fix typos
+        - fix flameshot raw screenshots
+1dnrr (https://github.com/1dnrr)
+        - add pybitmessage profile
+Ádler Jonas Gross (https://github.com/adgross)
+        - AppArmor fix
+Adrian L. Shaw (https://github.com/adrianlshaw)
+        - add profanity profile
+        - add barrirer profile
 Aidan Gauland (https://github.com/aidalgol)
-        - added electron and riot-web profiles
+        - added electron, riot-web and npm profiles
+        - whitelist Bohemia Interactive config dir for Steam
 Akhil Hans Maulloo (https://github.com/kouul)
         - xz profile
+Albin Kauffmann (https://github.com/albinou)
+        - Firefox and Chromium profile fixes
+        - info to allow screen sharing in profiles
+Alex Leahu (https://github.com/alxjsn)
+        - fix screen sharing configuration on Wayland
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
         - src/lib/libnetlink.c extracted from iproute2 software package
 Aleksey Manevich (https://github.com/manevich)
@@ -58,7 +92,7 @@ Aleksey Manevich (https://github.com/manevich)
         - fix double quotes/single quotes problem
         - big rework of argument processing subsystem
         - --join fixes
-        - spliting up cmdline.c
+        - splitting up cmdline.c
         - Busybox support
         - X11 support rewrite
         - gether shell selection code in one place
@@ -69,19 +103,50 @@ Aleksey Manevich (https://github.com/manevich)
         - x11 xpra, xphyr, none profile commands
         - added --join-or-start command
         - CVE-2016-7545
+Alexander Gerasiov (https://github.com/gerasiov)
+        - read-only ~/.ssh/authorized_keys
+        - profile updates
 Alexander Stein (https://github.com/ajstein)
         - added profile for qutebrowser
+Amin Vakil (https://github.com/aminvakil)
+        - whois profile fix
+        - added profile for strawberry
+        - w3m profile fix
+        - disable seccomp in wireshark profile
+Andreas Hunkeler (https://github.com/Karneades)
+        - Add profile for offical Linux Teams application
 Andrey Alekseenko (https://github.com/al42and)
         - fixing lintian warnings
         - fixed Skype profile
 andrew160 (https://github.com/andrew160)
         - profile and man pages fixes
+Andrew Branson (https://github.com/abranson)
+        - 32bit ARM syscall table
 announ (https://github.com/announ)
         - mpv and youtube-dl profile fixes
+        - git profile fix
+        - evince profile fix
+Anton Shestakov (https://github.com/antonv6)
+        - add whitelist items for uim
 Antonio Russo (https://github.com/aerusso)
         - enumerate root directories in apparmor profile
+        - fix join-or-start
+        - wusc fixes
+        - okular profile fixes
+        - manpage fixes
+aoand (https://github.com/aoand)
+        - seccomp fix: allow numeric syscalls
+Arne Welzel (https://github.com/awelzel)
+        - ignore SIGTTOU during flush_stdin()
+Atrate (https://github.com/Atrate)
+        - BetterDiscord support
+Austin Morton (https://github.com/apmorton)
+        - deterministic-exit-code option
+        - private-cwd options
 Austin S. Hemmelgarn (https://github.com/Ferroin)
         - unbound profile update
+Avi Lumelsky (https://github.com/avilum)
+        - syscall.sh improvements
 avoidr (https://github.com/avoidr)
         - whitelist fix
         - recently-used.xbel fix
@@ -97,23 +162,71 @@ avoidr (https://github.com/avoidr)
         - added mcabber profile
         - fixed mpv profile
         - various other fixes
+backspac (https://github.com/backspac)
+        - firecfg fixes
+        - add steam-runtime alias
 Bader Zaidan (https://github.com/BaderSZ)
         - Telegram profile
+Bandie (https://github.com/Bandie)
+        - fixed riot-desktop
+Barış Ekin Yıldırım (https://github.com/circuitshaker)
+        - removing net none from code.profile
+Bart Bakker (https://github.com/bjpbakker)
+        - multimc5: fix exec of LWJGL libraries
+bbhtt (https://github.com/bbhtt)
+        - improvements to balsa,fractal,gajim,trojita profiles
+        - improvements to nheko, spectral, feh, links, lynx, smplayer profiles
+        - added alacarte, com.github.bleakgrey.tootle, photoflare profiles
+        - add profiles for MS Edge dev build for Linux and Librewolf
+        - fixes to cheese, authenticator, liferea
+        - add profile for straw-viewer
+        - email clients whitelisting and fixes
 Benjamin Kampmann (https://github.com/ligthyear)
         - Forward exit code from child process
+bitfreak25 (https://github.com/bitfreak25)
+        - added PlayOnLinux profile
+        - minetest profile fix
+        - added sylpheed profile
+
+bn0785ac (https://github.com/bn0785ac)
+        - fixed bnox, dnox profiles
+        - support all tor-browser langpacks
+        - chromium canary (inox-family) fixes
+        - allow multithreading for cin and natron
+        - fix dbus access for libreoffice on KDE
+        - fix inox, add snox profile
 BogDan Vatra (https://github.com/bog-dan-ro)
         - zoom profile
+Brad Ackerman
+        - blacklist Bitwarden config in disable-passwdmgr.inc
+briaeros (https://github.com/briaeros)
+        - fix command test in jail_prober.py
+botherer (https://github.com/botherder)
+        - add CoyIM profile
 Bruno Nova (https://github.com/brunonova)
         - whitelist fix
         - bash arguments fix
+Bundy01 (https://github.com/Bundy01)
+        - fixup geary
+        - add gradio profile
+        - update virtualbox.profile
+        - Quodlibet profile
 BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
         - network system fixes
+Carlo Abelli (https://github.com/carloabelli)
+        - fixed udiskie profile
+        - Allow mbind syscall for GIMP
+        - fixed simple-scan
 Cat (https://github.com/ecat3)
         - prevent tmux connecting to an existing session
+Christian Pinedo (https://github.com/chrpinedo)
+        - added nicotine profile
+        - allow python3 in totem profile
 creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
+        - tor browser profile fix
 chiraag-nataraj (https://github.com/chiraag-nataraj)
         - support for newer Xpra versions (2.1+)
         - added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
@@ -123,7 +236,18 @@ chiraag-nataraj (https://github.com/chiraag-nataraj)
 Christian Stadelmann (https://github.com/genodeftest)
         - profile fixes
         - evolution profile fix
-curiosity-seeker (https://github.com/curiosity-seeker)
+Clayton Williams (https://github.com/gosre)
+        - addition of RLIMIT_AS
+corecontingency (https://https://github.com/corecontingency)
+        - tighten private-bin and etc for torbrowser-launcher.profile
+        - added i2prouter profile
+        - add several games to steam and disable-programs
+crass (https://github.com/crass)
+        - extract_command_name fixes
+        - update appimage size calculation to newest code from libappimage
+        - firejail should look for processes with names exactly named
+curiosity-seeker (https://github.com/curiosity-seeker - old)
+curiosityseeker (https://github.com/curiosityseeker - new)
         - tightening unbound and dnscrypt-proxy profiles
         - correct and tighten QuiteRss profile
         - dnsmasq profile
@@ -134,36 +258,90 @@ curiosity-seeker (https://github.com/curiosity-seeker)
         - added VirtualBox.profile
         - various other profile fixes
         - added digiKam profile
+        - write-protection for thumbnailer dir
+        - added gramps, newsboat, freeoffice-planmaker profiles
+        - added freeoffice-textmaker, freeoffice-presentations profiles
+        - added cantata profile
+        - updated keypassxc profile
+        - added syscalls.sh, which determine the necessary syscalls for a program
+        - fixed conky profile
+        - thunderbird.profile: harden and enable the rules necessary to make Firefox open links
 da2x (https://github.com/da2x)
         - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
         - protect shell startup files
+Danil Semelenov (https://github.com/sgtpep)
+        - blacklist the Electron Cash Wallet
+        - blacklist s3cmd and s3fs configs
+        - blacklist Ethereum, Monero wallets
+        - blacklist Dash Core wallet
 Dara Adib (https://github.com/daradib)
         - ssh profile fix
         - evince profile fix
+        - linphone profile fix
+Dario Pellegrini (https://github.com/dpellegr)
+        - allowing links in netns
+David Thole (https://github.com/TheDarkTrumpet)
+        - added profile for teams-for-linux
+Davide Beatrici (https://github.com/davidebeatrici)
+        - steam.profile: correctly blacklist unneeded directories in user's home
+        - minetest fixes
+        - map /dev/input with "--private-dev", add "--no-input" option to disable it
+        - whitelist /usr/share/TelegramDesktop in telegram.profile
+David Hyrule (https://github.com/Svaag)
+        - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
         - added xpdf profile
+Denys Havrysh (https://github.com/vutny)
+        - update SkypeForLinux profile for latest version
+        - removed outdated Skype profile
 dewbasaur (https://github.com/dewbasaur)
         - block access to history files
         - Firefox PDF.js exploit (CVE-2015-4495) fixes
         - Steam profile
+DiGitHubCap (https://github.com/DiGitHubCap)
+        - deluge profile fix
+        - fix qt5ct colour schemes and QSS
+Disconnect3d (https://github.com/disconnect3d)
+        - code cleanup
+dmfreemon (https://github.com/dmfreemon)
+        - add sandbox name or name of private directory to the window title when xpra is used
+        - handle malloc() failures; use gnu_basename() instead of basenaem()
 dshmgh (https://github.com/dshmgh)
         - overlayfs fix for systems with /home mounted on a separate partition
 Duncan Overbruck (https://github.com/Duncaen)
         - musl libc fix
         - utmp fix
         - fix install for --disable-seccomp software configurations
+Eduard Tolosa (https://github.com/Edu4rdSHL)
+        - fixed and hardened qpdfview.profile
+        - fixed gajim.profile
 emacsomancer (https://github.com/emacsomancer)
         - added profile for Conkeror browser
+Emil Gedda (https://github.com/EmilGedda)
+        - fix multicast CIDR address in nolocal.net
 eventyrer (https://github.com/eventyrer)
         - update gnome-mplayer.profile
+Ethan R (https://github.com/AN3223)
+        - add allow-perl.inc to w3m.profile
 Fabian Würfl (https://github.com/BafDyce)
         - fixed race condition when creating a new directory
         - Liferea profile
 Felipe Barriga Richards (https://github.com/fbarriga)
         - --private-etc fix
+fenuks (https://github.com/fenuks)
+        - fix sound in games using FMOD
+Florian Begusch (https://github.com/florianbegusch)
+        - (la)tex profiles
+        - fixed transmission-common.profile
+        - fixed standardnotes-desktop.profile
+        - fix jailprober.py
+floxo (https://github.com/floxo)
+        - fixed qml disk cache issue
 Franco (nextime) Lanza (https://github.com/nextime)
         - added --private-template/--private-home
+František Polášek (https://github.com/fandaa)
+        - fix QOwnNotes profile
 fuelflo (https://github.com/fuelflo)
     - added rambox profile
 Fred-Barclay (https://github.com/Fred-Barclay)
@@ -212,13 +390,44 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added BibleTime profile
         - added caja and galculator profiles
         - added Catfish profile
-G4JC (http://sourceforge.net/u/gaming4jc/profile/)
+Frederik Olesen (https://github.com/Freso)
+        - added many vim profiles
+g3ngr33n (https://github.com/g3ngr33n)
+        - fix musl compilation
+G4JC (https://sourceforge.net/u/gaming4jc/profile/)
         - ARM support
         - profile fixes
 Gaman Gabriel (https://github.com/stelariusinfinitek)
         - inox profile
 geg2048 (https://github.com/geg2048)
         - kwallet profile fixes
+glitsj16 (https://github.com/glitsj16)
+        - evince-previewer, evince-thumbnailer profiles
+        - gnome-recipes, gnome-logs profiles
+        - fixed private-lib for gnome-calculator
+        - gunzip, bunzip2 profiles
+        - enchant, enchat-2, enchant-lsmod, enchant-lsmod-2 profiles
+        - atool, soundconvertor, mpd, gnome-calculator, makepkg profile fixes
+        - acat, adiff, als, apack, arepack, aunpack profiles,
+        - fix sqlitebrowser blacklist
+        - spelling fixes
+        - bitblbee profile fixes
+        - fix firefox common addons
+        - many profile fixes
+        - profile fixes: file, strings, claws-mail,
+        - new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
+        - new profiles: devilspie, devilspie2, easystroke, github-desktop, min
+        - new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
+        - new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
+        - new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
+        - new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
+        - new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
+        - new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
+        - new profiles: masterpdfeditor
+gm10 (https://github.com/gm10)
+        - get_user() do not use the unreliable getlogin()
+GovanifY (https://github.com/GovanifY)
+        - Blacklisting openrc paths by defaults
 graywolf (https://github.com/graywolf)
         - spelling fix
 greigdp (https://github.com/greigdp)
@@ -226,18 +435,32 @@ greigdp (https://github.com/greigdp)
         - fixed spotify profile
         - added Slack profile
         - add Spotify profile
+grizzlyuser (https://github.com/grizzlyuser)
+        - added support for youtube-dl in smplayer profile
 GSI (https://github.com/GSI)
         - added Uzbl browser profile
+haarp (https://github.com/haarp)
+        - Allow sound for hexchat
 hamzadis (https://github.com/hamzadis)
         - added --overlay-named=name and --overlay-path=path
+Hans-Christoph Steiner (https://github.com/eighthave)
+        - added xournal profile
+Harald Kubota (https://github.com/haraldkubota)
+        - zsh completion
 hawkey116477 (https://github.com/hawkeye116477)
         - added Waterfox profile
         - updated Cyberfox profile
         - updated Waterfox profile
 Helmut Grohne (https://github.com/helmutg)
         -  compiler support in the build system - Debian bug #869707
+hhzek0014 (https://github.com/hhzek0014)
+        - updated  bibletime.profile
+hlein (https://github.com/hlein)
+        - strip out \r's from jail prober
 Holger Heinz (https://github.com/hheinz)
         - manpage work
+Haowei Yu (https://github.com/sfc-gh-hyu)
+        - add configure options when building rpm
 Icaro Perseo (https://github.com/icaroperseo)
         - Icecat profile
         - several profile fixes
@@ -247,17 +470,47 @@ iiotx (https://github.com/iiotx)
         - use generic.profile by default
 Impyy (https://github.com/Impyy)
         - added mumble profile
+intika (https://github.com/intika)
+        - added musixmatch profile
+irandms (https://github.com/irandms)
+        - man firecfg fixes
 irregulator (https://github.com/irregulator)
         - thunderbird profile fixes for debian stretch
 Irvine (https://github.com/Irvinehimself)
         - added conky profile
+        - added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles
+Ivan (https://github.com/ordinary-dev)
+        - fix telegram profile
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
         - cpio profile
 James Elford (https://github.com/jelford)
         - pass password manager support
-        - removed shell none from ssh-agent configuration, fixing the infinit loop
+        - removed shell none from ssh-agent configuration, fixing the infinite loop
+        - added gcloud profile
+        - blacklist sensitive cloud provider files in disable-common
+Jean Lucas (https://github.com/flacks)
+        - fix Discord profile
+        - add AnyDesk profile
+        - add WebStorm profile
+        - add XMind profile
+        - add Whalebird profile
+        - add zulip profile
+        - add nvm to list of disabled interpreters
+        - fixes for tor-browser-* profiles
+        - alias for riot-desktop
+        - add gnome-mpv profile
+        - fix wire profile
+        - fix itch profile
+        - add Beaker profile
+        - fixes for gnome-music
+        - allow reading of system-wide Flatpak locale in gajim profile
+Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
+        - fixed spotify.profile
+Jeff Squyres (https://github.com/jsquyres)
+        - various manpage fixes
+        - cmdline.c: optionally quote the resulting command line
 Jericho (https://github.com/attritionorg)
         - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -270,6 +523,19 @@ Joan Figueras (https://github.com/figue)
         - added cyberfox profile
 John Mullee (https://github.com/jmullee)
         - fix empty-string assignment in whitelisting code
+Jonas Heinrich (https://github.com/onny)
+        - added signal-desktop profile
+        - fixed franz profile
+Jose Riha (https://github.com/jose1711)
+        - added meteo-qt profile
+        - created qgis, links, xlinks profiles
+        - extended profile.template with comments
+        - some typo and comment fixes in profile.template
+        - Make it possible for cheese app to save pictures too
+        - Add davfs2 secrets file to blacklist
+        - Add profile for udiskie
+        - fix udiskie.profile
+        - improve hints for allowing browser access to Gnome extensions connector
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
@@ -282,6 +548,8 @@ juan (https://github.com/nyancat18)
         - profile hardening
 Kaan Genç (https://github.com/SeriousBug)
         - dynamic allocation of noblacklist buffer
+Karoshi42 (https://github.com/karoshi42)
+        - update dino-im.profile
 KellerFuchs (https://github.com/KellerFuchs)
         - nonewpriv support, extended profiles for this feature
         - make `restricted-network` prevent use of netfilter
@@ -290,8 +558,35 @@ KellerFuchs (https://github.com/KellerFuchs)
         - added support for .local profile files in /etc/firejail
         - fixed Cryptocat profile
         - make ~/.local read-only
+Kelvin (https://github.com/kmk3)
+        - disable ldns utilities, dnssec-*, khost, unbound-host
+        - sort DNS / RUNUSER paths
+        - improve bug_report.md
+        - fix keypassxc
+        - blacklist oksh shell in disable-shell.inc
+Kishore96in (https://github.com/Kishore96in)
+        - added falkon profile
+        - kxmlgui fixes
+        - okular profile fixes
+        -  jitsi-meet-desktop profile
+        - konversatin profile fix
+        - added Neochat profile
+        - added whitelist-1793-workaround.inc
 KOLANICH (https://github.com/KOLANICH)
         - added symlink fixer fix_private-bin.py in contrib section
+        - update fix_private-bin.py
+        - fix meld
+kortewegdevries (https://github.com/kortewegdevries)
+        - a whole bunch of new profiles and fixes
+        - whitelisting evolution, kmail
+Kristóf Marussy (https://github.com/kris7t)
+        - dns support
+kuesji koesnu (https://github.com/kuesji)
+        - unit suffixes for rlimit-fsize and rlimit-as
+        - util.c and firejail.h fixes
+        - better parser for size strings
+Kunal Mehta (https://github.com/legoktm)
+        - converted all links to https in manpages
 laniakea64 (https://github.com/laniakea64)
         - added fj-mkdeb.py script to build deb packages
 Lari Rauno (https://github.com/tuutti)
@@ -302,6 +597,21 @@ LaurentGH (https://github.com/LaurentGH)
         - allow private-bin parameters to be absolute paths
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
+Liorst4 (https://github.com/Liorst4)
+        - Preserve CFLAGS given to configure in common.mk.in
+        - fix emacs config to load as read-write
+        - disable browser drm by default
+        - minetest fixes
+Lockdis (https://github.com/Lockdis)
+        - Added crow, nyx, and google-earth-pro profiles
+Lukáš Krejčí (https://github.com/lskrejci)
+        - fixed parsing of --keep-var-tmp
+luzpaz (https://github.com/luzpaz)
+        - code spelling fixes
+lxeiqr (https://github.com/lxeiqr)
+        - fix sndio support
+Mace Muilman (https://github.com/mace015)
+        - google-chrome{,beta,unstable} flags
 maces (https://github.com/maces)
         - Franz messenger profile
 Madura A (https://github.com/manushanga)
@@ -309,6 +619,8 @@ Madura A (https://github.com/manushanga)
 mahdi1234 (https://github.com/mahdi1234)
         - cherrytree profile
         - Seamonkey profiles
+Manuel Dipolt (https://github.com/xeniter)
+        - stack alignment for the ARM Architecture
 Martin Carpenter (https://github.com/mcarpenter)
         - security audit and bug fixes
         - Centos 6.x support
@@ -321,31 +633,92 @@ Mattias Wadman (https://github.com/wader)
         - seccomp errno filter support
 Matthew Gyurgyik (https://github.com/pyther)
         - rpm spec and several fixes
-melvinvermeeren (https://github.com/melvinvermeeren)
+Matthew Cline (https://github.com/matthew-cline)
+        - steam profile and dropbox profile fixes
+matu3ba (https://github.com/matu3ba)
+        - evince hardening, dbus removed
+        - fix dia profile
+        - several template fixes
+maxice8 (https://github.com/maxice8)
+        - fixed missing header
+Melvin Vermeeren (https://github.com/melvinvermeeren)
         - added teamspeak3 profile
+        - added --noautopulse command line option
 Michael Haas (https://github.com/mhaas)
         - bugfixes
+Michael Hoffmann (https://github.com/brisad)
+        - added support for subdirs in private-etc
 Mike Frysinger (vapier@gentoo.org)
         - Gentoo compile patch
+minus7 (https://github.com/minus7)
+        - fix hanging arp_check
+mirabellette (https://github.com/mirabellette)
+        - add comment to thunderbird.profile to allow Firefox to load profiles
 mjudtmann (https://github.com/mjudtmann)
         - lock firejail configuration in disable-mgmt.inc
 mustaqimM (https://github.com/mustaqimM)
-    - added profile for Nylas Mail
+        - added profile for Nylas Mail
 n1trux (https://github.com/n1trux)
         - fix flashpeak-slimjet profile typos
-netblue30 (netblue30@yahoo.com)
+nblock (https://github.com/nblock)
+        - cmus: allow access to resolv.conf
+neirenoir (https://github.com/neirenoir) and noir <noir@neire.dev>
+        - fixed Blender profile being unable to import numpy
+Neo00001 (https://github.com/Neo00001)
+        - add vmware profile
+        - update virtualbox profile
+        - update telegram profile
+        - add spectacle profile
+        - add kdiff3 profile
+NetSysFire (https://github.com/NetSysFire)
+        - update weechat profile
+Nick Fox (https://github.com/njfox)
+        - add a profile alias for code-oss
+        - add code-oss config directory
+        - fix wire-desktop.profile on arch
+NickMolloy (https://github.com/NickMolloy)
+        - ARP address length fix
+Nico (https://github.com/dr460nf1r3)
+        - added FireDragon profile
+Nicola Davide Mannarelli (https://github.com/nidamanx)
+        - fix "Could not create AF_NETLINK socket"
+        - added nextcloud profiles
+        - Firefox, KeepassXC, Telegram fixes
 Niklas Haas (https://github.com/haasn)
         - blacklisting for keybase.io's client
+Niklas Goerke (https://github.com/Niklas974)
+        - update QOwnNotes profile
+Nikos Chantziaras (https://github.com/realnc)
+        - fix audio support for Discord
+nolanl (https://github.com/nolanl)
+        - added localtime to signal-desktop's profile
 nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
         - allow firefox theming with non-global themes
+OndrejMalek (https://github.com/OndrejMalek)
+        - various manpage fixes
+Ondřej Nový (https://github.com/onovy)
+        -  allow video for Signal profile
+        - added Mattermost desktop profile
+        - hardened Zoom profile
+        - hardened Signal desktop profile
+Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec)
+        - prevent thunderbird conflicts when firefox is running
+        - add join-or-start to pluma to open multiple files in tabs
+        - fixes to keepassxc, thunderbird and pluma
 Panzerfather (https://github.com/Panzerfather)
         - allow eog to access user's trash
-Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/)
+Patrick Schleizer (https://github.com/adrelanos)
+        - fix tb-starter-wrapper profile
+Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
         - user namespace implementation
+Paul Moore <pmoore@redhat.com>
+        -src/fsec-print/print.c extracted from libseccomp software package
 Paupiah Yash (https://github.com/CaffeinatedStud)
         - gzip  profile
+Pawel (https://github.com/grimskies)
+        - make --join return exit code of the invoked program
 Peter Millerchip (https://github.com/pmillerchip)
         - memory allocation fix
         - --private.keep to --private-home transition
@@ -359,18 +732,43 @@ Peter Hogg (https://github.com/pigmonkey)
         - bitlbee profile fixes
         - mutt profile fixes
         - fixes for youtube-dl in mpv profile
+Peter Sanford (https://github.com/psanford)
+        - fix QtWebEngine in zoom
 Petter Reinholdtsen (pere@hungry.com)
         - Opera profile patch
 PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
         - fix quiterss profile
         - added profile for gnome-ring
+pholodniak (https://github.com/pholodniak)
+        - profstats fixes
+pianoslum (https://github.com/pianoslum)
+        - nodbus breaking evince two-page-view warning
 pirate486743186 (https://github.com/pirate486743186)
         - KMail profile
+        - mpsyt profile
+        - fix youtube-dl and mpv
+        - fix gnome-mpv profile
+        - fix gunzip profile
+        - reorganizing youtube-viewers
+        - fix pluma profile
+        - whitelist /var/lib/aspell
+        - mcomix fixes
+        - fixing engrampa profile
+        - adding qcomicbook and pipe-viewer in disable-programs
+        - newsboat/newsbeuter profiles
+        - fix atril profile
+        - reorganizing links browsers
+        - added rtv, alpine, mcomix, qcomicbook, googler, ddgr profiles
+        - w3m, zahura, profile.template fixes
 Pixel Fairy (https://github.com/xahare)
         - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
 PizzaDude (https://github.com/pizzadude)
         - add mpv support to smplayer
         - added profile for torbrowser-launcher
+        - added profile for sayonara and qmmp
+        - remove tracelog from Firefox profile
+polyzen (https://github.com/polyzen)
+        - fixed wusc issue with mpv/Vulkan
 probonopd (https://github.com/probonopd)
         - automatic build on Travis CI
 pshpsh (https://github.com/pshpsh)
@@ -381,6 +779,11 @@ pszxzsd (https://github.com/pszxzsd)
         -uGet profile
 pwnage-pineapple (https://github.com/pwnage-pineapple)
         - update Okular profile
+Quentin Minster (https://github.com/laomaiweng)
+        - propagate --quiet to children Firejail'ed processes
+        - nodbus enhancements/bugfixes
+        - added vim syntax and ftdetect files
+        - Allow exec from /usr/libexec & co. with AppArmor
 Rafael Cavalcanti (https://github.com/rccavalcanti)
         - chromium profile fixes for Arch Linux
 Rahiel Kasim (https://github.com/rahiel)
@@ -390,8 +793,14 @@ Rahiel Kasim (https://github.com/rahiel)
         - added telegram-desktop profile
 Rahul Golam (https://github.com/technoLord)
         - strings profile
+RandomVoid (https://github.com/RandomVoid)
+        - fix building C# projects in Godot
+        - fix Lutris profile
+        - fix running games with enabled Feral GameMode in Lutris
 Raphaël Droz (https://github.com/drzraf)
         - zoom profile fixes
+realaltffour (https://github.com/realaltffour)
+        - add lynx support to newsboat profile
 Reiner Herrmann (https://github.com/reinerh)
         - a number of build patches
         - man page fixes
@@ -405,16 +814,50 @@ Reiner Herrmann (https://github.com/reinerh)
 Remco Verhoef (https://github.com/nl5887)
         - add overlay configuration to profiles
         - prevent running shells recursively
+RD PROJEKT (https://github.com/RDProjekt)
+        - noblacklist support for /sys/module directory
+        - whitelist support for /sys/module directory
+        - support AMD GPU by OpenCL in Blender
 rogshdo (https://github.com/rogshdo)
         - BitlBee profile
+rootalc (https://github.com/rootalc)
+        - add nolocal6.net filter
 Ruan (https://github.com/ruany)
         - fixed hexchat profile
+rusty-snake (https://github.com/rusty-snake)
+        - added profiles: thunderbird-wayland, supertuxkart, ghostwriter
+        - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
+        - added profiles: gajim-history-manager, freemind, nomacs, kid3
+        - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap
+        - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk
+        - added profiles: ktouch, yelp, klatexformula, klatexformula_cmdl
+        - added profiles: pandoc, gnome-sound-recorder, godot, newsbeuter
+        - added profiles: keepassxc-cli, keepassxc-proxy, rhythmbox-client
+        - added profiles: zeal, gnome-characters, gnome-character-map
+        - many profile fixing and hardening
+        - some typo fixes
+        - added profile templates
+        - added sort.py to contrib
+sak96 (https://github.com/sak96)
+        - discord profile fixes
+Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
+        - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
         - rewrite globbing code to fix various minor issues
         - added noblacklist command for profile files
         - various enhancements and bug fixes
+Sebastian Hafner (https://github.com/DropNib)
+        - profile support for allow-debuggers
+Senemu (https://github.com/Senemu)
+        - protection for .pythonrc.py
+        - fixed evince
 Sergey Alirzaev (https://github.com/l29ah)
         - firejail.h enum fix
+        - firefox-common-addons.inc: + tridactyl
+Slava Monich (https://github.com/monich)
+        - added configure option to disable man pages
+Tobias Schmidl (https://github.com/schtobia)
+        - added profile for webui-aria2
 Simon Peter (https://github.com/probonopd)
         - set $APPIMAGE and $APPDIR environment variables
         - AppImage version detection
@@ -423,7 +866,11 @@ Simon Peter (https://github.com/probonopd)
 sinkuu (https://github.com/sinkuu)
         - blacklisting kwalletd
         - fix symlink invocation for programs placing symlinks in $PATH
-smithsohu (https://github.com/smitsohu)
+Simo Piiroinen (https://github.com/spiiroin)
+        - Jolla/SailfishOS patches
+slowpeek (https://github.com/slowpeek)
+        - refine appimage example in docs
+smitsohu (https://github.com/smitsohu)
         - read-only kde4 services directory
         - enhanced mediathekview profile
         - added tuxguitar profile
@@ -439,7 +886,11 @@ smithsohu (https://github.com/smitsohu)
 soredake (https://github.com/soredake)
         - fix steam startup with >=llvm-4
         - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
-SpotComms (https://github.com/SpotComms)
+        - fix keepassxc.profile
+        - fix qtox.profile
+        - add localtime to private-etc to make qtox show correct time
+        - fixes for the keepassxc 2.2.5 version
+SkewedZeppelin (https://github.com/SkewedZeppelin)
         - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
         - added PDFSam, Pithos, and Xonotic profiles
         - disabled Go, Rust, and OpenSSL in disable-devel.conf
@@ -470,7 +921,7 @@ SpotComms (https://github.com/SpotComms)
         - hardern /var
         - profile standard layout
         - Spotify and itch.io profile fixes
-sshirokov (http://sourceforge.net/u/yshirokov/profile/)
+sshirokov (https://sourceforge.net/u/yshirokov/profile/)
         - Patch to output "Reading profile" to stderr instead of stdout
 SYN-cook (https://github.com/SYN-cook)
         - keepass/keepassx browser fixes
@@ -505,6 +956,12 @@ startx2017 (https://github.com/startx2017)
         - handbrake profile
         - mplayer and smplayer profiles
         - kwrite and geary profiles
+StelFux (https://github.com/StelFux)
+        - Fix youtube video in totem
+the-antz (https://github.com/the-antz)
+        - Fix libx265 encoding in ffmpeg profile
+        - Fix Firefox profile
+        - Profile tweaks
 thewisenerd (https://github.com/thewisenerd)
         - allow multiple private-home commands
         - use $SHELL variable if the shell is not specified
@@ -519,10 +976,17 @@ Thomas Jarosch (https://github.com/thomasjfox)
         - added lstat() / lstat64() support to libtrace
         - include mkuid.sh in make dist
         - cppcheck bugfixes
+Timo Hardebusch (https://github.com/tihadot)
+        - add signal-cli profile
+        - KeePassXC: added a warning regarding tray icon
+tinmanx (https://github.com/tinmanx)
+        - remove network access from cherrytree.profile
 Tom Mellor (https://github.com/kalegrill)
         - mupen64plus profile
 Tomasz Jan Góralczyk (https://github.com/tjg)
         - fixed Steam profile
+Tomi Leppänen (https://github.com/Tomin1)
+        - Jolla/SailfishOS patches
 Topi Miettinen (https://github.com/topimiettinen)
         - improved seccomp printing
         - improve mount handling, fix /run/user handling
@@ -530,8 +994,15 @@ Topi Miettinen (https://github.com/topimiettinen)
         - seccomp default list update
         - improve loading of seccomp filter and memory-deny-write-execute feature
         - private-lib feature
+        - make --nodbus block also system D-Bus socket
+Ted Robertson  (https://github.com/tredondo)
+        - webstorm profile fixes
+        - added bcompare profile
+        - various documentation fixes
 user1024 (user1024@tut.by)
         - electron profile whitelisting
+        - fixed Rocket.Chat profile
+        - nheko profile
 valoq (https://github.com/valoq)
         - lots of profile fixes
         - added support for /srv in --whitelist feature
@@ -559,21 +1030,47 @@ Vasya Novikov (https://github.com/vn971)
         - fixed firecfg clean/clear issue
         - found the ugliest bug so far
         - seccomp debug description in man page
+        - seccomp syscall list update for glibc 2.26-10
 Veeti Paananen (https://github.com/veeti)
         - fixed Spotify profile
+veloute (https://github.com/veloute)
+        - added standardnotes profile
+        - added flameshot profile
+        - added jdownloader profile
+        - fixed discord profile
+        - fixes for various profiles
+        - removed vim and ranger from firecfg
+        - fixing keepassxc auto-type, noexec /tmp
+        - fix ipc-namespace prblem in file-roller
+        - fix exiftool, viewnior, aria2c, ffmpegthumbnailer
+        - fix pavucontrol (ipcnamespace)
+        - fix gnuchess
+        - add anki profile
+Vincent43 (https://github.com/Vincent43)
+        - apparmor enhancements
+Vincent Blillault (https://github.com/Feandil)
+        - fix mumble profile
 vismir2 (https://github.com/vismir2)
         - feh, ranger, 7z, keepass, keepassx and zathura profiles
         - claws-mail, mutt, git, emacs, vim profiles
         - lots of profile fixes
         -  support for truecrypt and zuluCrypt
+viq (https://github.com/viq)
+        - discord-canary profile
 Vladimir Gorelov (https://github.com/larkvirtual)
         - added Yandex browser profile
 Vladimir Schowalter (https://github.com/VladimirSchowalter20)
         - apparmor profile enhancements
         - various KDE profile enhancements
         read-only kde5 services directory
+Vladislav Nepogodin (https://github.com/vnepogodin)
+        - added Librewolf profiles
+        - added Sway profile
+        - fix CLion profile
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
+Ypnose (https://github.com/Ypnose)
+        - disable-shell.inc: add mksh shell
 yumkam (https://github.com/yumkam)
         - add compile-time option to restrict --net= to root only
         - man page fixes
@@ -596,4 +1093,7 @@ Zack Weinberg (https://github.com/zackw)
           with firejail --x11
         - support for xpra-extra-params in firejail.config
 
-Copyright (C) 2014-2017 Firejail Authors
+zupatisc (https://github.com/zupatisc)
+        - patch-util fix
+
+Copyright (C) 2014-2021 Firejail Authors
diff --git a/README.md b/README.md
index 57f9a3e25..0623d9463 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@
 # Firejail
-[![Build Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail)
+[![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/)
+[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
+[![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
+[![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
 
 Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
 the running environment of untrusted applications using Linux namespaces, seccomp-bpf
@@ -16,8 +19,47 @@ The sandbox is lightweight, the overhead is low. There are no complicated config
 no socket connections open, no daemons running in the background. All security features are
 implemented directly in Linux kernel and available on any Linux computer.
 
-[![About Firejail](video.png)](http://www.youtube.com/watch?v=Yk1HVPOeoTc)
+<table><tr>
 
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U
+" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg"
+alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
+</td>
+
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
+" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
+alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
+</td>
+
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
+" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
+alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
+</td>
+
+
+</tr><tr>
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
+" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
+alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
+
+</td>
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
+" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
+alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
+
+</td>
+<td>
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
+" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
+alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
+
+</td>
+</tr></table>
 
 Project webpage: https://firejail.wordpress.com/
 
@@ -27,26 +69,75 @@ Features: https://firejail.wordpress.com/features-3/
 
 Documentation: https://firejail.wordpress.com/documentation-2/
 
-FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
+FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+
+Wiki: https://github.com/netblue30/firejail/wiki
+
+GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
+
+Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA
+
+Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/
+
+## Security vulnerabilities
+
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
+
+`````
+Security Advisory - Feb 8, 2021
+
+Summary: A vulnerability resulting in root privilege escalation was discovered in
+Firejail's OverlayFS code,
+
+Versions affected: Firejail software versions starting with 0.9.30.
+Long Term Support (LTS) Firejail branch is not affected by this bug.
+
+Workaround: Disable overlayfs feature at runtime.
+In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no".
+
+      $ grep overlayfs /etc/firejail/firejail.config
+      # Enable or disable overlayfs features, default enabled.
+      overlayfs no
 
-Travis-CI status: https://travis-ci.org/netblue30/firejail
+Fix: The bug is fixed in Firejail version 0.9.64.4
 
+GitHub commit: (file configure.ac)
+https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
+
+Credit:  Security researcher Roman Fiedler analyzed the code and discovered the vulnerability.
+Functional PoC exploit code was provided to Firejail development team.
+A description of the problem is here on Roman's blog:
+
+https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
+https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
+`````
+
+## Installing
+
+Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+
+The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package.
+
+You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
 
-## Compile and install
 `````
 $ git clone https://github.com/netblue30/firejail.git
 $ cd firejail
 $ ./configure && make && sudo make install-strip
 `````
-On Debian/Ubuntu you will need to install git and a compiler:
+On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
+development libraries and pkg-config are required when using `--apparmor`
+./configure option:
 `````
-$ sudo apt-get install git build-essential
+$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 `````
+For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
 
+Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
 
 ## Running the sandbox
 
-To start the sandbox, prefix your command with “firejail”:
+To start the sandbox, prefix your command with `firejail`:
 
 `````
 $ firejail firefox            # starting Mozilla Firefox
@@ -54,7 +145,7 @@ $ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
-Run "firejail --list" in a terminal to list all active sandboxes. Example:
+Run `firejail --list` in a terminal to list all active sandboxes. Example:
 `````
 $ firejail --list
 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
@@ -93,92 +184,87 @@ If you keep additional Firejail security profiles in a public repository, please
 * https://github.com/triceratops1/fe
 
 Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
-`````
 
-`````
-# Current development version: 0.9.51
+You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
 
-## Whitelisting /var
+We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
 
-Add "include /etc/firejail/whitelist-var-common.inc" to an application profile and test it. If it's working,
-send a pull request. I did it so far for some more common applications like Firefox, Chromium etc.
+## Latest released version: 0.9.66
 
-## Profile build  tool
-`````
-$ firejail --build appname
-`````
-The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
-
-Example:
-`````
-$ firejail --build /usr/bin/vlc ~/Videos/test.mp4
-
-[...]
-
-############################################
-# /usr/bin/vlc profile
-############################################
-# Persistent global definitions
-# include /etc/firejail/globals.local
+## Current development version: 0.9.67
 
-### basic blacklisting
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
+Milestone page: https://github.com/netblue30/firejail/milestone/1
+Release discussion: https://github.com/netblue30/firejail/issues/3696
 
-### home directory whitelisting
-whitelist ~/Videos
-whitelist ~/.local/share/vlc
-whitelist ~/.config/vlc
-include /etc/firejail/whitelist-common.inc
+Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change!
 
-### filesystem
-private-tmp
-private-dev
-private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux,
-whitelist /var/lib/menu-xdg
-# private-bin vlc,
+The old whitelist/blacklist will remain as aliasses for the next one or two releases
+in order to give users a chance to switch their local profiles.
+The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
 
-### security filters
-caps.drop all
-nonewprivs
-seccomp
-# seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create
-# 76 syscalls total
-# Probably you will need to add more syscalls to seccomp.keep. Look for
-# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while
-# running your sandbox.
+### Intrusion Detection System ###
 
-### network
-protocol unix,netlink,
-net none
+We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config),
+and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids.
+The program runs as regular user, each user has his own file in /var/lib/firejail.
 
-### environment
-shell none
-$
+Initialize the database:
 `````
-
-## New command line options
+$ firejail --ids-init
+Loading /etc/firejail/ids.config config file
+500 1000 1500 2000
+2457 files scanned
+IDS database initialized
 `````
-      --writable-run-user
-              This    options    disables   the   default   blacklisting   of
-              run/user/$UID/systemd and /run/user/$UID/gnupg.
 
-              Example:
-              $ sudo firejail --writable-run-user
+Later, we check it:
 `````
-
-## New profiles:
-
-terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu,
-amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter,
-calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
-calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
-imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
-ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
-conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
-aosp, pdfmod, gnome-ring
+$ firejail --ids-check
+Loading /etc/firejail/ids.config config file
+500 1000 1500
+Warning: modified /home/netblue/.bashrc
+2000
+2457 files scanned: modified 1, permissions 0, new 0, removed 0
+`````
+The program will print the files that have been modified since the database was created, or the files with different access permissions.
+New files and deleted files are also flagged.
+
+Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped.
+The program can also be run as root (sudo firejail --ids-init/--ids-check).
+
+### Profile Statistics
+
+A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
+```
+$ sudo cp src/profstats/profstats /etc/firejail/.
+$ cd /etc/firejail
+$ ./profstats *.profile
+    profiles                    1150
+    include local profile       1150   (include profile-name.local)
+    include globals             1120   (include globals.local)
+    blacklist ~/.ssh            1026   (include disable-common.inc)
+    seccomp                     1050
+    capabilities                1146
+    noexec                      1030   (include disable-exec.inc)
+    noroot                      959
+    memory-deny-write-execute   253
+    apparmor                    681
+    private-bin                 667
+    private-dev                 1009
+    private-etc                 523
+    private-tmp                 883
+    whitelist home directory    547
+    whitelist var               818   (include whitelist-var-common.inc)
+    whitelist run/user          616   (include whitelist-runuser-common.inc
+                                        or blacklist ${RUNUSER})
+    whitelist usr/share         591   (include whitelist-usr-share-common.inc
+    net none                    391
+    dbus-user none              641
+    dbus-user filter            105
+    dbus-system none            792
+    dbus-system filter          7
+```
+
+### New profiles:
+
+clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp
diff --git a/RELNOTES b/RELNOTES
index 4c272ccee..86c4a6104 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,10 +1,376 @@
-firejail (0.9.51) baseline; urgency=low
-  * work in progress!
+firejail (0.9.67) baseline; urgency=low
+  * work in progress
+  * deprecated --disable-whitelist at compile time
+  * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+  * remove (some) environment variables with auth-tokens
+  * new includes: whitelist-run-common.inc, disable-X11.inc
+  * removed includes: disable-passwordmgr.inc
+  * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
+  * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
+  * new profiles: yt-dlp
+ -- netblue30 <netblue30@yahoo.com>  Thu, 29 Jul 2021 09:00:00 -0500
+
+firejail (0.9.66) baseline; urgency=low
+  * deprecated --audit options, relpaced by jailcheck utility
+  * deprecated follow-symlink-as-user from firejail.config
+  * new firejail.config settings: private-bin, private-etc
+  * new firejail.config settings: private-opt, private-srv
+  * new firejail.config settings: whitelist-disable-topdir
+  * new firejail.config settings: seccomp-filter-add
+  * removed kcmp syscall from seccomp default filter
+  * rename --noautopulse to keep-config-pulse
+  * filtering environment variables
+  * zsh completion
+  * command line: --mkdir, --mkfile
+  * --protocol now accumulates
+  * Jolla/SailfishOS patches
+  * private-lib rework
+  * whitelist rework
+  * jailtest utility for testing running sandboxes
+  * capabilities list update
+  * faccessat2 syscall support
+  * --private-dev keeps /dev/input
+  * added --noinput to disable /dev/input
+  * add support for subdirs in --private-etc
+  * compile time: --enable-force-nonewprivs
+  * compile time: --disable-output
+  * compile time: --enable-lts
+  * subdirs support in private-etc
+  * input devices support in private-dev, --no-input
+  * support trailing comments on profile lines
+  * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
+  * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
+  * avidemux, calligragemini, vmware-player, vmware-workstation
+  * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr
+  * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum
+  * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum
+  * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway
+  * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper,
+  * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
+  * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
+  * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
+  * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
+  * links2, xlinks2, googler, ddgr, tin
+ -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
+
+firejail (0.9.64.4) baseline; urgency=low
+  * disabled overlayfs, pending multiple fixes (CVE-2021-26910)
+ -- netblue30 <netblue30@yahoo.com>  Sun, 7 Feb 2021 09:00:00 -0500
+
+firejail (0.9.64.2) baseline; urgency=low
+  * allow --tmpfs inside $HOME for unprivileged users
+  * --disable-usertmpfs  compile time option
+  * allow AF_BLUETOOTH via --protocol=bluetooth
+  * Setup guide for new users: contrib/firejail-welcome.sh
+  * implement netns in profiles
+  * added nolocal6.net IPv6 network filter
+  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
+  * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
+  * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo
+  * new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi
+  * new profiles: guvcview, pkglog, kdiff3, CoyIM
+ -- netblue30 <netblue30@yahoo.com>  Tue, 26 Jan 2021 09:00:00 -0500
+
+firejail (0.9.64) baseline; urgency=low
+  * replaced --nowrap option with --wrap in firemon
+  * The blocking action of seccomp filters has been changed from
+    killing the process to returning EPERM to the caller. To get the
+    previous behaviour, use --seccomp-error-action=kill or
+    syscall:kill syntax when constructing filters, or override in
+    /etc/firejail/firejail.config file.
+  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
+    xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
+    With this version nodbus is deprecated, in favor of dbus-user none and
+    dbus-system none and will be removed in a future version.
+  * DHCP client support
+  * firecfg only fix dektop-files if started with sudo
+  * SELinux labeling support
+  * custom 32-bit seccomp filter support
+  * restrict ${RUNUSER} in several profiles
+  * blacklist shells such as bash in several profiles
+  * whitelist globbing
+  * mkdir and mkfile support for /run/user directory
+  * support ignore for include
+  * --include on the command line
+  * splitting up media players whitelists in whitelist-players.inc
+  * new condition: HAS_NOSOUND
+  * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
+  * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
+  * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
+  * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
+  * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
+  * new profiles: presentations18, presentations18free, textmaker18, teams
+  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
+  * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
+  * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
+  * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
+  * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
+  * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
+  * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
+  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
+  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
+  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
+  * new profiles: swell-foop, fdns, five-or-more, steam-runtime
+  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
+  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
+  * new profiles: gapplication, openarena_ded, element-desktop, cawbird
+  * new profiles: freetube, strawberry, jitsi-meet-desktop
+  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
+  * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
+  * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
+  * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
+  * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
+  * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
+  * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
+  * new profiles: qrencode, ytmdesktop, twitch
+  * new profiles: xournalpp, chromium-freeworld, equalx
+ -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 08:00:00 -0500
+
+firejail (0.9.62) baseline; urgency=low
+  * added file-copy-limit in /etc/firejail/firejail.config
+  * profile templates (/usr/share/doc/firejail)
+  * allow-debuggers support in profiles
+  * several seccomp enhancements
+  * compiler flags autodetection
+  * move chroot entirely from path based to file descriptor based mounts
+  * whitelisting /usr/share in a large number of profiles
+  * new scripts in conrib: gdb-firejail.sh and sort.py
+  * enhancement: whitelist /usr/share in some profiles
+  * added signal mediation ot apparmor profile
+  * new conditions: HAS_X11, HAS_NET
+  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
+  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
+  * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
+  * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
+  * new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
+  * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
+  * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
+  * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
+  * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
+  * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
+  * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
+  * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
+  * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
+  * new profiles: electron-mail, gist, gist-paste
+ -- netblue30 <netblue30@yahoo.com>  Sat, 28 Dec 2019 08:00:00 -0500
+
+firejail (0.9.60) baseline; urgency=low
+  * security bug reported by Austin Morton:
+    Seccomp filters are copied into /run/firejail/mnt, and are writable
+    within the jail. A malicious process can modify files from inside the
+    jail. Processes that are later joined to the jail will not have seccomp
+    filters applied.
+  * memory-deny-write-execute now also blocks memfd_create
+  * add private-cwd option to control working directory within jail
+  * blocking system D-Bus socket with --nodbus
+  * bringing back Centos 6 support
+  * drop support for flatpak/snap packages
+  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
+  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
+  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
+  * new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
+  * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
+  * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
+  * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
+  * new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
+  * new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
+  * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
+  * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
+  * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
+  * new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
+  * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
+  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
+  * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
+  * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
+ -- netblue30 <netblue30@yahoo.com>  Sun, 26 May 2019 08:00:00 -0500
+
+firejail (0.9.58,2) baseline; urgency=low
+  * cgroup flag in /etc/firejail/firejail.config file
+  * name-change flag in /etc/firejail.config file
+  * --name rework
+  * new profiles: klavaro, vscodium
+  * browser profiles fixes
+  * various other bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Fri, 8 Feb 2019 08:00:00 -0500
+
+firejail (0.9.58) baseline; urgency=low
+  * --disable-mnt rework
+  * --net.print command
+  * GitLab CI/CD integration: disto specific builds
+  * profile parser enhancements and conditional handling support
+     for HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F
+  * profile name support
+  * added explicit nonewprivs support to join option
+  * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
+  * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
+  * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
+  * new profiles: lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep
+  * new profiles: lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat
+  * new profiles: xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore
+  * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
+  * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
+  * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
+  * new profiles: feedreader, ocenaudio, mpsyt, thunderbird-wayland
+  * new profiles: supertuxkart, ghostwriter, gajim-history-manager
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Sat, 26 Jan 2019 08:00:00 -0500
+
+firejail (0.9.56) baseline; urgency=low
+  * modif: removed CFG_CHROOT_DESKTOP configuration option
+  * modif: removed compile time --enable-network=restricted
+  * modif: removed compile time --disable-bind
+  * modif: --net=none allowed even if networking was disabled at compile
+     time or at run time
+  * modif: allow system users to run the sandbox
+  * support wireless devices in --net option
+  * support tap devices in --net option (tunneling support)
+  * allow IP address configuration if the parent interface specified
+     by --net is not configured (--netmask)
+  * support for firetunnel utility
+  * disable U2F devices (--nou2f)
+  * add --private-cache to support private ~/.cache
+  * support full paths in private-lib
+  * globbing support in private-lib
+  * support for local user directories in firecfg (--bindir)
+  * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint,
+  * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio,
+  * new profiles: standardnotes-desktop, shellcheck, patch, flameshot,
+  * new profiles: rview, rvim, vimcat, vimdiff, vimpager, vimtutor, xxd,
+  * new profiles: Beaker, electrum, clamtk, pybitmessage, dig, whois,
+  * new profiles: jdownloader, Fluxbox, Blackbox, Awesome, i3
+  * new profiles: start-tor-browser.desktop
+ -- netblue30 <netblue30@yahoo.com>  Tue, 18 Sep 2018 08:00:00 -0500
+
+firejail (0.9.54) baseline; urgency=low
+  * modif: --force removed
+  * modif: --csh, --zsh removed
+  * modif: --debug-check-filename removed
+  * modif: --git-install and --git-uninstall removed
+  * modif: support for private-bin, private-lib and shell none has been
+     disabled while running AppImage archives in order to be able to use
+     our regular profile files with AppImages.
+  * modif: restrictions for /proc, /sys and /run/user directories
+     are moved from AppArmor profile into firejail executable
+  * modif: unifying Chromium and Firefox browsers profiles.
+     All users of Firefox-based browsers who use addons and plugins
+     that read/write from ${HOME} will need to uncomment the includes for
+     firefox-common-addons.inc in firefox-common.profile.
+  * modif: split disable-devel.inc into disable-devel and
+     disable-interpreters.inc
+  * Firejail user access database (/etc/firejail/firejail.users,
+     man firejail-users)
+  * add --noautopulse to disable automatic ~/.config/pulse (for complex setups)
+  * Spectre mitigation patch for gcc and clang compiler
+  * D-Bus handling (--nodbus)
+  * AppArmor support for overlayfs and chroot sandboxes
+  * AppArmor support for AppImages
+  * Enable AppArmor by default for a large number of programs
+  * firejail --apparmor.print option
+  * firemon --apparmor option
+  * apparmor yes/no flag in /etc/firejail/firejail.config
+  * seccomp syscall list update for glibc 2.26-10
+  * seccomp disassembler for --seccomp.print option
+  * seccomp machine code optimizer for default seccomp filters
+  * IPv6 DNS support
+  * whitelist support for overlay and chroot sandboxes
+  * private-dev support for overlay and chroot sandboxes
+  * private-tmp support for overlay and chroot sandboxes
+  * added sandbox name support in firemon
+  * firemon/prctl enhancements
+  * noblacklist support for /sys/module directory
+  * whitelist support for /sys/module directory
+  * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
+  * new profiles: discord-canary, pycharm-community, pycharm-professional,
+  * new profiles: pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, kaffeine,
+  * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes,
+  * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer,
+  * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud,
+  * new profiles: musixmatch, gunzip, bunzip2, enchant-lsmod, enchant-lsmod-2,
+  * new profiles: enchant, enchant-2, Discord, acat, adiff, als, apack,
+  * new profiles: arepack, aunpack profiles, ppsspp, scallion, clion,
+  * new profiles: baloo_filemetadata_temp_extractor, AnyDesk, webstorm, xmind,
+  * new profiles: qmmp, sayonara
+ -- netblue30 <netblue30@yahoo.com>  Wed, 16 May 2018 08:00:00 -0500
+
+firejail (0.9.52) baseline; urgency=low
+  * modif: --allow-private-blacklists was deprecated; blacklisting,
+    read-only, read-write, tmpfs and noexec are allowed in
+    private home directories
+  * modif: remount-proc-sys deprecated from firejail.config
+  * modif: follow-symlink-private-bin deprecated from firejail.config
+  * modif: --profile-path was deprecated
   * enhancement: support Firejail user config directory in firecfg
   * enhancement: disable DBus activation in firecfg
+  * enhancement; enumerate root directories in apparmor profile
+  * enhancement: /etc and /usr/share whitelisting support
+  * enhancement: globbing support for --private-bin
+  * feature: systemd-resolved integration
+  * feature: whitelisting /var directory in most profiles
+  * feature: GTK2, GTK3 and Qt4 private-lib support
+  * feature: --debug-private-lib
+  * feature: test deployment of private-lib for the following
+    applications: evince, galculator, gnome-calculator,
+    leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
+    atril, mate-color-select, tar, file, strings, gpicview,
+    eom, eog, gedit, pluma
   * feature: --writable-run-user
+  * feature: --rlimit-as
+  * feature: --rlimit-cpu
+  * feature: --timeout
   * feature: profile build tool (--build)
- -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
+  * feature: --netfilter.print
+  * feature: --netfilter6.print
+  * feature: netfilter template support
+  * new profiles: upstreamed many profiles from the following sources:
+     https://github.com/chiraag-nataraj/firejail-profiles,
+     https://github.com/nyancat18/fe,
+     https://aur.archlinux.org/packages/firejail-profiles.
+  * new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
+      clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
+      brackets, calligra, calligraauthor, calligraconverter, calligraflow,
+      calligraplan, calligraplanwork, calligrasheets, calligrastage,
+      calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
+      google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
+      mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
+      Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
+      cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
+      xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
+      kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report
+      cower (Arch), kdeinit4
+ -- netblue30 <netblue30@yahoo.com>  Thu, 7 Dec 2017 08:00:00 -0500
+
+firejail (0.9.50) baseline; urgency=low
+  * modif: --output split in two commands, --output and --output-stderr
+  * feature: per-profile disable-mnt (--disable-mnt)
+  * feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
+  * feature: private /lib directory (--private-lib)
+  * feature: disable CDROM/DVD drive (--nodvd)
+  * feature: disable DVB devices (--notv)
+  * feature: --profile.print
+  * enhancement: print all seccomp filters under --debug
+  * enhancement: /proc/sys mounting
+  * enhancement: rework IP address assignment for --net options
+  * enhancement: support for newer Xpra versions (2.1+) -
+     set xpra-attach yes in /etc/firejail/firejail.config
+  * enhancement: all profiles use a standard layout style
+  * enhancement: create /usr/local for firecfg if the directory doesn't exist
+  * enhancement: allow full paths in --private-bin
+  * seccomp feature: --memory-deny-write-execute
+  * seccomp feature: seccomp post-exec
+  * seccomp feature: block secondary architecture (--seccomp.block_secondary)
+  * seccomp feature: seccomp syscall groups
+  * seccomp enhancement: print all seccomp filters under --debug
+  * seccomp enhancement: default seccomp list update
+  * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
+  * new profiles: Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
+  * new profiles: Android Studio, electron, riot-web, Extreme Tux Racer,
+  * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
+  * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
+  * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter
+  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
+  * new profiles: sqlitebrowse, Yandex Browser, minetest
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Sat, 30 Sep 2017 08:00:00 -0500
 
 firejail (0.9.50~rc1) baseline; urgency=low
   * release pending!
@@ -17,7 +383,7 @@ firejail (0.9.50~rc1) baseline; urgency=low
   * feature: --profile.print
   * enhancement: print all seccomp filters under --debug
   * enhancement: /proc/sys mounting
-  * enhancement: rework IP address assingment for --net options
+  * enhancement: rework IP address assignment for --net options
   * enhancement: support for newer Xpra versions (2.1+) -
      set xpra-attach yes in /etc/firejail/firejail.config
   * enhancement: all profiles use a standard layout style
@@ -239,7 +605,7 @@ firejail (0.9.42) baseline; urgency=low
   * feature: option to fix desktop files (firecfg --fix)
   * compile time: Busybox support (--enable-busybox-workaround)
   * compile time: disable overlayfs (--disable-overlayfs)
-  * compile time: disable whitlisting (--disable-whitelist)
+  * compile time: disable whitelisting (--disable-whitelist)
   * compile time: disable global config (--disable-globalcfg)
   * run time: enable/disable overlayfs (overlayfs yes/no)
   * run time: enable/disable  quiet as default (quiet-by-default yes/no)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..ef9b9b5fb
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,26 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported by us    | EOL                | Supported by distribution                                                         |
+| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- |
+| 0.9.66  | :heavy_check_mark: |                    | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable)          |
+| 0.9.64  | :x:                |                    | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 |
+| 0.9.62  | :x:                |                    | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10                                 |
+| 0.9.60  | :x:                | 29 Dec 2019        |                                                                                   |
+| 0.9.58  | :x:                |                    | :white_check_mark: Debian 9 **backports**, Debian 10                              |
+| 0.9.56  | :x:                | 27 Jan 2019        |                                                                                   |
+| 0.9.54  | :x:                | 18 Sep 2018        |                                                                                   |
+| 0.9.52  | :x:                |                    | :white_check_mark: Ubuntu 18.04 LTS                                               |
+| 0.9.50  | :x:                | 12 Dec 2017        |                                                                                   |
+| 0.9.48  | :x:                | 09 Sep 2017        |                                                                                   |
+| 0.9.46  | :x:                | 12 Jun 2017        |                                                                                   |
+| 0.9.44  | :x:                |                    | :white_check_mark: Debian 9                                                       |
+| 0.9.42  | :x:                | 22 Oct 2016        |                                                                                   |
+| 0.9.40  | :x:                | 09 Sep 2016        |                                                                                   |
+| 0.9.38  | :x:                |                    | :white_check_mark: Ubuntu 16.04 LTS                                               |
+| <0.9.38 | :x:                | Before 05 Feb 2016 |                                                                                   |
+
+## Security vulnerabilities
+
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com
diff --git a/configure b/configure
index f64aa2dac..33a4ca9fb 100755
--- a/configure
+++ b/configure
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.51.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.67.
 #
-# Report bugs to <netblue30@yahoo.com>.
+# Report bugs to <netblue30@protonmail.com>.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -267,10 +267,10 @@ fi
     $as_echo "$0: be upgraded to zsh 4.3.4 or later."
   else
     $as_echo "$0: Please tell bug-autoconf@gnu.org and
-$0: netblue30@yahoo.com about your system, including any
-$0: error possibly output before this message. Then install
-$0: a modern shell, or manually run the script under such a
-$0: shell if you do have one."
+$0: netblue30@protonmail.com about your system, including
+$0: any error possibly output before this message. Then
+$0: install a modern shell, or manually run the script
+$0: under such a shell if you do have one."
   fi
   exit 1
 fi
@@ -580,10 +580,10 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.51'
-PACKAGE_STRING='firejail 0.9.51'
-PACKAGE_BUGREPORT='netblue30@yahoo.com'
-PACKAGE_URL='http://firejail.wordpress.com'
+PACKAGE_VERSION='0.9.67'
+PACKAGE_STRING='firejail 0.9.67'
+PACKAGE_BUGREPORT='netblue30@protonmail.com'
+PACKAGE_URL='https://firejail.wordpress.com'
 
 ac_unique_file="src/firejail/main.c"
 # Factoring default headers for most tests.
@@ -624,28 +624,39 @@ ac_includes_default="\
 
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
-HAVE_SECCOMP_H
+EGREP
+GREP
+CPP
+HAVE_LTS
+HAVE_FORCE_NONEWPRIVS
 HAVE_CONTRIB_INSTALL
-HAVE_GIT_INSTALL
 HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
-HAVE_WHITELIST
+HAVE_SUID
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
 HAVE_NETWORK
 HAVE_GLOBALCFG
-HAVE_BIND
 HAVE_CHROOT
-HAVE_SECCOMP
 HAVE_PRIVATE_HOME
+HAVE_FIRETUNNEL
+HAVE_GAWK
+HAVE_MAN
+HAVE_USERTMPFS
+HAVE_OUTPUT
 HAVE_OVERLAYFS
+HAVE_DBUSPROXY
 EXTRA_LDFLAGS
-EGREP
-GREP
-CPP
+EXTRA_CFLAGS
+HAVE_SELINUX
 HAVE_APPARMOR
+AA_LIBS
+AA_CFLAGS
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
+PKG_CONFIG
 RANLIB
 INSTALL_DATA
 INSTALL_SCRIPT
@@ -699,23 +710,28 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
+enable_analyzer
 enable_apparmor
-enable_overlayfs
+enable_selinux
+enable_dbusproxy
+enable_output
+enable_usertmpfs
+enable_man
+enable_firetunnel
 enable_private_home
-enable_seccomp
 enable_chroot
-enable_bind
 enable_globalcfg
 enable_network
 enable_userns
 enable_x11
 enable_file_transfer
-enable_whitelist
+enable_suid
 enable_fatal_warnings
 enable_busybox_workaround
 enable_gcov
-enable_git_install
 enable_contrib_install
+enable_force_nonewprivs
+enable_lts
 '
       ac_precious_vars='build_alias
 host_alias
@@ -725,6 +741,11 @@ CFLAGS
 LDFLAGS
 LIBS
 CPPFLAGS
+PKG_CONFIG
+PKG_CONFIG_PATH
+PKG_CONFIG_LIBDIR
+AA_CFLAGS
+AA_LIBS
 CPP'
 
 
@@ -1276,7 +1297,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.51 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.67 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1338,7 +1359,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.51:";;
+     short | recursive ) echo "Configuration of firejail 0.9.67:";;
    esac
   cat <<\_ACEOF
 
@@ -1346,28 +1367,32 @@ Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-analyzer       enable GCC static analyzer
   --enable-apparmor       enable apparmor
-  --disable-overlayfs     disable overlayfs
+  --enable-selinux        SELinux labeling support
+  --disable-dbusproxy     disable dbus proxy
+  --disable-output        disable --output logging
+  --disable-usertmpfs     disable tmpfs as regular user
+  --disable-man           disable man pages
+  --disable-firetunnel    disable firetunnel
   --disable-private-home  disable private home feature
-  --disable-seccomp       disable seccomp
   --disable-chroot        disable chroot
-  --disable-bind          disable bind
   --disable-globalcfg     if the global config file firejail.cfg is not
                           present, continue the program using defaults
   --disable-network       disable network
-  --enable-network=restricted
-                          restrict --net= to root only
   --disable-userns        disable user namespace
   --disable-x11           disable X11 sandboxing support
   --disable-file-transfer disable file transfer
-  --disable-whitelist     disable whitelist
+  --disable-suid          install as a non-SUID executable
   --enable-fatal-warnings -W -Wall -Werror
   --enable-busybox-workaround
                           enable busybox workaround
   --enable-gcov           Gcov instrumentation
-  --enable-git-install    enable git install feature
   --enable-contrib-install
                           install contrib scripts
+  --enable-force-nonewprivs
+                          enable force nonewprivs
+  --enable-lts            enable long-term support software version (LTS)
 
 Some influential environment variables:
   CC          C compiler command
@@ -1377,13 +1402,20 @@ Some influential environment variables:
   LIBS        libraries to pass to the linker, e.g. -l<library>
   CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
               you have headers in a nonstandard directory <include dir>
+  PKG_CONFIG  path to pkg-config utility
+  PKG_CONFIG_PATH
+              directories to add to pkg-config's search path
+  PKG_CONFIG_LIBDIR
+              path overriding pkg-config's built-in search path
+  AA_CFLAGS   C compiler flags for AA, overriding pkg-config
+  AA_LIBS     linker flags for AA, overriding pkg-config
   CPP         C preprocessor
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
-Report bugs to <netblue30@yahoo.com>.
-firejail home page: <http://firejail.wordpress.com>.
+Report bugs to <netblue30@protonmail.com>.
+firejail home page: <https://firejail.wordpress.com>.
 _ACEOF
 ac_status=$?
 fi
@@ -1446,7 +1478,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.51
+firejail configure 0.9.67
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1498,6 +1530,52 @@ fi
 
 } # ac_fn_c_try_compile
 
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext conftest$ac_exeext
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+         test "$cross_compiling" = yes ||
+         test -x conftest$ac_exeext
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+        ac_retval=1
+fi
+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+  # interfere with the next link command; also delete a directory that is
+  # left behind by Apple's compiler.  We do this before executing the actions.
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_link
+
 # ac_fn_c_try_cpp LINENO
 # ----------------------
 # Try to preprocess conftest.$ac_ext, and return whether this succeeded.
@@ -1605,9 +1683,9 @@ $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
 $as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## ---------------------------------- ##
-## Report this to netblue30@yahoo.com ##
-## ---------------------------------- ##"
+( $as_echo "## --------------------------------------- ##
+## Report this to netblue30@protonmail.com ##
+## --------------------------------------- ##"
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
@@ -1698,57 +1776,11 @@ $as_echo "$ac_res" >&6; }
   eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 
 } # ac_fn_c_check_header_compile
-
-# ac_fn_c_try_link LINENO
-# -----------------------
-# Try to link conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_link ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  rm -f conftest.$ac_objext conftest$ac_exeext
-  if { { ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_link") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-         test "$cross_compiling" = yes ||
-         test -x conftest$ac_exeext
-       }; then :
-  ac_retval=0
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-        ac_retval=1
-fi
-  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-  # interfere with the next link command; also delete a directory that is
-  # left behind by Apple's compiler.  We do this before executing the actions.
-  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-  as_fn_set_status $ac_retval
-
-} # ac_fn_c_try_link
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.51, which was
+It was created by firejail $as_me 0.9.67, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2097,7 +2129,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 
-#AC_CONFIG_HEADERS([config.h])
+
 
 
 ac_ext=c
@@ -2889,7 +2921,6 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-#AC_PROG_CXX
 ac_aux_dir=
 for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
   if test -f "$ac_dir/install-sh"; then
@@ -3105,21 +3136,799 @@ else
 fi
 
 
+HAVE_SPECTRE="no"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mindirect-branch=thunk" >&5
+$as_echo_n "checking whether C compiler accepts -mindirect-branch=thunk... " >&6; }
+if ${ax_cv_check_cflags___mindirect_branch_thunk+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -mindirect-branch=thunk"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___mindirect_branch_thunk=yes
+else
+  ax_cv_check_cflags___mindirect_branch_thunk=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5
+$as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; }
+if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then :
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
+
+else
+  :
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5
+$as_echo_n "checking whether C compiler accepts -mretpoline... " >&6; }
+if ${ax_cv_check_cflags___mretpoline+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -mretpoline"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___mretpoline=yes
+else
+  ax_cv_check_cflags___mretpoline=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
+$as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
+if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
+
+else
+  :
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5
+$as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; }
+if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fstack-clash-protection"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___fstack_clash_protection=yes
+else
+  ax_cv_check_cflags___fstack_clash_protection=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5
+$as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; }
+if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then :
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
+
+else
+  :
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5
+$as_echo_n "checking whether C compiler accepts -fstack-protector-strong... " >&6; }
+if ${ax_cv_check_cflags___fstack_protector_strong+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fstack-protector-strong"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ax_cv_check_cflags___fstack_protector_strong=yes
+else
+  ax_cv_check_cflags___fstack_protector_strong=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5
+$as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; }
+if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then :
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
+
+else
+  :
+fi
+
+
+# Check whether --enable-analyzer was given.
+if test "${enable_analyzer+set}" = set; then :
+  enableval=$enable_analyzer;
+fi
+
+if test "x$enable_analyzer" = "xyes"; then :
+
+        EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
+
+fi
+
 HAVE_APPARMOR=""
 # Check whether --enable-apparmor was given.
 if test "${enable_apparmor+set}" = set; then :
   enableval=$enable_apparmor;
 fi
 
+
+
+
+
+
+
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+        if test -n "$ac_tool_prefix"; then
+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PKG_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
+if test -n "$PKG_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
+$as_echo "$PKG_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKG_CONFIG"; then
+  ac_pt_PKG_CONFIG=$PKG_CONFIG
+  # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $ac_pt_PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
+if test -n "$ac_pt_PKG_CONFIG"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
+$as_echo "$ac_pt_PKG_CONFIG" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+  if test "x$ac_pt_PKG_CONFIG" = x; then
+    PKG_CONFIG=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+    PKG_CONFIG=$ac_pt_PKG_CONFIG
+  fi
+else
+  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
+fi
+
+fi
+if test -n "$PKG_CONFIG"; then
+        _pkg_min_version=0.9.0
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
+        if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+        else
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                PKG_CONFIG=""
+        fi
+fi
 if test "x$enable_apparmor" = "xyes"; then :
 
         HAVE_APPARMOR="-DHAVE_APPARMOR"
 
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
+$as_echo_n "checking for AA... " >&6; }
+
+if test -n "$AA_CFLAGS"; then
+    pkg_cv_AA_CFLAGS="$AA_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libapparmor\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libapparmor") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_AA_CFLAGS=`$PKG_CONFIG --cflags "libapparmor" 2>/dev/null`
+                      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$AA_LIBS"; then
+    pkg_cv_AA_LIBS="$AA_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libapparmor\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libapparmor") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_AA_LIBS=`$PKG_CONFIG --libs "libapparmor" 2>/dev/null`
+                      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+                AA_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libapparmor" 2>&1`
+        else
+                AA_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libapparmor" 2>&1`
+        fi
+        # Put the nasty error message in config.log where it belongs
+        echo "$AA_PKG_ERRORS" >&5
+
+        as_fn_error $? "Package requirements (libapparmor) were not met:
+
+$AA_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables AA_CFLAGS
+and AA_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+        { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables AA_CFLAGS
+and AA_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+        AA_CFLAGS=$pkg_cv_AA_CFLAGS
+        AA_LIBS=$pkg_cv_AA_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+        EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"
+fi
+
+
+fi
+
+HAVE_SELINUX=""
+# Check whether --enable-selinux was given.
+if test "${enable_selinux+set}" = set; then :
+  enableval=$enable_selinux;
+fi
+
+if test "x$enable_selinux" = "xyes"; then :
+
+        HAVE_SELINUX="-DHAVE_SELINUX"
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux "
+
+
+fi
+
+
+
+
+
+HAVE_DBUSPROXY=""
+# Check whether --enable-dbusproxy was given.
+if test "${enable_dbusproxy+set}" = set; then :
+  enableval=$enable_dbusproxy;
+fi
+
+if test "x$enable_dbusproxy" != "xno"; then :
+
+        HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
+
+
+fi
+
+# overlayfs features temporarily disabled pending fixes
+HAVE_OVERLAYFS=""
+
+#
+#AC_ARG_ENABLE([overlayfs],
+#    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+#AS_IF([test "x$enable_overlayfs" != "xno"], [
+#       HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+#       AC_SUBST(HAVE_OVERLAYFS)
+#])
+
+HAVE_OUTPUT=""
+# Check whether --enable-output was given.
+if test "${enable_output+set}" = set; then :
+  enableval=$enable_output;
+fi
+
+if test "x$enable_output" != "xno"; then :
+
+        HAVE_OUTPUT="-DHAVE_OUTPUT"
+
+
+fi
+
+HAVE_USERTMPFS=""
+# Check whether --enable-usertmpfs was given.
+if test "${enable_usertmpfs+set}" = set; then :
+  enableval=$enable_usertmpfs;
+fi
+
+if test "x$enable_usertmpfs" != "xno"; then :
+
+        HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+
+
+fi
+
+HAVE_MAN="no"
+# Check whether --enable-man was given.
+if test "${enable_man+set}" = set; then :
+  enableval=$enable_man;
+fi
+
+if test "x$enable_man" != "xno"; then :
+
+        HAVE_MAN="-DHAVE_MAN"
+
+        # Extract the first word of "gawk", so it can be a program name with args.
+set dummy gawk; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_HAVE_GAWK+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$HAVE_GAWK"; then
+  ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_HAVE_GAWK="yes"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no"
+fi
+fi
+HAVE_GAWK=$ac_cv_prog_HAVE_GAWK
+if test -n "$HAVE_GAWK"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5
+$as_echo "$HAVE_GAWK" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+        if test "x$HAVE_GAWK" != "xyes"; then :
+  as_fn_error $? "\"*** gawk not found ***\"" "$LINENO" 5
+fi
+
+fi
+
+HAVE_FIRETUNNEL=""
+# Check whether --enable-firetunnel was given.
+if test "${enable_firetunnel+set}" = set; then :
+  enableval=$enable_firetunnel;
+fi
+
+if test "x$enable_firetunnel" != "xno"; then :
+
+        HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
+
+
+fi
+
+HAVE_PRIVATEHOME=""
+# Check whether --enable-private-home was given.
+if test "${enable_private_home+set}" = set; then :
+  enableval=$enable_private_home;
+fi
+
+if test "x$enable_private_home" != "xno"; then :
+
+        HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
+
+
+fi
+
+HAVE_CHROOT=""
+# Check whether --enable-chroot was given.
+if test "${enable_chroot+set}" = set; then :
+  enableval=$enable_chroot;
+fi
+
+if test "x$enable_chroot" != "xno"; then :
+
+        HAVE_CHROOT="-DHAVE_CHROOT"
+
+
+fi
+
+HAVE_GLOBALCFG=""
+# Check whether --enable-globalcfg was given.
+if test "${enable_globalcfg+set}" = set; then :
+  enableval=$enable_globalcfg;
+fi
+
+if test "x$enable_globalcfg" != "xno"; then :
+
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+
+
+fi
+
+HAVE_NETWORK=""
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+
+if test "x$enable_network" != "xno"; then :
+
+        HAVE_NETWORK="-DHAVE_NETWORK"
+
+
+fi
+
+HAVE_USERNS=""
+# Check whether --enable-userns was given.
+if test "${enable_userns+set}" = set; then :
+  enableval=$enable_userns;
+fi
+
+if test "x$enable_userns" != "xno"; then :
+
+        HAVE_USERNS="-DHAVE_USERNS"
+
+
+fi
+
+HAVE_X11=""
+# Check whether --enable-x11 was given.
+if test "${enable_x11+set}" = set; then :
+  enableval=$enable_x11;
+fi
+
+if test "x$enable_x11" != "xno"; then :
+
+        HAVE_X11="-DHAVE_X11"
+
+
+fi
+
+HAVE_FILE_TRANSFER=""
+# Check whether --enable-file-transfer was given.
+if test "${enable_file_transfer+set}" = set; then :
+  enableval=$enable_file_transfer;
+fi
+
+if test "x$enable_file_transfer" != "xno"; then :
+
+        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
+
+
+fi
 
+HAVE_SUID=""
+# Check whether --enable-suid was given.
+if test "${enable_suid+set}" = set; then :
+  enableval=$enable_suid;
 fi
 
+if test "x$enable_suid" = "xno"; then :
+  HAVE_SUID="no"
+else
+  HAVE_SUID="yes"
+
+fi
+
+
+HAVE_FATAL_WARNINGS=""
+# Check whether --enable-fatal_warnings was given.
+if test "${enable_fatal_warnings+set}" = set; then :
+  enableval=$enable_fatal_warnings;
+fi
+
+if test "x$enable_fatal_warnings" = "xyes"; then :
+
+        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
+
+
+fi
+
+BUSYBOX_WORKAROUND="no"
+# Check whether --enable-busybox-workaround was given.
+if test "${enable_busybox_workaround+set}" = set; then :
+  enableval=$enable_busybox_workaround;
+fi
+
+if test "x$enable_busybox_workaround" = "xyes"; then :
+
+        BUSYBOX_WORKAROUND="yes"
+
+
+fi
+
+
+HAVE_GCOV=""
+# Check whether --enable-gcov was given.
+if test "${enable_gcov+set}" = set; then :
+  enableval=$enable_gcov;
+fi
+
+if test "x$enable_gcov" = "xyes"; then :
+
+        HAVE_GCOV="--coverage -DHAVE_GCOV "
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage "
+
+
+fi
+
+HAVE_CONTRIB_INSTALL="yes"
+# Check whether --enable-contrib-install was given.
+if test "${enable_contrib_install+set}" = set; then :
+  enableval=$enable_contrib_install;
+fi
+
+if test "x$enable_contrib_install" = "xno"; then :
+  HAVE_CONTRIB_INSTALL="no"
+else
+  HAVE_CONTRIB_INSTALL="yes"
+
+fi
+
+
+HAVE_FORCE_NONEWPRIVS=""
+# Check whether --enable-force-nonewprivs was given.
+if test "${enable_force_nonewprivs+set}" = set; then :
+  enableval=$enable_force_nonewprivs;
+fi
+
+if test "x$enable_force_nonewprivs" = "xyes"; then :
+
+        HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+
+
+fi
+
+HAVE_LTS=""
+# Check whether --enable-lts was given.
+if test "${enable_lts+set}" = set; then :
+  enableval=$enable_lts;
+fi
+
+if test "x$enable_lts" = "xyes"; then :
+
+        HAVE_LTS="-DHAVE_LTS"
 
 
+        HAVE_DBUSPROXY=""
+
+
+        HAVE_OVERLAYFS=""
+
+
+        HAVE_OUTPUT=""
+
+
+        HAVE_USERTMPFS=""
+
+
+        HAVE_MAN="-DHAVE_MAN"
+
+
+        HAVE_FIRETUNNEL=""
+
+
+        HAVE_PRIVATEHOME=""
+
+
+        HAVE_CHROOT=""
+
+
+        HAVE_GLOBALCFG=""
+
+
+        HAVE_USERNS=""
+
+
+        HAVE_X11=""
+
+
+        HAVE_FILE_TRANSFER=""
+
+
+        HAVE_SUID="yes"
+
+
+        BUSYBOX_WORKAROUND="no"
+
+
+        HAVE_CONTRIB_INSTALL="no",
+
+
+fi
+
+
+
+
+# checking pthread library
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
+$as_echo_n "checking for main in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread_main=yes
+else
+  ac_cv_lib_pthread_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
+$as_echo "$ac_cv_lib_pthread_main" >&6; }
+if test "x$ac_cv_lib_pthread_main" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+
+  LIBS="-lpthread $LIBS"
+
+else
+  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
+fi
+
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -3517,289 +4326,6 @@ fi
 done
 
 
-if test "x$enable_apparmor" = "xyes"; then :
-
-        ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default"
-if test "x$ac_cv_header_sys_apparmor_h" = xyes; then :
-
-else
-  as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5
-fi
-
-
-
-fi
-if test "x$enable_apparmor" = "xyes"; then :
-
-        EXTRA_LDFLAGS+="-lapparmor "
-
-fi
-
-
-HAVE_OVERLAYFS=""
-# Check whether --enable-overlayfs was given.
-if test "${enable_overlayfs+set}" = set; then :
-  enableval=$enable_overlayfs;
-fi
-
-if test "x$enable_overlayfs" != "xno"; then :
-
-        HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
-
-
-fi
-
-HAVE_PRIVATEHOME=""
-# Check whether --enable-private-home was given.
-if test "${enable_private_home+set}" = set; then :
-  enableval=$enable_private_home;
-fi
-
-if test "x$enable_private_home" != "xno"; then :
-
-        HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
-
-
-fi
-
-HAVE_SECCOMP=""
-# Check whether --enable-seccomp was given.
-if test "${enable_seccomp+set}" = set; then :
-  enableval=$enable_seccomp;
-fi
-
-if test "x$enable_seccomp" != "xno"; then :
-
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-
-
-fi
-
-HAVE_CHROOT=""
-# Check whether --enable-chroot was given.
-if test "${enable_chroot+set}" = set; then :
-  enableval=$enable_chroot;
-fi
-
-if test "x$enable_chroot" != "xno"; then :
-
-        HAVE_CHROOT="-DHAVE_CHROOT"
-
-
-fi
-
-HAVE_BIND=""
-# Check whether --enable-bind was given.
-if test "${enable_bind+set}" = set; then :
-  enableval=$enable_bind;
-fi
-
-if test "x$enable_bind" != "xno"; then :
-
-        HAVE_BIND="-DHAVE_BIND"
-
-
-fi
-
-HAVE_GLOBALCFG=""
-# Check whether --enable-globalcfg was given.
-if test "${enable_globalcfg+set}" = set; then :
-  enableval=$enable_globalcfg;
-fi
-
-if test "x$enable_globalcfg" != "xno"; then :
-
-        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
-
-
-fi
-
-HAVE_NETWORK=""
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-
-if test "x$enable_network" != "xno"; then :
-
-        HAVE_NETWORK="-DHAVE_NETWORK"
-        if test "x$enable_network" = "xrestricted"; then :
-
-               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-
-fi
-
-
-fi
-
-HAVE_USERNS=""
-# Check whether --enable-userns was given.
-if test "${enable_userns+set}" = set; then :
-  enableval=$enable_userns;
-fi
-
-if test "x$enable_userns" != "xno"; then :
-
-        HAVE_USERNS="-DHAVE_USERNS"
-
-
-fi
-
-HAVE_X11=""
-# Check whether --enable-x11 was given.
-if test "${enable_x11+set}" = set; then :
-  enableval=$enable_x11;
-fi
-
-if test "x$enable_x11" != "xno"; then :
-
-        HAVE_X11="-DHAVE_X11"
-
-
-fi
-
-HAVE_FILE_TRANSFER=""
-# Check whether --enable-file-transfer was given.
-if test "${enable_file_transfer+set}" = set; then :
-  enableval=$enable_file_transfer;
-fi
-
-if test "x$enable_file_transfer" != "xno"; then :
-
-        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
-
-
-fi
-
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
-  enableval=$enable_whitelist;
-fi
-
-if test "x$enable_whitelist" != "xno"; then :
-
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-
-
-fi
-
-HAVE_FATAL_WARNINGS=""
-# Check whether --enable-fatal_warnings was given.
-if test "${enable_fatal_warnings+set}" = set; then :
-  enableval=$enable_fatal_warnings;
-fi
-
-if test "x$enable_fatal_warnings" = "xyes"; then :
-
-        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
-
-
-fi
-
-BUSYBOX_WORKAROUND="no"
-# Check whether --enable-busybox-workaround was given.
-if test "${enable_busybox_workaround+set}" = set; then :
-  enableval=$enable_busybox_workaround;
-fi
-
-if test "x$enable_busybox_workaround" = "xyes"; then :
-
-        BUSYBOX_WORKAROUND="yes"
-
-
-fi
-
-
-HAVE_GCOV=""
-# Check whether --enable-gcov was given.
-if test "${enable_gcov+set}" = set; then :
-  enableval=$enable_gcov;
-fi
-
-if test "x$enable_gcov" = "xyes"; then :
-
-        HAVE_GCOV="--coverage -DHAVE_GCOV "
-        EXTRA_LDFLAGS+="-lgcov --coverage "
-
-
-fi
-
-
-HAVE_GIT_INSTALL=""
-# Check whether --enable-git-install was given.
-if test "${enable_git_install+set}" = set; then :
-  enableval=$enable_git_install;
-fi
-
-if test "x$enable_git_install" = "xyes"; then :
-
-        HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
-
-
-fi
-
-HAVE_CONTRIB_INSTALL="yes"
-# Check whether --enable-contrib-install was given.
-if test "${enable_contrib_install+set}" = set; then :
-  enableval=$enable_contrib_install;
-fi
-
-if test "x$enable_contrib_install" = "xno"; then :
-  HAVE_CONTRIB_INSTALL="no"
-else
-  HAVE_CONTRIB_INSTALL="yes"
-
-fi
-
-
-# checking pthread library
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
-$as_echo_n "checking for main in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_main=yes
-else
-  ac_cv_lib_pthread_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
-$as_echo "$ac_cv_lib_pthread_main" >&6; }
-if test "x$ac_cv_lib_pthread_main" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
-  LIBS="-lpthread $LIBS"
-
-else
-  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
-fi
-
 ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default"
 if test "x$ac_cv_header_pthread_h" = xyes; then :
 
@@ -3810,20 +4336,21 @@ fi
 
 ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
 if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :
-  HAVE_SECCOMP_H="-DHAVE_SECCOMP_H"
+
 else
-  HAVE_SECCOMP_H=""
+  as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5
 fi
 
 
 
-
 # set sysconfdir
 if test "$prefix" = /usr; then
-        sysconfdir="/etc"
+        test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
+ac_config_files="$ac_config_files mkdeb.sh"
+
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4367,7 +4894,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.51, which was
+This file was extended by firejail $as_me 0.9.67, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4414,14 +4941,14 @@ Usage: $0 [OPTION]... [TAG]...
 Configuration files:
 $config_files
 
-Report bugs to <netblue30@yahoo.com>.
-firejail home page: <http://firejail.wordpress.com>."
+Report bugs to <netblue30@protonmail.com>.
+firejail home page: <https://firejail.wordpress.com>."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.51
+firejail config.status 0.9.67
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -4532,21 +5059,32 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 for ac_config_target in $ac_config_targets
 do
   case $ac_config_target in
+    "mkdeb.sh") CONFIG_FILES="$CONFIG_FILES mkdeb.sh" ;;
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;;
     "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
     "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
     "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
     "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
+    "src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;;
     "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
     "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
     "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
     "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
     "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
+    "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;;
     "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
-    "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
     "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
     "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
     "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
+    "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
+    "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
+    "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
+    "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;;
+    "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
+    "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
+    "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;;
+    "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
@@ -4965,6 +5503,11 @@ which seems to be undefined.  Please make sure it is defined" >&2;}
 
   esac
 
+
+  case $ac_file$ac_mode in
+    "mkdeb.sh":F) chmod +x mkdeb.sh ;;
+
+  esac
 done # for ac_tag
 
 
@@ -5002,27 +5545,48 @@ $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
 
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   seccomp: $HAVE_SECCOMP"
-echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   bind: $HAVE_BIND"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   git install support: $HAVE_GIT_INSTALL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
+
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+        cat <<\EOF
+
+
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/configure.ac b/configure.ac
index 900c8b959..5fde6d402 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,38 +1,124 @@
+#
+# Note:
+#
+# If for any reason autoconf fails, run "autoreconf -i --install " and try again.
+# This is how the error looks like on Arch Linux:
+#        ./configure: line 3064: syntax error near unexpected token `newline'
+#        ./configure: line 3064: `AX_CHECK_COMPILE_FLAG('
+#
+# We rely solely on autoconf, without automake. Apparently, in this case
+# the macros from m4 directory are not picked up by default by automake.
+# "autoreconf -i --install" seems to fix the problem.
+#
+
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.51, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT([firejail],[0.9.67],[netblue30@protonmail.com],[],[https://firejail.wordpress.com])
 AC_CONFIG_SRCDIR([src/firejail/main.c])
-#AC_CONFIG_HEADERS([config.h])
 
+AC_CONFIG_MACRO_DIR([m4])
 
 AC_PROG_CC
-#AC_PROG_CXX
 AC_PROG_INSTALL
 AC_PROG_RANLIB
 
+HAVE_SPECTRE="no"
+AX_CHECK_COMPILE_FLAG(
+    [-mindirect-branch=thunk],
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"]
+)
+AX_CHECK_COMPILE_FLAG(
+    [-mretpoline],
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"]
+)
+AX_CHECK_COMPILE_FLAG(
+    [-fstack-clash-protection],
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"]
+)
+AX_CHECK_COMPILE_FLAG(
+    [-fstack-protector-strong],
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"]
+)
+
+AC_ARG_ENABLE([analyzer],
+    AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer]))
+AS_IF([test "x$enable_analyzer" = "xyes"], [
+        EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
+])
+
 HAVE_APPARMOR=""
 AC_ARG_ENABLE([apparmor],
     AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
 AS_IF([test "x$enable_apparmor" = "xyes"], [
         HAVE_APPARMOR="-DHAVE_APPARMOR"
+        PKG_CHECK_MODULES([AA], libapparmor,
+            [EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"])
         AC_SUBST(HAVE_APPARMOR)
 ])
 
-
-AS_IF([test "x$enable_apparmor" = "xyes"], [
-        AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR(
-        [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )])
-])
-AS_IF([test "x$enable_apparmor" = "xyes"], [
-        EXTRA_LDFLAGS+="-lapparmor "
+HAVE_SELINUX=""
+AC_ARG_ENABLE([selinux],
+    AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
+AS_IF([test "x$enable_selinux" = "xyes"], [
+        HAVE_SELINUX="-DHAVE_SELINUX"
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux "
+        AC_SUBST(HAVE_SELINUX)
 ])
+
+AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
 
+
+HAVE_DBUSPROXY=""
+AC_ARG_ENABLE([dbusproxy],
+    AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy]))
+AS_IF([test "x$enable_dbusproxy" != "xno"], [
+        HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
+        AC_SUBST(HAVE_DBUSPROXY)
+])
+
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
-AC_ARG_ENABLE([overlayfs],
-    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
-AS_IF([test "x$enable_overlayfs" != "xno"], [
-        HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
-        AC_SUBST(HAVE_OVERLAYFS)
+AC_SUBST(HAVE_OVERLAYFS)
+#
+#AC_ARG_ENABLE([overlayfs],
+#    AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
+#AS_IF([test "x$enable_overlayfs" != "xno"], [
+#       HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
+#       AC_SUBST(HAVE_OVERLAYFS)
+#])
+
+HAVE_OUTPUT=""
+AC_ARG_ENABLE([output],
+    AS_HELP_STRING([--disable-output], [disable --output logging]))
+AS_IF([test "x$enable_output" != "xno"], [
+        HAVE_OUTPUT="-DHAVE_OUTPUT"
+        AC_SUBST(HAVE_OUTPUT)
+])
+
+HAVE_USERTMPFS=""
+AC_ARG_ENABLE([usertmpfs],
+    AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
+AS_IF([test "x$enable_usertmpfs" != "xno"], [
+        HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+        AC_SUBST(HAVE_USERTMPFS)
+])
+
+HAVE_MAN="no"
+AC_ARG_ENABLE([man],
+    AS_HELP_STRING([--disable-man], [disable man pages]))
+AS_IF([test "x$enable_man" != "xno"], [
+        HAVE_MAN="-DHAVE_MAN"
+        AC_SUBST(HAVE_MAN)
+        AC_CHECK_PROG([HAVE_GAWK], [gawk], [yes], [no])
+        AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR("*** gawk not found ***")])
+])
+
+HAVE_FIRETUNNEL=""
+AC_ARG_ENABLE([firetunnel],
+    AS_HELP_STRING([--disable-firetunnel], [disable firetunnel]))
+AS_IF([test "x$enable_firetunnel" != "xno"], [
+        HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
+        AC_SUBST(HAVE_FIRETUNNEL)
 ])
 
 HAVE_PRIVATEHOME=""
@@ -43,14 +129,6 @@ AS_IF([test "x$enable_private_home" != "xno"], [
         AC_SUBST(HAVE_PRIVATE_HOME)
 ])
 
-HAVE_SECCOMP=""
-AC_ARG_ENABLE([seccomp],
-    AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
-AS_IF([test "x$enable_seccomp" != "xno"], [
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-        AC_SUBST(HAVE_SECCOMP)
-])
-
 HAVE_CHROOT=""
 AC_ARG_ENABLE([chroot],
     AS_HELP_STRING([--disable-chroot], [disable chroot]))
@@ -59,14 +137,6 @@ AS_IF([test "x$enable_chroot" != "xno"], [
         AC_SUBST(HAVE_CHROOT)
 ])
 
-HAVE_BIND=""
-AC_ARG_ENABLE([bind],
-    AS_HELP_STRING([--disable-bind], [disable bind]))
-AS_IF([test "x$enable_bind" != "xno"], [
-        HAVE_BIND="-DHAVE_BIND"
-        AC_SUBST(HAVE_BIND)
-])
-
 HAVE_GLOBALCFG=""
 AC_ARG_ENABLE([globalcfg],
     AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
@@ -78,13 +148,8 @@ AS_IF([test "x$enable_globalcfg" != "xno"], [
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
     AS_HELP_STRING([--disable-network], [disable network]))
-AC_ARG_ENABLE([network],
-    AS_HELP_STRING([--enable-network=restricted], [ restrict --net= to root only]))
 AS_IF([test "x$enable_network" != "xno"], [
         HAVE_NETWORK="-DHAVE_NETWORK"
-        AS_IF([test "x$enable_network" = "xrestricted"], [
-               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-        ])
         AC_SUBST(HAVE_NETWORK)
 ])
 
@@ -112,13 +177,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
         AC_SUBST(HAVE_FILE_TRANSFER)
 ])
 
-HAVE_WHITELIST=""
-AC_ARG_ENABLE([whitelist],
-    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
-AS_IF([test "x$enable_whitelist" != "xno"], [
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-        AC_SUBST(HAVE_WHITELIST)
-])
+HAVE_SUID=""
+AC_ARG_ENABLE([suid],
+    AS_HELP_STRING([--disable-suid], [install as a non-SUID executable]))
+AS_IF([test "x$enable_suid" = "xno"],
+        [HAVE_SUID="no"],
+        [HAVE_SUID="yes"]
+)
+AC_SUBST(HAVE_SUID)
 
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
@@ -142,19 +208,10 @@ AC_ARG_ENABLE([gcov],
     AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
 AS_IF([test "x$enable_gcov" = "xyes"], [
         HAVE_GCOV="--coverage -DHAVE_GCOV "
-        EXTRA_LDFLAGS+="-lgcov --coverage "
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage "
         AC_SUBST(HAVE_GCOV)
 ])
 
-
-HAVE_GIT_INSTALL=""
-AC_ARG_ENABLE([git-install],
-    AS_HELP_STRING([--enable-git-install], [enable git install feature]))
-AS_IF([test "x$enable_git_install" = "xyes"], [
-        HAVE_GIT_INSTALL="-DHAVE_GIT_INSTALL"
-        AC_SUBST(HAVE_GIT_INSTALL)
-])
-
 HAVE_CONTRIB_INSTALL="yes"
 AC_ARG_ENABLE([contrib-install],
     AS_HELP_STRING([--enable-contrib-install], [install contrib scripts]))
@@ -164,42 +221,130 @@ AS_IF([test "x$enable_contrib_install" = "xno"],
 )
 AC_SUBST(HAVE_CONTRIB_INSTALL)
 
+HAVE_FORCE_NONEWPRIVS=""
+AC_ARG_ENABLE([force-nonewprivs],
+    AS_HELP_STRING([--enable-force-nonewprivs], [enable force nonewprivs]))
+AS_IF([test "x$enable_force_nonewprivs" = "xyes"], [
+        HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
+        AC_SUBST(HAVE_FORCE_NONEWPRIVS)
+])
+
+HAVE_LTS=""
+AC_ARG_ENABLE([lts],
+    AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)]))
+AS_IF([test "x$enable_lts" = "xyes"], [
+        HAVE_LTS="-DHAVE_LTS"
+        AC_SUBST(HAVE_LTS)
+
+        HAVE_DBUSPROXY=""
+        AC_SUBST(HAVE_DBUSPROXY)
+
+        HAVE_OVERLAYFS=""
+        AC_SUBST(HAVE_OVERLAYFS)
+
+        HAVE_OUTPUT=""
+        AC_SUBST(HAVE_OUTPUT)
+
+        HAVE_USERTMPFS=""
+        AC_SUBST(HAVE_USERTMPFS)
+
+        HAVE_MAN="-DHAVE_MAN"
+        AC_SUBST(HAVE_MAN)
+
+        HAVE_FIRETUNNEL=""
+        AC_SUBST(HAVE_FIRETUNNEL)
+
+        HAVE_PRIVATEHOME=""
+        AC_SUBST(HAVE_PRIVATE_HOME)
+
+        HAVE_CHROOT=""
+        AC_SUBST(HAVE_CHROOT)
+
+        HAVE_GLOBALCFG=""
+        AC_SUBST(HAVE_GLOBALCFG)
+
+        HAVE_USERNS=""
+        AC_SUBST(HAVE_USERNS)
+
+        HAVE_X11=""
+        AC_SUBST(HAVE_X11)
+
+        HAVE_FILE_TRANSFER=""
+        AC_SUBST(HAVE_FILE_TRANSFER)
+
+        HAVE_SUID="yes"
+        AC_SUBST(HAVE_SUID)
+
+        BUSYBOX_WORKAROUND="no"
+        AC_SUBST(BUSYBOX_WORKAROUND)
+
+        HAVE_CONTRIB_INSTALL="no",
+        AC_SUBST(HAVE_CONTRIB_INSTALL)
+])
+
+
+
+
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER([linux/seccomp.h], HAVE_SECCOMP_H="-DHAVE_SECCOMP_H", HAVE_SECCOMP_H="")
-AC_SUBST(HAVE_SECCOMP_H)
+AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
 
 # set sysconfdir
 if test "$prefix" = /usr; then
-        sysconfdir="/etc"
+        test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
-src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
-
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   seccomp: $HAVE_SECCOMP"
-echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   bind: $HAVE_BIND"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   git install support: $HAVE_GIT_INSTALL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo
+AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
+AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
+src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
+src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
+src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
+src/jailcheck/Makefile src/fids/Makefile])
+AC_OUTPUT
+
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
+
+if test "$HAVE_LTS" = -DHAVE_LTS; then
+        cat <<\EOF
+
+
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/contrib/firejail-welcome.sh b/contrib/firejail-welcome.sh
new file mode 100755
index 000000000..6eebc67c5
--- /dev/null
+++ b/contrib/firejail-welcome.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# This file is part of Firejail project
+# Copyright (C) 2020-2021 Firejail Authors
+# License GPL v2
+
+if ! command -v zenity >/dev/null; then
+        echo "Please install zenity."
+        exit 1
+fi
+if ! command -v sudo >/dev/null; then
+        echo "Please install sudo."
+        exit 1
+fi
+
+export LANG=en_US.UTF8
+
+zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <<EOM
+Welcome to firejail!
+
+This is a quick setup guide for newbies.
+
+Profiles for programs can be found in /etc/firejail. Own customizations should go in a file named
+<profile-name>.local in ~/.config/firejal.
+
+Firejail's own configuration can be found at /etc/firejail/firejail.config.
+
+Please note that running this script a second time can set new options, but does not unset options
+set in a previous run.
+
+Website: https://firejail.wordpress.com
+Bug-Tracker: https://github.com/netblue30/firejail/issues
+Documentation:
+- https://github.com/netblue30/firejail/wiki
+- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
+- https://firejail.wordpress.com/documentation-2
+- man:firejail(1) and man:firejail-profile(5)
+
+PS: If you have any improvements for this script, open an issue or pull request.
+EOM
+[[ $? -eq 1 ]] && exit 0
+
+sed_scripts=()
+
+read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <<EOM
+<big><b>Should browsers be allowed to access u2f hardware?</b></big>
+EOM
+
+read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <<EOM
+<big><b>Should browsers be able to play DRM content?</b></big>
+
+\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME,
+is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary
+DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to
+allow their execution. Clearly, this may help an attacker to start malicious code.
+
+NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME.
+
+HINT: If <tt>/home</tt> has its own partition, you can mount it <tt>nodev,nosuid</tt> for all programs.
+EOM
+
+read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <<EOM
+You maybe want to set some of these advanced options.
+EOM
+
+read -r -d $'\0' MSG_Q_RUN_FIRECFG <<EOM
+<big><b>Should most programs be started in firejail by default?</b></big>
+EOM
+
+read -r -d $'\0' MSG_I_ROOT_REQUIRED <<EOM
+In order to apply these changes, root privileges are required.
+You will now be asked to enter your password.
+EOM
+
+read -r -d $'\0' MSG_I_FINISH <<EOM
+🥳
+EOM
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_DISABLE_U2F"; then
+        sed_scripts+=("-e s/# browser-disable-u2f yes/browser-disable-u2f no/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_BROWSER_ALLOW_DRM"; then
+        sed_scripts+=("-e s/# browser-allow-drm no/browser-allow-drm yes/")
+fi
+
+advanced_options=$(zenity --title=firejail-welcome.sh --list --width=800 --height=200 \
+        --text="$MSG_L_ADVANCED_OPTIONS" --multiple --checklist --separator=" " \
+        --column="" --column=Option --column=Description <<EOM
+
+force-nonewprivs
+Always set nonewprivs, this is a strong mitigation against exploits in firejail. However some programs like chromium or wireshark maybe don't work anymore.
+
+restricted-network
+Restrict all network related commands except 'net none' to root only.
+
+seccomp-error-action=kill
+Kill programs which violate seccomp rules (default: return a error).
+EOM
+)
+
+if [[ $advanced_options == *force-nonewprivs* ]]; then
+        sed_scripts+=("-e s/# force-nonewprivs no/force-nonewprivs yes/")
+fi
+if [[ $advanced_options == *restricted-network* ]]; then
+        sed_scripts+=("-e s/# restricted-network no/restricted-network yes/")
+fi
+if [[ $advanced_options == *seccomp-error-action=kill* ]]; then
+        sed_scripts+=("-e s/# seccomp-error-action EPERM/seccomp-error-action kill/")
+fi
+
+if zenity --title=firejail-welcome.sh --question --ellipsize --text="$MSG_Q_RUN_FIRECFG"; then
+        run_firecfg=true
+fi
+
+zenity --title=firejail-welcome.sh --info --ellipsize --text="$MSG_I_ROOT_REQUIRED"
+
+passwd=$(zenity --title=firejail-welcome.sh --password --cancel-label=OK)
+if [[ -n "${sed_scripts[*]}" ]]; then
+        sudo -S -p "" -- sed -i "${sed_scripts[@]}" /etc/firejail/firejail.config <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+if [[ "$run_firecfg" == "true" ]]; then
+        sudo -S -p "" -- firecfg <<<"$passwd" || { zenity --title=firejail-welcome.sh --error; exit 1; };
+fi
+sudo -k
+unset passwd
+
+zenity --title=firejail-welcome.sh --info --icon-name=security-medium-symbolic --text="$MSG_I_FINISH"
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
index 86fd3d16b..961646aa4 100755
--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -1,5 +1,4 @@
-#!/usr/bin/python3
-
+#!/usr/bin/env python3
 __author__ = "KOLANICH"
 __copyright__ = """This is free and unencumbered software released into the public domain.
 
@@ -24,134 +23,175 @@ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
 ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 OTHER DEALINGS IN THE SOFTWARE.
 
-For more information, please refer to <http://unlicense.org/>"""
+For more information, please refer to <https://unlicense.org/>"""
 __license__ = "Unlicense"
 
-import sys, os, glob, re
-
-privRx=re.compile("^(?:#\s*)?private-bin")
-
-def fixSymlinkedBins(files, replMap):
-        """
-        Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap
-        replMap is a dict where key is the marker filename and value is the filename to add
-        """
-
-        rxs=dict()
-        for (old,new) in replMap.items():
-                rxs[old]=re.compile("\\b"+old+"\\b")
-                rxs[new]=re.compile("\\b"+new+"\\b")
-        #print(rxs)
-
-        for filename in files:
-                lines=None
-                with open(filename,"r") as file:
-                        lines=file.readlines()
-
-                shouldUpdate=False
-                for (i,line) in enumerate(lines):
-                        if privRx.search(line):
-                                for (old,new) in replMap.items():
-                                        if rxs[old].search(line) and not rxs[new].search(line):
-                                                lines[i]=rxs[old].sub(old+","+new, line)
-                                                shouldUpdate=True
-                                                print(lines[i])
-
-                if shouldUpdate:
-                        with open(filename,"w") as file:
-                                file.writelines(lines)
-                        pass
-
-def createSetOfBinaries(files):
-        """
-        Creates a set of binaries mentioned in private-bin directives of files.
-        """
-        s=set()
-        for filename in files:
-                lines=None
-                with open(filename,"r") as file:
-                        for line in file:
-                                if privRx.search(line):
-                                        bins=line.split(",")
-                                        bins[0]=bins[0].split(" ")[-1]
-                                        bins = [n.strip() for n in bins]
-                                        s=s|set(bins)
-        return s
-
-def createSymlinkTable(binDirs, binariesSet):
-        """
-        creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary.
-        binDirs are folders to look into for binaries symlinks
-        binariesSet is a set of binaries to be checked if they are actually a symlinks
-        """
-        m=dict()
-        toProcess=binariesSet
-        while len(toProcess)!=0:
-                additional=set()
-                for sh in toProcess:
-                        for bD in binDirs:
-                                p=bD+os.path.sep+sh
-                                if os.path.exists(p):
-                                        if os.path.islink(p):
-                                                m[sh]=os.readlink(p)
-                                                additional.add(m[sh].split(" ")[0])
-                                        else:
-                                                pass
-                                        break
-                toProcess=additional
-        return m
-
-def doTheFixes(profilesPath, binDirs):
-        """
-        Fixes private-bin in .profiles for firejail. The pipeline is as follows:
-        discover files -> discover mentioned binaries ->
-        discover the ones which are symlinks ->
-        make a look-up table for fix ->
-        filter the ones can be fixed (we cannot fix the ones which are not in directories for binaries) ->
-        apply fix
-        """
-        files=glob.glob(profilesPath+os.path.sep+"*.profile")
-        bins=createSetOfBinaries(files)
-        #print("The binaries used are:")
-        #print(bins)
-        stbl=createSymlinkTable(binDirs,bins)
-        print("The replacement table is:")
-        print(stbl)
-        stbl={a[0]:a[1] for a in stbl.items() if a[0].find(os.path.sep) < 0 and a[1].find(os.path.sep)<0}
-        print("Filtered replacement table is:")
-        print(stbl)
-        fixSymlinkedBins(files,stbl)
+import typing
+import sys, os, re
+from collections import OrderedDict
+from pathlib import Path
+from shutil import which
+
+privRx = re.compile(r"^(#\s*)?(private-bin)(\s+)(.+)$")
+
+
+def fixSymlinkedBins(files: typing.List[Path], replMap: typing.Dict[str, str]) -> None:
+    """
+    Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap
+    replMap is a dict where key is the marker filename and value is the filename to add
+    """
+
+    for filename in files:
+        lines = filename.read_text(encoding="utf-8").split("\n")
+
+        shouldUpdate = False
+        for (i, line) in enumerate(lines):
+            m = privRx.match(line)
+            if m:
+                lineUpdated = False
+                mBins = OrderedDict((sb, sb) for sb in (b.strip() for b in m.group(4).split(",")))
+
+                for (old, new) in replMap.items():
+                    if old in mBins:
+                        #print(old, "->", new)
+                        if new not in mBins:
+                            mBins[old] = old + "," + new
+                            lineUpdated = True
+
+                if lineUpdated:
+                    comment = m.group(1)
+                    if comment is None:
+                        comment = ""
+                    lines[i] = comment + m.group(2) + m.group(3) + ",".join(mBins.values())
+                    shouldUpdate = True
+
+        if shouldUpdate:
+            filename.write_text("\n".join(lines), encoding="utf-8")
+
+
+def createSetOfBinaries(files: typing.List[Path]) -> typing.Set[str]:
+    """
+    Creates a set of binaries mentioned in private-bin directives of files.
+    """
+    s = set()
+    for filename in files:
+        with open(filename, "r") as file:
+            for line in file:
+                m = privRx.match(line)
+                if m:
+                    bins = m.group(4).split(",")
+                    bins = [n.strip() for n in bins]
+                    s = s | set(bins)
+    return s
+
+def getExecutableNameFromLink(p: Path) -> str:
+    return os.readlink(str(p)).split(" ")[0]
+
+
+forbiddenExecutables= ["firejail"]
+
+def populateForbiddenExecutables():
+    forbiddenSymlinks = []
+    for e in forbiddenExecutables:
+        r = which(e)
+        if r is not None:
+            yield r
+
+forbiddenSymlinks = set(populateForbiddenExecutables())
+
+
+def createSymlinkTable(binDirs: typing.Iterable[Path], binariesSet: typing.Set[str]) -> typing.Mapping[str, str]:
+    """
+    creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary.
+    binDirs are folders to look into for binaries symlinks
+    binariesSet is a set of binaries to be checked if they are actually a symlinks
+    """
+    m = dict()
+    toProcess = binariesSet
+    while len(toProcess) != 0:
+        additional = set()
+        for binName in toProcess:
+            for binaryDir in binDirs:
+                p = binaryDir / binName
+                if p.is_symlink():
+                    res = []
+                    nm = getExecutableNameFromLink(p)
+                    if nm in forbiddenSymlinks:
+                        continue
+                    m[binName] = nm
+                    additional.add(nm)
+                    break
+
+        toProcess = additional
+    return m
+
+
+def doTheFixes(profilesPath: Path, binDirs: typing.Iterable[Path]) -> None:
+    """
+    Fixes private-bin in .profiles for firejail. The pipeline is as follows:
+    discover files -> discover mentioned binaries ->
+    discover the ones which are symlinks ->
+    make a look-up table for fix ->
+    filter the ones can be fixed (we cannot fix the ones which are not in directories for binaries) ->
+    apply fix
+    """
+    files = list(profilesPath.glob("**/*.profile"))
+    bins = createSetOfBinaries(files)
+    #print("The binaries used are:")
+    #print(bins)
+    stbl = createSymlinkTable(binDirs, bins)
+    print("The replacement table is:")
+    print(stbl)
+    for k, v in tuple(stbl.items()):
+        if k.find(os.path.sep) < 0 and v.find(os.path.sep) < 0:
+            pass
+        else:
+            del stbl[k]
+
+    print("Filtered replacement table is:")
+    print(stbl)
+    fixSymlinkedBins(files, stbl)
+
+
+thisDir = Path(__file__).absolute().parent
+defaultProfilesPath = (thisDir.parent / "etc")
+
 
 def printHelp():
-        print("python3 "+os.path.basename(__file__)+" <dir with .profile files>\nThe default dir is "+defaultProfilesPath+"\n"+doTheFixes.__doc__)
-
-def main():
-        """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
-        print(repr(sys.argv))
-        defaultProfilesPath="../etc"
-        if len(sys.argv)>2 or (len(sys.argv)==2 and (sys.argv[1] == '-h' or sys.argv[1] == '--help') ):
-                printHelp()
-                exit(1)
-
-        profilesPath=None
-        if len(sys.argv)==2:
-                if os.path.isdir(sys.argv[1]):
-                        profilesPath=os.path.abspath(sys.argv[1])
-                else:
-                        if os.path.exists(sys.argv[1]):
-                                print(sys.argv[1]+" is not a dir")
-                        else:
-                                print(sys.argv[1]+" does not exist")
-                        printHelp()
-                        exit(1)
-        else:
-                print("Using default profiles dir: " + defaultProfilesPath)
-                profilesPath=defaultProfilesPath
-
-        binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"]
-        print("Binaries dirs are:")
-        print(binDirs)
-        doTheFixes(profilesPath, binDirs)
+    print("python3 " + str(thisDir) +
+          " <dir with .profile files>\nThe default dir is " +
+          str(defaultProfilesPath) + "\n" + doTheFixes.__doc__)
+
+
+def main() -> None:
+    """The main function. Parses the commandline args, shows messages and calls the function actually doing the work."""
+    if len(sys.argv) > 2 or (len(sys.argv) == 2 and
+                             (sys.argv[1] == "-h" or sys.argv[1] == "--help")):
+        printHelp()
+        sys.exit(1)
+
+    profilesPath = None
+    if len(sys.argv) == 2:
+        if os.path.isdir(sys.argv[1]):
+            profilesPath = os.path.abspath(sys.argv[1])
+        else:
+            if os.path.exists(sys.argv[1]):
+                print(sys.argv[1] + " is not a dir")
+            else:
+                print(sys.argv[1] + " does not exist")
+            printHelp()
+            sys.exit(1)
+    else:
+        print("Using default profiles dir: ", defaultProfilesPath)
+        profilesPath = defaultProfilesPath
+
+    binDirs = ("/bin", "/usr/bin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")
+    binDirs = type(binDirs)(Path(p) for p in binDirs)
+
+    print("Binaries dirs are:")
+    print(binDirs)
+    doTheFixes(profilesPath, binDirs)
+
 
 if __name__ == "__main__":
-        main()
+    main()
diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py
index 3cc13b758..b4a947535 100755
--- a/contrib/fj-mkdeb.py
+++ b/contrib/fj-mkdeb.py
@@ -1,45 +1,54 @@
 #!/usr/bin/env python3
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
-# This script is automate the workaround for https://github.com/netblue30/firejail/issues/772
+# This script automates the workaround for https://github.com/netblue30/firejail/issues/772
+
+import os, shlex, subprocess, sys
 
-import os, re, shlex, subprocess, sys
 
 def run(srcdir, args):
-  if srcdir: os.chdir(srcdir)
+    if srcdir: os.chdir(srcdir)
 
-  dry_run=False
-  escaped_args=[]
-  # We need to modify the list as we go.  So be sure to copy the list to be iterated!
-  for a in args[:]:
-    if a.startswith('--prefix'):
-      # prefix should ALWAYS be /usr here.  Discard user-set values
-      args.remove(a)
-    elif a == '--only-fix-mkdeb':
-      # for us, not configure
-      dry_run=True
-      args.remove(a)
-    else:
-      escaped_args.append(shlex.quote(a))
+    if not (os.path.isfile('./mkdeb.sh.in')):
+        print('Error: Not a firejail source tree?  Exiting.')
+        return 1
+
+    dry_run = False
+    escaped_args = []
+    # We need to modify the list as we go.  So be sure to copy the list to be iterated!
+    for a in args[:]:
+        if a.startswith('--prefix'):
+            # prefix should ALWAYS be /usr here.  Discard user-set values
+            args.remove(a)
+        elif a == '--only-fix-mkdeb':
+            # for us, not configure
+            dry_run = True
+            args.remove(a)
+        else:
+            escaped_args.append(shlex.quote(a))
 
-  # Fix up mkdeb.sh to include custom configure options.
-  with open('mkdeb.sh', 'rb') as f:
-    sh=str(f.read(), 'utf_8')
-  rx=re.compile(r'^\./configure\s.*$', re.M)
-  with open('mkdeb.sh', 'wb') as f:
-    f.write(bytes(rx.sub('./configure --prefix=/usr '+(' '.join(escaped_args)), sh), 'utf_8'))
+    # Run configure to generate mkdeb.sh.
+    first_config = subprocess.call(['./configure', '--prefix=/usr'] + args)
+    if first_config != 0:
+        return first_config
 
-  if dry_run: return 0
+    # Fix up dynamically-generated mkdeb.sh to include custom configure options.
+    with open('mkdeb.sh', 'rb') as f:
+        sh = str(f.read(), 'utf_8')
+    with open('mkdeb.sh', 'wb') as f:
+        f.write(bytes(sh.replace('./configure $CONFIG_ARGS',
+                                 './configure $CONFIG_ARGS ' + (' '.join(escaped_args))), 'utf_8'))
 
-  # now run configure && make
-  if subprocess.call(['./configure', '--prefix=/usr']+args) == 0:
-    subprocess.call(['make', 'deb'])
+    if dry_run: return 0
 
-  return 0
+    return subprocess.call(['make', 'deb'])
 
 
 if __name__ == '__main__':
-  if len(sys.argv) == 2 and sys.argv[1] == '--help':
-    print('''Build a .deb of firejail with custom configure options
+    if len(sys.argv) == 2 and sys.argv[1] == '--help':
+        print('''Build a .deb of firejail with custom configure options
 
 usage:
 {script} [--fj-src=SRCDIR] [--only-fix-mkdeb] [CONFIGURE_OPTIONS [...]]
@@ -51,24 +60,26 @@ usage:
  --only-fix-mkdeb: don't run configure or make after modifying mkdeb.sh
  CONFIGURE_OPTIONS: arguments for configure
 '''.format(script=sys.argv[0]))
-    sys.exit(0)
-  else:
-    # Find the source directory
-    srcdir=None
-    args=sys.argv[1:]
-    for a in args:
-      if a.startswith('--fj-src='):
-        args.remove(a)
-        srcdir=a[9:]
-        break
-    if not(srcdir):
-      # srcdir not manually specified, try to auto-detect
-      srcdir=os.path.dirname(os.path.abspath(sys.argv[0]+'/..'))
-      if not(os.path.isfile(srcdir+'/mkdeb.sh')):
-        # Script is probably installed.  Check the cwd.
-        if os.path.isfile('./mkdeb.sh'):
-          srcdir=None
-        else:
-          print('Error: Could not find the firejail source tree.  Exiting.')
-          sys.exit(1)
-    sys.exit(run(srcdir, args))
+        sys.exit(0)
+    else:
+        # Find the source directory
+        srcdir = None
+        args = sys.argv[1:]
+        for a in args:
+            if a.startswith('--fj-src='):
+                args.remove(a)
+                srcdir = a[9:]
+                break
+        if not (srcdir):
+            # srcdir not manually specified, try to auto-detect
+            srcdir = os.path.dirname(os.path.abspath(sys.argv[0] + '/..'))
+            if not (os.path.isfile(srcdir + '/mkdeb.sh.in')):
+                # Script is probably installed.  Check the cwd.
+                if os.path.isfile('./mkdeb.sh.in'):
+                    srcdir = None
+                else:
+                    print(
+                        'Error: Could not find the firejail source tree.  Exiting.'
+                    )
+                    sys.exit(1)
+        sys.exit(run(srcdir, args))
diff --git a/contrib/fjclip.py b/contrib/fjclip.py
index b45959841..3e99d71e9 100755
--- a/contrib/fjclip.py
+++ b/contrib/fjclip.py
@@ -1,6 +1,8 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
-import re
 import sys
 import subprocess
 import fjdisplay
@@ -23,7 +25,7 @@ if sys.argv[1] == '-':
     clipin_raw = sys.stdin.read()
 else:
     display = fjdisplay.getdisplay(sys.argv[1])
-    clipin_raw = subprocess.check_output(['xsel','-b','--display',display])
+    clipin_raw = subprocess.check_output(['xsel', '-b', '--display', display])
 
 clipin = clipin_raw.strip()
 
@@ -31,5 +33,6 @@ if sys.argv[2] == '-':
     print(clipin)
 else:
     display = fjdisplay.getdisplay(sys.argv[2])
-    clipout = subprocess.Popen(['xsel','-b','-i','--display',display],stdin=subprocess.PIPE)
+    clipout = subprocess.Popen(['xsel', '-b', '-i', '--display', display],
+                               stdin=subprocess.PIPE)
     clipout.communicate(clipin)
diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py
index 3f409545f..294bde997 100755
--- a/contrib/fjdisplay.py
+++ b/contrib/fjdisplay.py
@@ -1,4 +1,7 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 import re
 import sys
@@ -8,23 +11,25 @@ usage = """fjdisplay.py name-of-firejail
 returns the display in the form of ':NNN'
 """
 
+
 def getfirejails():
-    output = subprocess.check_output(['firemon','--x11'])
+    output = subprocess.check_output(['firemon', '--x11'])
     firejails = {}
     name = ''
     for line in output.split('\n'):
-        namematch = re.search('--name=(\w+\S*)',line)
+        namematch = re.search('--name=(\w+\S*)', line)
         if namematch:
-          name = namematch.group(1)
-        displaymatch = re.search('DISPLAY (:\d+)',line)
+            name = namematch.group(1)
+        displaymatch = re.search('DISPLAY (:\d+)', line)
         if displaymatch:
-          firejails[name] = displaymatch.group(1)
+            firejails[name] = displaymatch.group(1)
     return firejails
 
+
 def getdisplay(name):
     firejails = getfirejails()
     fjlist = '\n'.join(firejails.keys())
-    namere = re.compile('^'+name+'.*', re.MULTILINE)
+    namere = re.compile('^' + name + '.*', re.MULTILINE)
     matchingjails = namere.findall(fjlist)
     if len(matchingjails) == 1:
         return firejails[matchingjails[0]]
@@ -33,6 +38,7 @@ def getdisplay(name):
     else:
         raise NameError("ambiguous firejail name")
 
+
 if __name__ == '__main__':
     if '-h' in sys.argv or '--help' in sys.argv or len(sys.argv) > 2:
         print(usage)
@@ -40,4 +46,4 @@ if __name__ == '__main__':
     if len(sys.argv) == 1:
         print(getfirejails())
     if len(sys.argv) == 2:
-        print (getdisplay(sys.argv[1]))
+        print(getdisplay(sys.argv[1]))
diff --git a/contrib/fjresize.py b/contrib/fjresize.py
index 3997cf280..d656f5c91 100755
--- a/contrib/fjresize.py
+++ b/contrib/fjresize.py
@@ -1,4 +1,7 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 import sys
 import fjdisplay
@@ -6,20 +9,26 @@ import subprocess
 
 usage = """usage: fjresize.py firejail-name displaysize
 resize firejail xephyr windows.
-fjdisplay.py with no other arguments will list running named firejails with displays.
+fjdisplay.py with no other arguments will list running named firejails with
+displays.
 fjresize.py with only a firejail name will list valid resolutions.
-names can be shortend as long its unambiguous.
+names can be shortened as long as it's unambiguous.
 note: you may need to move the xephyr window for the resize to take effect
 example:
     fjresize.py browser 1280x800
 """
 
-
 if len(sys.argv) == 2:
-    out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1])])
+    out = subprocess.check_output(
+        ['xrandr', '--display',
+         fjdisplay.getdisplay(sys.argv[1])])
     print(out)
 elif len(sys.argv) == 3:
-    out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1]),'--output','default','--mode',sys.argv[2]])
+    out = subprocess.check_output([
+        'xrandr', '--display',
+        fjdisplay.getdisplay(sys.argv[1]), '--output', 'default', '--mode',
+        sys.argv[2]
+    ])
     print(out)
 else:
     print(usage)
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh
new file mode 100755
index 000000000..941fc45ef
--- /dev/null
+++ b/contrib/gdb-firejail.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+set -x
+
+# gdb setuid helper script.
+# This script forks a background process as the current user which will
+# immediately send itself a `STOP` signal.  Then gdb running as root will
+# attach to that process, which will send it the `CONT` signal to continue
+# execution.  Then the backgrounded process will exec the program with the
+# given arguments.  This will allow the root gdb to trace the unprivileged
+# setuid firejail process from the absolute beginning.
+
+if [ -z "${1##*/firejail}" ]; then
+    FIREJAIL=$1
+else
+    # First argument is not named firejail, then add default unless environment
+    # variable already set.
+    set -- ${FIREJAIL:=$(which firejail)} "$@"
+fi
+
+bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
+sudo gdb -e  "$FIREJAIL" -p "$!"
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
new file mode 100755
index 000000000..f89f97ac4
--- /dev/null
+++ b/contrib/jail_prober.py
@@ -0,0 +1,206 @@
+#!/usr/bin/env python3
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+"""
+Figure out which profile options may be causing a particular program to break
+when run in firejail.
+
+Instead of having to comment out each line in a profile by hand, and then
+enable each line individually until the bad line or lines are found, this
+largely automates the process. Users only have to provide the path to the
+profile, program name, and answer 'y' for yes or 'n' for no when prompted.
+
+After completion, you'll be provided with some information to copy and then
+paste into a GitHub issue in the Firejail project repository:
+https://github.com/netblue30/firejail/issues
+
+Paths to the profile should be absolute. If the program is in your path, then
+you only have to type the profile name. Else, you'll need to provide the
+absolute path to the profile.
+
+Examples:
+python jail_prober.py /etc/firejail/spotify.profile spotify
+python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox
+"""
+
+import sys
+import os
+import subprocess
+
+
+def check_params(profile_path):
+    """
+    Ensure the path to the profile is valid and that an actual profile has been
+    passed (as opposed to a config or .local file).
+
+    Args:
+        profile_path:       The absolute path to the problematic profile
+
+    Raises:
+        FileNotFoundError:  If the provided path isn't real
+
+        ValueError:         If the provided path is real but doesn't point to
+                            a Firejail profile
+    """
+    if not os.path.isfile(profile_path):
+        raise FileNotFoundError('The path %s is not a valid system path.' %
+                                profile_path)
+    if not profile_path.endswith('.profile'):
+        raise ValueError('%s is not a valid Firejail profile.' % profile_path)
+
+
+def get_args(profile_path):
+    """
+    Read the profile, stripping out comments and newlines
+
+    Args:
+        profile_path:   The absolute path to the problematic profile.
+
+    Returns:
+        A list containing all active profile arguments
+    """
+    with open(profile_path, 'r') as f:
+        profile = f.readlines()
+        profile = [
+            arg.strip() for arg in profile
+            if not arg.startswith('#') and arg.strip() != ''
+        ]
+
+    return profile
+
+
+def absolute_include(word):
+    home = os.environ['HOME']
+    path = home + '/.config/firejail/'
+
+    option, filename = word.split('=')
+    absolute_filename = path + filename
+
+    if not os.path.isfile(absolute_filename):
+        absolute_filename = '${CFG}/' + filename
+
+    return option + '=' + absolute_filename
+
+
+def arg_converter(arg_list, style):
+    """
+    Convert between firejail command-line arguments (--example=something) and
+    profile arguments (example something)
+
+    Args:
+        arg_list:   A list of firejail arguments
+
+        style:      String, one of {'to_profile', 'to_commandline'}. Whether to
+                    convert arguments to command-line form or profile form
+    """
+    if style == 'to_profile':
+        old_sep = '='
+        new_sep = ' '
+        prefix = ''
+    elif style == 'to_commandline':
+        old_sep = ' '
+        new_sep = '='
+        prefix = '--'
+    new_args = [prefix + word.replace(old_sep, new_sep) for word in arg_list]
+    # Additional strip of '--' if converting to profile form
+    if style == 'to_profile':
+        new_args = [word[2:] for word in new_args]
+
+    elif style == 'to_commandline':
+        new_args = [
+            absolute_include(word) if word.startswith('--include')
+            else word
+            for word in new_args
+        ]
+
+    return new_args
+
+
+def run_firejail(program, all_args):
+    """
+    Attempt to run the program in firejail, incrementally adding to the number
+    of firejail arguments. Initial run has no additional params besides
+    noprofile.
+
+    Args:
+        program:    String, the program name. If it doesn't exist in $PATH then
+                    the full path to the program should be provided
+
+        all_args:   List, all Firejail arguments to try, in command-line format
+                    (i.e. prefixed by '--')
+
+    Returns:
+        good_args:  List, all Firejail arguments that the user has reported to
+                    not adversely affect the program
+
+        bad_args:   List, all Firejail arguments that the user has reported to
+                    break the program
+    """
+    good_args = ['firejail', '--noprofile', program]
+    bad_args = []
+    all_args.insert(0, "")
+    print('Attempting to run %s in Firejail' % program)
+    for arg in all_args:
+        if arg:
+            print('Running with', arg)
+        else:
+            print('Running without profile')
+        #We are adding the argument in a copy of the actual list to avoid modify it now.
+        myargs = good_args.copy()
+        if arg:
+            myargs.insert(-1, arg)
+        subprocess.call(myargs)
+        ans = input('Did %s run correctly? [y]/n ' % program)
+        if ans in ['n', 'N']:
+            bad_args.append(arg)
+        elif arg:
+            good_args.insert(-1, arg)
+        print('\n')
+    # Don't include 'firejail', '--noprofile', or program name in arguments
+    good_args = good_args[2:-1]
+
+    return good_args, bad_args
+
+
+def main():
+    try:
+        profile_path = sys.argv[1]
+        program = sys.argv[2]
+    except IndexError:
+        print('USAGE: jail_prober.py <PROFILE-PATH> <PROGRAM>')
+        sys.exit()
+    # Quick error check and extract arguments
+    check_params(profile_path)
+    profile = get_args(profile_path)
+    all_args = arg_converter(profile, 'to_commandline')
+    # Find out which profile options break the program when running in firejail
+    good_args, bad_args = run_firejail(program, all_args)
+
+    good_args = arg_converter(good_args, 'to_profile')
+    bad_args = arg_converter(bad_args, 'to_profile')
+
+    print('\n###########################')
+    print('Debugging completed.')
+    print(
+        'Please copy the following and report it to the Firejail development',
+        'team on GitHub at %s \n\n' %
+        'https://github.com/netblue30/firejail/issues')
+
+    subprocess.call(['firejail', '--version'])
+
+    print('These profile options break the program.')
+    print('```')
+    for item in bad_args:
+        print(item)
+    print('```\n\n\n')
+
+    print('This is a minimal working profile:')
+    print('```')
+    for item in good_args:
+        print(item)
+    print('```')
+
+
+if __name__ == '__main__':
+    main()
diff --git a/contrib/sort.py b/contrib/sort.py
new file mode 100755
index 000000000..4af9c674c
--- /dev/null
+++ b/contrib/sort.py
@@ -0,0 +1,108 @@
+#!/usr/bin/env python3
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+"""
+Sort the items of multi-item options in profiles, the following options are supported:
+  private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop, seccomp.drop, protocol
+
+Usage:
+    $ ./sort.py /path/to/profile [ /path/to/profile2 /path/to/profile3 ... ]
+Keep in mind that this will overwrite your profile(s).
+
+Examples:
+    $ ./sort.py MyAwesomeProfile.profile
+    $ ./sort.py new_profile.profile second_new_profile.profile
+    $ ./sort.py ~/.config/firejail/*.{profile,inc,local}
+    $ sudo ./sort.py /etc/firejail/*.{profile,inc,local}
+
+Exit-Codes:
+  0: No Error; No Profile Fixed.
+  1: Error, one or more profiles were not processed correctly.
+  101: No Error; One or more profile were fixed.
+"""
+
+# Requirements:
+#  python >= 3.6
+from sys import argv, exit as sys_exit
+
+
+def sort_alphabetical(raw_items):
+    items = raw_items.split(",")
+    items.sort(key=lambda s: s.casefold())
+    return ",".join(items)
+
+
+def sort_protocol(protocols):
+    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+
+    # shortcut for common protocol lines
+    if protocols in ("unix", "unix,inet,inet6"):
+        return protocols
+
+    fixed_protocols = ""
+    for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"):
+        for prefix in ("", "-", "+", "="):
+            if f",{prefix}{protocol}," in f",{protocols},":
+                fixed_protocols += f"{prefix}{protocol},"
+    return fixed_protocols[:-1]
+
+
+def fix_profile(filename):
+    with open(filename, "r+") as profile:
+        lines = profile.read().split("\n")
+        was_fixed = False
+        fixed_profile = []
+        for lineno, line in enumerate(lines):
+            if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
+                fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
+            elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
+                fixed_line = f"{line[:13]}{sort_alphabetical(line[13:])}"
+            elif line[:10] in ("caps.drop ", "caps.keep "):
+                fixed_line = f"{line[:10]}{sort_alphabetical(line[10:])}"
+            elif line[:8] == "protocol":
+                fixed_line = f"protocol {sort_protocol(line[9:])}"
+            elif line[:8] == "seccomp ":
+                fixed_line = f"{line[:8]}{sort_alphabetical(line[8:])}"
+            else:
+                fixed_line = line
+            if fixed_line != line:
+                was_fixed = True
+                print(
+                    f"{filename}:{lineno + 1}:-{line}\n"
+                    f"{filename}:{lineno + 1}:+{fixed_line}"
+                )
+            fixed_profile.append(fixed_line)
+        if was_fixed:
+            profile.seek(0)
+            profile.truncate()
+            profile.write("\n".join(fixed_profile))
+            profile.flush()
+            print(f"[ Fixed ] {filename}")
+            return 101
+        return 0
+
+
+def main(args):
+    exit_code = 0
+    print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...")
+    for filename in args:
+        try:
+            if exit_code not in (1, 101):
+                exit_code = fix_profile(filename)
+            else:
+                fix_profile(filename)
+        except FileNotFoundError:
+            print(f"[ Error ] Can't find `{filename}'")
+            exit_code = 1
+        except PermissionError:
+            print(f"[ Error ] Can't read/write `{filename}'")
+            exit_code = 1
+        except Exception as err:
+            print(f"[ Error ] An error occurred while processing `{filename}': {err}")
+            exit_code = 1
+    return exit_code
+
+
+if __name__ == "__main__":
+    sys_exit(main(argv[1:]))
diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh
new file mode 100755
index 000000000..728ff5a78
--- /dev/null
+++ b/contrib/syscalls.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt"
+SYSCALLS_OUTPUT_FILE="$(pwd)/syscalls.txt"
+
+if [ $# -eq 0 ]
+then
+  echo
+  echo "   *** No program specified!!! ***"
+  echo
+  echo -e "Make this file executable and execute it as:\\n"
+  echo -e "\\e[96m   syscalls.sh /full/path/to/program\\n"
+  echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n"
+  echo -e "\\e[96m   ./syscalls.sh /full/path/to/program\\n"
+  echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls."
+  echo
+  exit 0
+else
+  strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE"
+  echo
+  echo -e "\e[39mThese are the sorted syscalls:\n\e[93m"
+  cat "$SYSCALLS_OUTPUT_FILE"
+  echo
+  echo -e "\e[39mThe sorted syscalls were saved to:\n\e[96m$SYSCALLS_OUTPUT_FILE\n\e[39m"
+  exit 0
+fi
diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh
index 9d1567c0e..4c715aaf7 100755
--- a/contrib/update_deb.sh
+++ b/contrib/update_deb.sh
@@ -1,12 +1,24 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
 # Purpose: Fetch, compile, and install firejail from GitHub source. For
-#                       Debian-based distros only (Ubuntu, Mint, etc).
+# Debian-based distros only (Ubuntu, Mint, etc).
 set -e
-git clone --depth=1 https://www.github.com/netblue30/firejail.git
+
+git clone --depth=1 https://github.com/netblue30/firejail.git
 cd firejail
-./configure --prefix=/usr
+./configure --enable-apparmor --prefix=/usr
+
+# Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916920
+sed -i \
+    -e "s/# cgroup .*/cgroup no/" \
+    -e "s/# restricted-network .*/restricted-network yes/" \
+    etc/firejail.config
+
 make deb
 sudo dpkg -i firejail*.deb
-echo "Firejail was updated!"
+echo "Firejail updated."
 cd ..
 rm -rf firejail
diff --git a/contrib/vim/ftdetect/firejail.vim b/contrib/vim/ftdetect/firejail.vim
new file mode 100644
index 000000000..2edc741da
--- /dev/null
+++ b/contrib/vim/ftdetect/firejail.vim
@@ -0,0 +1,6 @@
+autocmd BufNewFile,BufRead /etc/firejail/*.profile      setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.local        setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.inc          setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.local   setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     setfiletype firejail
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
new file mode 100644
index 000000000..d07690ee2
--- /dev/null
+++ b/contrib/vim/syntax/firejail.vim
@@ -0,0 +1,100 @@
+" Vim syntax file
+" Language: Firejail security sandbox profile
+" URL: https://github.com/netblue30/firejail
+
+if exists("b:current_syntax")
+  finish
+endif
+
+
+syn iskeyword @,48-57,_,.,-
+
+
+syn keyword fjTodo TODO FIXME XXX NOTE contained
+syn match fjComment "#.*$" contains=fjTodo
+
+"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
+syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
+syn match fjCapabilityList /,/ nextgroup=fjCapability contained
+
+syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
+syn match fjProtocolList /,/ nextgroup=fjProtocol contained
+
+" Syscalls grabbed from: src/include/syscall*.h
+" Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' '
+syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
+" Syscall groups grabbed from: src/fseccomp/syscall.c
+" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|'
+syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
+syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
+" Errnos grabbed from: src/fseccomp/errno.c
+" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|'
+syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
+syn match fjSyscallList /,/ nextgroup=fjSyscall contained
+
+syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
+
+syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
+syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
+
+syn keyword fjAll all contained
+syn keyword fjNone none contained
+syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
+
+" Variable names grabbed from: src/firejail/macros.c
+" Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|'
+syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/
+
+" Commands grabbed from: src/firejail/profile.c
+" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
+syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
+syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
+syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
+syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
+syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
+syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
+syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
+syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
+syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
+" Commands that can't be inside a ?CONDITIONAL: statement
+syn match fjCommandNoCond /include / skipwhite contained
+syn match fjCommandNoCond /quiet$/ contained
+
+" Conditionals grabbed from: src/firejail/profile.c
+" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
+syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
+
+" A line is either a command, a conditional or a comment
+syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
+
+hi def link fjTodo Todo
+hi def link fjComment Comment
+hi def link fjCommand Statement
+hi def link fjCommandNoCond Statement
+hi def link fjConditional Macro
+hi def link fjVar Identifier
+hi def link fjCapability Type
+hi def link fjProtocol Type
+hi def link fjSyscall Type
+hi def link fjSyscallErrno Constant
+hi def link fjX11Sandbox Type
+hi def link fjEnvVar Type
+hi def link fjRmenvVar Type
+hi def link fjAll Type
+hi def link fjNone Type
+hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
+
+
+let b:current_syntax = "firejail"
diff --git a/etc-fixes/0.9.38/firefox.profile b/etc-fixes/0.9.38/firefox.profile
new file mode 100644
index 000000000..00244aaa4
--- /dev/null
+++ b/etc-fixes/0.9.38/firefox.profile
@@ -0,0 +1,32 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ${HOME}/.mozilla
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+
+#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+
+protocol unix,inet,inet6,netlink
+netfilter
+# tracelog
+noroot
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/dwhelper
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/atom.profile b/etc-fixes/0.9.52/atom.profile
index db3cbc687..87ffdced9 100644
--- a/etc/atom.profile
+++ b/etc-fixes/0.9.52/atom.profile
@@ -5,25 +5,23 @@ include /etc/firejail/atom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ~/.atom
-noblacklist ~/.config/Atom
+# blacklist /run/user/*/bus
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
+# net none
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 nosound
 notv
 novideo
-protocol unix,inet,inet6,netlink
-seccomp
-# net none
 shell none
 
 private-dev
diff --git a/etc-fixes/0.9.52/firefox.profile b/etc-fixes/0.9.52/firefox.profile
new file mode 100644
index 000000000..6a9ff977e
--- /dev/null
+++ b/etc-fixes/0.9.52/firefox.profile
@@ -0,0 +1,99 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+#seccomp - replaced with seccomp.drop for Firefox 60
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+#tracelog - disabled for Firefox 60
+
+disable-mnt
+# firefox requires a shell to launch on Arch.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gedit.profile b/etc-fixes/0.9.52/gedit.profile
index dc903bc2e..8dd71a196 100644
--- a/etc/gedit.profile
+++ b/etc-fixes/0.9.52/gedit.profile
@@ -5,6 +5,7 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# blacklist /run/user/*/bus - makes settings immutable
 
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
@@ -35,7 +36,8 @@ tracelog
 
 # private-bin gedit
 private-dev
-# private-etc fonts
+# private-etc alternatives,fonts
+#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/libreoffice.profile b/etc-fixes/0.9.52/libreoffice.profile
index 214b49c65..bbc52ff5e 100644
--- a/etc/libreoffice.profile
+++ b/etc-fixes/0.9.52/libreoffice.profile
@@ -7,7 +7,7 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.java
 noblacklist /usr/local/sbin
-noblacklist ~/.config/libreoffice
+noblacklist ${HOME}/.config/libreoffice
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -21,13 +21,13 @@ machine-id
 netfilter
 nodvd
 nogroups
-nonewprivs
+#nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
-seccomp
+#protocol unix,inet,inet6
+#seccomp
 shell none
-tracelog
+#tracelog
 
 private-dev
 private-tmp
diff --git a/etc-fixes/0.9.56/brave-browser.profile b/etc-fixes/0.9.56/brave-browser.profile
new file mode 100644
index 000000000..6e3a5df28
--- /dev/null
+++ b/etc-fixes/0.9.56/brave-browser.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for brave
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/brave.profile
diff --git a/etc-fixes/0.9.56/brave.profile b/etc-fixes/0.9.56/brave.profile
new file mode 100644
index 000000000..4c59c103f
--- /dev/null
+++ b/etc-fixes/0.9.56/brave.profile
@@ -0,0 +1,24 @@
+# Firejail profile for brave
+# This file is overwritten after every install/update
+# Description: Web browser that blocks ads and trackers by default.
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/BraveSoftware
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+
+mkdir ${HOME}/.config/brave
+mkdir ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.gnupg
+
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
+# Redirect
+include /etc/firejail/chromium-common.profile
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
new file mode 100644
index 000000000..9bc35da5a
--- /dev/null
+++ b/etc-fixes/0.9.58/atom.profile
@@ -0,0 +1,36 @@
+
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile
new file mode 100644
index 000000000..c8929127b
--- /dev/null
+++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.pythonrc.py
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
new file mode 100644
index 000000000..9f85a0e00
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
+These are patches for various Firejail versions for the security bug reported by Austin Morton
+on May 21, 2019:
+
+    Seccomp filters are copied into /run/firejail/mnt, and are writable
+    within the jail. A malicious process can modify files from inside the
+    jail. Processes that are later joined to the jail will not have seccomp
+    filters applied.
+
+The original discussion thread: https://github.com/netblue30/firejail/issues/2718
+The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
+
diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
new file mode 100644
index 000000000..59782461e
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
diff --git a/etc/0ad.profile b/etc/0ad.profile
deleted file mode 100644
index 9ca9834a8..000000000
--- a/etc/0ad.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for 0ad
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/0ad.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/0ad
-noblacklist ~/.config/0ad
-noblacklist ~/.local/share/0ad
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/0ad
-mkdir ~/.config/0ad
-mkdir ~/.local/share/0ad
-whitelist ~/.cache/0ad
-whitelist ~/.config/0ad
-whitelist ~/.local/share/0ad
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
deleted file mode 100644
index 964a9e5fa..000000000
--- a/etc/2048-qt.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for 2048-qt
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/2048-qt.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/2048-qt
-noblacklist ~/.config/xiaoyong
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/7z.profile b/etc/7z.profile
deleted file mode 100644
index ea67bbe19..000000000
--- a/etc/7z.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Firejail profile for 7z
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/7z.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-private-dev
-
-include /etc/firejail/default.profile
diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
deleted file mode 100644
index 202bc26f4..000000000
--- a/etc/Cyberfox.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for cyberfox
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/cyberfox.profile
diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile
deleted file mode 100644
index 01e338ef2..000000000
--- a/etc/FossaMail.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for fossamail
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/fossamail.profile
diff --git a/etc/Gitter.profile b/etc/Gitter.profile
deleted file mode 100644
index b12dbd450..000000000
--- a/etc/Gitter.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for Gitter
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/gitter.profile
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
deleted file mode 100644
index 924f74389..000000000
--- a/etc/Mathematica.profile
+++ /dev/null
@@ -1,28 +0,0 @@
-# Firejail profile for Mathematica
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/Mathematica.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.Mathematica
-noblacklist ${HOME}/.Wolfram Research
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.Mathematica
-mkdir ~/.Wolfram Research
-whitelist ~/.Mathematica
-whitelist ~/.Wolfram Research
-whitelist ~/Documents/Wolfram Mathematica
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-nodvd
-nonewprivs
-noroot
-notv
-seccomp
diff --git a/etc/Natron.profile b/etc/Natron.profile
deleted file mode 100644
index b21790fe4..000000000
--- a/etc/Natron.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for natron
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/natron.profile
diff --git a/etc/Telegram.profile b/etc/Telegram.profile
deleted file mode 100644
index df6557a90..000000000
--- a/etc/Telegram.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for telegram
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/telegram.profile
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
deleted file mode 100644
index f4a5c9f54..000000000
--- a/etc/Thunar.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for Thunar
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/Thunar.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ~/.config/Thunar
-noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
diff --git a/etc/Viber.profile b/etc/Viber.profile
deleted file mode 100644
index 03e5f1086..000000000
--- a/etc/Viber.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for Viber
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/Viber.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.ViberPC
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.ViberPC
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-bin sh,bash,dash,dig,awk,Viber
-private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile
deleted file mode 100644
index dedf448ae..000000000
--- a/etc/VirtualBox.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for virtualbox
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/virtualbox.profile
diff --git a/etc/Wire.profile b/etc/Wire.profile
deleted file mode 100644
index 26b683f84..000000000
--- a/etc/Wire.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for wire
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/wire.profile
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
deleted file mode 100644
index 3251ef8aa..000000000
--- a/etc/abrowser.profile
+++ /dev/null
@@ -1,48 +0,0 @@
-# Firejail profile for abrowser
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/abrowser.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/mozilla
-noblacklist ~/.mozilla
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/mozilla/abrowser
-mkdir ~/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.cache/mozilla/abrowser
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/pipelight-silverlight5.1
-whitelist ~/.config/pipelight-widevine
-whitelist ~/.keysnail.js
-whitelist ~/.lastpass
-whitelist ~/.mozilla
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.pki
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64
-whitelist ~/.zotero
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/akregator.profile b/etc/akregator.profile
deleted file mode 100644
index f2e5ea341..000000000
--- a/etc/akregator.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for akregator
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/akregator.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/akregatorrc
-noblacklist ${HOME}/.local/share/akregator
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkfile ${HOME}/.config/akregatorrc
-mkdir ${HOME}/.local/share/akregator
-whitelist ${HOME}/.config/akregatorrc
-whitelist ${HOME}/.local/share/akregator
-include /etc/firejail/whitelist-common.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/amarok.profile b/etc/amarok.profile
deleted file mode 100644
index 79343fcdf..000000000
--- a/etc/amarok.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for amarok
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/amarok.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-# seccomp
-shell none
-
-# private-bin amarok
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/apktool.profile b/etc/apktool.profile
deleted file mode 100644
index 650c20de7..000000000
--- a/etc/apktool.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for apktool
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/apktool.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin apktool,bash,dash,java,dirname,basename,expr,sh
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
new file mode 100644
index 000000000..ca32f5b0d
--- /dev/null
+++ b/etc/apparmor/firejail-default
@@ -0,0 +1,141 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+
+# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
+# and <abstractions/dbus-session-strict>.
+#include <tunables/global>
+
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+profile firejail-default flags=(attach_disconnected,mediate_deleted) {
+
+##########
+# Allow D-Bus access. It may negatively affect security. Comment those lines or
+# use 'nodbus' option in profile if you don't need D-Bus functionality.
+##########
+#include <abstractions/dbus-strict>
+#include <abstractions/dbus-session-strict>
+dbus,
+# Add rule in order to avoid dbus-*=filter breakage (#3432)
+owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
+
+##########
+# With ptrace it is possible to inspect and hijack running programs.
+##########
+# Uncomment this line to allow all ptrace access
+#ptrace,
+# Allow obtaining some process information, but not ptrace(2)
+ptrace (read,readby) peer=@{profile_name},
+
+##########
+# Allow read access to whole filesystem and control it from firejail.
+##########
+/{,**} rklm,
+
+##########
+# Allow write access to paths writable in firejail which aren't used for
+# executing programs. /run, /proc and /sys are handled separately.
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
+
+##########
+# Whitelist writable paths under /run, /proc and /sys.
+##########
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
+
+# Allow writing to /var/mail and /var/spool/mail (for mail clients)
+# Uncomment to enable
+#owner /var/{mail,spool/mail}/** w,
+
+# Allow writing to removable media
+owner /{,var/}run/media/** w,
+
+# Allow logging Firejail blacklist violations to journal
+/{,var/}run/systemd/journal/socket w,
+/{,var/}run/systemd/journal/dev-log w,
+
+# Allow access to cups printing socket.
+/{,var/}run/cups/cups.sock w,
+
+# Allow access to pcscd socket (smartcards)
+/{,var/}run/pcscd/pcscd.comm w,
+
+# Needed for browser self-sandboxing
+owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
+
+# Needed for electron apps
+/proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
+
+# Used by chromium
+owner /proc/@{PID}/oom_score_adj w,
+owner /proc/@{PID}/clear_refs w,
+
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
+# or similar to /etc/apparmor.d/local/firejail-default (without the quotes).
+##########
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
+#/{,run/firejail/mnt/oroot/}home/** ix,
+
+# Appimage support
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
+
+##########
+# Blacklist specific sensitive paths.
+##########
+deny /**/.fscrypt/ rw,
+deny /**/.fscrypt/** rwklmx,
+deny /**/.snapshots/ rw,
+deny /**/.snapshots/** rwklmx,
+
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+# needed for wireshark, tcpdump etc
+network bluetooth,
+network packet,
+
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal (send) peer=@{profile_name},
+signal (receive),
+
+##########
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
+##########
+# The list of recognized capabilities varies from one apparmor version to another.
+# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
+# We allow all caps by default and remove the  ones we don't like:
+capability,
+deny capability audit_write,
+deny capability audit_control,
+deny capability mac_override,
+deny capability mac_admin,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/firejail-default>
+}
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
new file mode 100644
index 000000000..3dfd3d0ea
--- /dev/null
+++ b/etc/apparmor/firejail-local
@@ -0,0 +1,15 @@
+# Site-specific additions and overrides for 'firejail-default'.
+# For more details, please see /etc/apparmor.d/local/README.
+
+# Here are some examples to allow running programs from home directory.
+# Don't enable all of these, just pick a specific one or write a custom rule
+# instead as done below for torbrowser-launcher.
+#owner @HOME/** ix,
+#owner @HOME/bin/** ix
+#owner @HOME/.local/bin/** ix
+
+# Uncomment to opt-in to apparmor for brave + tor
+#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,
+
+# Uncomment to opt-in to apparmor for torbrowser-launcher
+#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile
deleted file mode 100644
index d8ed64811..000000000
--- a/etc/arch-audit.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for arch-audit
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/arch-audit.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist /var/lib/pacman
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private
-private-bin arch-audit
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ardour4.profile b/etc/ardour4.profile
deleted file mode 100644
index 7d1163174..000000000
--- a/etc/ardour4.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for ardour5
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/ardour5.profile
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
deleted file mode 100644
index 69b3dde46..000000000
--- a/etc/ardour5.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for ardour5
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/ardour5.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.config/ardour4
-noblacklist ${HOME}/.config/ardour5
-noblacklist ${HOME}/.lv2
-noblacklist ${HOME}/.vst
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix
-seccomp
-shell none
-
-#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
-private-dev
-#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/arduino.profile b/etc/arduino.profile
deleted file mode 100644
index b529ec266..000000000
--- a/etc/arduino.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for arduino
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/arduino.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.arduino15
-noblacklist ${HOME}/.java
-noblacklist ${HOME}/Arduino
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ark.profile b/etc/ark.profile
deleted file mode 100644
index ba9cb1134..000000000
--- a/etc/ark.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for ark
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/ark.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/arkrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin
-private-dev
-# private-etc
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/arm.profile b/etc/arm.profile
deleted file mode 100644
index afb6d465a..000000000
--- a/etc/arm.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for arm
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/arm.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.arm
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.arm
-whitelist ${HOME}/.arm
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-# private-bin arm,tor,sh,bash,dash,python2,python2.7,ps,lsof,ldconfig
-private-dev
-private-etc tor,passwd
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
deleted file mode 100644
index 4869ef4ea..000000000
--- a/etc/atom-beta.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for atom-beta
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/atom-beta.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.atom
-noblacklist ~/.config/Atom
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-private-tmp
diff --git a/etc/atool.profile b/etc/atool.profile
deleted file mode 100644
index c2e772f9d..000000000
--- a/etc/atool.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for atool
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/atool.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin atool
-private-dev
-private-etc none
-private-tmp
diff --git a/etc/atril.profile b/etc/atril.profile
deleted file mode 100644
index 052b41655..000000000
--- a/etc/atril.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for atril
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/atril.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/atril
-noblacklist ~/.local/share
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin atril, atril-previewer, atril-thumbnailer
-private-dev
-private-etc fonts,ld.so.cache
-# atril needs access to /tmp/mozilla* to work in firefox
-# private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/audacious.profile b/etc/audacious.profile
deleted file mode 100644
index 7e2b91773..000000000
--- a/etc/audacious.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for audacious
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/audacious.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/Audaciousrc
-noblacklist ~/.config/audacious
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin audacious
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/audacity.profile b/etc/audacity.profile
deleted file mode 100644
index 88aea243e..000000000
--- a/etc/audacity.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for audacity
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/audacity.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.audacity-data
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin audacity
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/aweather.profile b/etc/aweather.profile
deleted file mode 100644
index ef811b330..000000000
--- a/etc/aweather.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for aweather
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/aweather.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/aweather
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/aweather
-whitelist ~/.config/aweather
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin aweather
-private-dev
-private-tmp
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
deleted file mode 100644
index 2c2d70c00..000000000
--- a/etc/baloo_file.profile
+++ /dev/null
@@ -1,48 +0,0 @@
-# Firejail profile for baloo_file
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/baloo_file.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloorc
-noblacklist ${HOME}/.kde4/share/config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloorc
-noblacklist ${HOME}/.local/share/baloo
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-# Baloo makes ioprio_set system calls, which are blacklisted by default.
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
-shell none
-x11 xorg
-
-private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
-
-# Make home directory read-only and allow writing only to ~/.local/share
-# Note: Baloo will not be able to update the "first run" key in its configuration files.
-# read-only  ${HOME}
-# read-write ${HOME}/.local/share
-# noexec     ${HOME}/.local/share
diff --git a/etc/baobab.profile b/etc/baobab.profile
deleted file mode 100644
index ef733632d..000000000
--- a/etc/baobab.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for baobab
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/baobab.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin baobab
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
deleted file mode 100644
index 73d31c205..000000000
--- a/etc/bibletime.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for bibletime
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/bibletime.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist ~/.Xauthority
-blacklist ~/.bashrc
-
-noblacklist ~/.bibletime
-noblacklist ~/.config/qt5ct
-noblacklist ~/.sword
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${HOME}/.bibletime
-whitelist ${HOME}/.config/qt5ct
-whitelist ${HOME}/.sword
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# private-bin bibletime,qt5ct
-private-dev
-private-etc fonts,resolv.conf,sword,sword.conf,passwd
-private-tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
deleted file mode 100644
index f3498e9b9..000000000
--- a/etc/bleachbit.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for bleachbit
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/bleachbit.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin
-# private-dev
-# private-etc
-# private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/blender.profile b/etc/blender.profile
deleted file mode 100644
index f7ecbce55..000000000
--- a/etc/blender.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for blender
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/blender.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/blender
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/bless.profile b/etc/bless.profile
deleted file mode 100644
index 27557d9af..000000000
--- a/etc/bless.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for bless
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/bless.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/bless
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin bless,dash,sh,bash,mono
-private-dev
-private-etc fonts,mono
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
deleted file mode 100644
index f7e322838..000000000
--- a/etc/bluefish.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for bluefish
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/bluefish.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin bluefish
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/brackets.profile b/etc/brackets.profile
deleted file mode 100644
index 0a8c592a7..000000000
--- a/etc/brackets.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for brackets
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/brackets.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/Brackets
-noblacklist /opt/brackets/
-noblacklist /opt/google/
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
diff --git a/etc/brasero.profile b/etc/brasero.profile
deleted file mode 100644
index eff4cba43..000000000
--- a/etc/brasero.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for brasero
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/brasero.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/brasero
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin brasero
-# private-dev
-# private-etc fonts
-# private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/brave.profile b/etc/brave.profile
deleted file mode 100644
index 4a908c884..000000000
--- a/etc/brave.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for brave
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/brave.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/brave
-# brave uses gpg for built-in password manager
-noblacklist ~/.gnupg
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/brave
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.config/KeePass
-whitelist ~/.config/brave
-whitelist ~/.config/keepass
-whitelist ~/.config/lastpass
-whitelist ~/.keepass
-whitelist ~/.lastpass
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-# caps.drop all
-netfilter
-# nonewprivs
-# noroot
-nodvd
-notv
-# protocol unix,inet,inet6,netlink
-# seccomp
-
-# disable-mnt
diff --git a/etc/caja.profile b/etc/caja.profile
deleted file mode 100644
index 97663fddb..000000000
--- a/etc/caja.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for caja
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/caja.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a caja process running on MATE desktops firejail will have no effect.
-
-noblacklist ~/.config/caja
-noblacklist ~/.local/share/Trash
-noblacklist ~/.local/share/caja-python
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin caja
-# private-dev
-# private-etc fonts
-# private-tmp
diff --git a/etc/calibre.profile b/etc/calibre.profile
deleted file mode 100644
index 844231032..000000000
--- a/etc/calibre.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for calibre
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/calibre.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/calibre
-noblacklist ~/.config/calibre
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/calligra.profile b/etc/calligra.profile
deleted file mode 100644
index d2b76d22c..000000000
--- a/etc/calligra.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for calligra
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/calligra.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
-private-dev
-
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligraauthor.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligraconverter.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligraflow.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligraplan.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligraplanwork.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligrasheets.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligrastage.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile
deleted file mode 100644
index 629ab46c1..000000000
--- a/etc/calligrawords.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for calligra
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/calligra.profile
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
deleted file mode 100644
index 88be562c8..000000000
--- a/etc/cherrytree.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for cherrytree
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/cherrytree.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/cherrytree
-noblacklist /usr/bin/python2*
-noblacklist /usr/lib/python3*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile
deleted file mode 100644
index 472841e92..000000000
--- a/etc/chromium-browser.profile
+++ /dev/null
@@ -1,5 +0,0 @@
-# Firejail profile alias for chromium
-# This file is overwritten after every install/update
-
-# Redirect
-include /etc/firejail/chromium.profile
diff --git a/etc/chromium.profile b/etc/chromium.profile
deleted file mode 100644
index 0c7058a11..000000000
--- a/etc/chromium.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for chromium
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/chromium.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/chromium
-noblacklist ~/.config/chromium
-noblacklist ~/.config/chromium-flags.conf
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/chromium
-mkdir ~/.config/chromium
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/chromium
-whitelist ~/.config/chromium
-whitelist ~/.config/chromium-flags.conf
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-# private-bin chromium,chromium-browser,chromedriver
-private-dev
-# private-tmp - problems with multiple browser sessions
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cin.profile b/etc/cin.profile
deleted file mode 100644
index 6b3e3888b..000000000
--- a/etc/cin.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for cin
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/cin.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.bcast5
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-notv
-noroot
-protocol unix
-seccomp
-shell none
-
-private-bin cin,ffmpeg
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cinelerra.profile b/etc/cinelerra.profile
deleted file mode 100644
index e6a1941b5..000000000
--- a/etc/cinelerra.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for cin
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/cin.profile
diff --git a/etc/clamdscan.profile b/etc/clamdscan.profile
deleted file mode 100644
index f6861dfa1..000000000
--- a/etc/clamdscan.profile
+++ /dev/null
@@ -1,7 +0,0 @@
-# Firejail profile alias for clamav
-# This file is overwritten after every install/update
-quiet
-
-
-# Redirect
-include /etc/firejail/clamav.profile
diff --git a/etc/clamdtop.profile b/etc/clamdtop.profile
deleted file mode 100644
index f6861dfa1..000000000
--- a/etc/clamdtop.profile
+++ /dev/null
@@ -1,7 +0,0 @@
-# Firejail profile alias for clamav
-# This file is overwritten after every install/update
-quiet
-
-
-# Redirect
-include /etc/firejail/clamav.profile
diff --git a/etc/clamscan.profile b/etc/clamscan.profile
deleted file mode 100644
index f6861dfa1..000000000
--- a/etc/clamscan.profile
+++ /dev/null
@@ -1,7 +0,0 @@
-# Firejail profile alias for clamav
-# This file is overwritten after every install/update
-quiet
-
-
-# Redirect
-include /etc/firejail/clamav.profile
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
deleted file mode 100644
index 4ab49163b..000000000
--- a/etc/claws-mail.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for claws-mail
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/claws-mail.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.claws-mail
-noblacklist ~/.gnupg
-noblacklist ~/.signature
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
-private-tmp
diff --git a/etc/clementine.profile b/etc/clementine.profile
deleted file mode 100644
index 1d93e5f2c..000000000
--- a/etc/clementine.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Firejail profile for clementine
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/clementine.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/Clementine
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-# Clementine makes ioprio_set system calls, which are blacklisted by default.
-seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
diff --git a/etc/clipit.profile b/etc/clipit.profile
deleted file mode 100644
index e6ee7b636..000000000
--- a/etc/clipit.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for clipit
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/clipit.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/clipit
-noblacklist ${HOME}/.local/share/clipit
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
deleted file mode 100644
index a7c791a02..000000000
--- a/etc/cliqz.profile
+++ /dev/null
@@ -1,83 +0,0 @@
-# Firejail profile for cliqz
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/cliqz.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/cliqz
-noblacklist ~/.config/cliqz
-noblacklist ~/.config/okularpartrc
-noblacklist ~/.config/okularrc
-noblacklist ~/.config/qpdfview
-noblacklist ~/.kde/share/apps/okular
-noblacklist ~/.kde/share/config/okularpartrc
-noblacklist ~/.kde/share/config/okularrc
-noblacklist ~/.kde4/share/apps/okular
-noblacklist ~/.kde4/share/config/okularpartrc
-noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/gnome-shell/extensions
-noblacklist ~/.local/share/okular
-noblacklist ~/.local/share/qpdfview
-
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/mozilla/firefox
-mkdir ~/.mozilla
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.cache/mozilla/firefox
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/okularpartrc
-whitelist ~/.config/okularrc
-whitelist ~/.config/pipelight-silverlight5.1
-whitelist ~/.config/pipelight-widevine
-whitelist ~/.config/qpdfview
-whitelist ~/.kde/share/apps/okular
-whitelist ~/.kde/share/config/okularpartrc
-whitelist ~/.kde/share/config/okularrc
-whitelist ~/.kde4/share/apps/okular
-whitelist ~/.kde4/share/config/okularpartrc
-whitelist ~/.kde4/share/config/okularrc
-whitelist ~/.keysnail.js
-whitelist ~/.lastpass
-whitelist ~/.local/share/gnome-shell/extensions
-whitelist ~/.local/share/okular
-whitelist ~/.local/share/qpdfview
-whitelist ~/.mozilla
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.pki
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64
-whitelist ~/.zotero
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cmus.profile b/etc/cmus.profile
deleted file mode 100644
index 2d6f2454b..000000000
--- a/etc/cmus.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# Firejail profile for cmus
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/cmus.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/cmus
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin cmus
-private-etc group
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
deleted file mode 100644
index f6a9eefb6..000000000
--- a/etc/conkeror.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for conkeror
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/conkeror.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.conkeror.mozdev.org
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ~/.conkeror.mozdev.org
-whitelist ~/.conkerorrc
-whitelist ~/.gtkrc-2.0
-whitelist ~/.lastpass
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.zotero
-whitelist ~/Downloads
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
diff --git a/etc/conky.profile b/etc/conky.profile
deleted file mode 100644
index 4ee25f099..000000000
--- a/etc/conky.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for conky
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/conky.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/corebird.profile b/etc/corebird.profile
deleted file mode 100644
index 99a3335ef..000000000
--- a/etc/corebird.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for corebird
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/corebird.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/corebird
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin corebird
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cpio.profile b/etc/cpio.profile
deleted file mode 100644
index 7f4bc4a84..000000000
--- a/etc/cpio.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for cpio
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/cpio.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist /sbin
-noblacklist /usr/sbin
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nonewprivs
-nosound
-notv
-novideo
-seccomp
-shell none
-tracelog
-
-private-dev
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile
deleted file mode 100644
index 04301ffbd..000000000
--- a/etc/cryptocat.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for Cryptocat
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/Cryptocat.profile
diff --git a/etc/curl.profile b/etc/curl.profile
deleted file mode 100644
index 972bbe9cc..000000000
--- a/etc/curl.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for curl
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/curl.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ~/.curlrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-# private-bin curl
-private-dev
-# private-etc resolv.conf
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
deleted file mode 100644
index 63f6ea845..000000000
--- a/etc/cyberfox.profile
+++ /dev/null
@@ -1,72 +0,0 @@
-# Firejail profile for cyberfox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/cyberfox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.8pecxstudios
-noblacklist ~/.cache/8pecxstudios
-noblacklist ~/.config/okularpartrc
-noblacklist ~/.config/okularrc
-noblacklist ~/.config/qpdfview
-noblacklist ~/.kde/share/apps/okular
-noblacklist ~/.kde4/share/apps/okular
-noblacklist ~/.local/share/okular
-noblacklist ~/.local/share/qpdfview
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.8pecxstudios
-mkdir ~/.cache/8pecxstudios
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.8pecxstudios
-whitelist ~/.cache/8pecxstudios
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/okularpartrc
-whitelist ~/.config/okularrc
-whitelist ~/.config/pipelight-silverlight5.1
-whitelist ~/.config/pipelight-widevine
-whitelist ~/.config/qpdfview
-whitelist ~/.kde/share/apps/okular
-whitelist ~/.kde4/share/apps/okular
-whitelist ~/.keysnail.js
-whitelist ~/.lastpass
-whitelist ~/.local/share/okular
-whitelist ~/.local/share/qpdfview
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.pki
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64
-whitelist ~/.zotero
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# private-bin cyberfox,which,sh,dbus-launch,dbus-send,env
-private-dev
-# private-dev might prevent video calls going out
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/darktable.profile b/etc/darktable.profile
deleted file mode 100644
index c2dc0b42c..000000000
--- a/etc/darktable.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for darktable
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/darktable.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/darktable
-noblacklist ~/.config/darktable
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-#private-bin darktable
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/default.profile b/etc/default.profile
deleted file mode 100644
index 82eded802..000000000
--- a/etc/default.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for default
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/default.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# generic gui profile
-# depending on your usage, you can enable some of the commands below:
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-# ipc-namespace
-netfilter
-# no3d
-# nodvd
-# nogroups
-nonewprivs
-noroot
-# nosound
-# notv
-# novideo
-protocol unix,inet,inet6
-seccomp
-# shell none
-
-# disable-mnt
-# private
-# private-bin program
-# private-dev
-# private-etc none
-# private-lib
-# private-tmp
-
-# memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp
diff --git a/etc/deluge.profile b/etc/deluge.profile
deleted file mode 100644
index c311d2fa7..000000000
--- a/etc/deluge.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for deluge
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/deluge.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/deluge
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.config/deluge
-whitelist  ${DOWNLOADS}
-whitelist ${HOME}/.config/deluge
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-# deluge is using python on Debian
-# private-bin deluge,sh,python,uname
-private-dev
-private-tmp
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
deleted file mode 100644
index bdbb10b12..000000000
--- a/etc/dex2jar.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for dex2jar
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/dex2jar.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin dex2jar,dash,java,sh,bash,expr,dirname,ls,uname,grep
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/dia.profile b/etc/dia.profile
deleted file mode 100644
index 800c3bbf1..000000000
--- a/etc/dia.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for dia
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dia.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.dia
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-#private-bin dia
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/digikam.profile b/etc/digikam.profile
deleted file mode 100644
index ef518470e..000000000
--- a/etc/digikam.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for digikam
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/digikam.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/digikamrc
-noblacklist ${HOME}/.kde/share/apps/digikam
-noblacklist ${HOME}/.kde4/share/apps/digikam
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
-shell none
-
-# private-bin program
-# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
-# private-etc none
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/dillo.profile b/etc/dillo.profile
deleted file mode 100644
index aa8a395e1..000000000
--- a/etc/dillo.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for dillo
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dillo.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.dillo
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.dillo
-mkdir ~/.fltk
-whitelist ${DOWNLOADS}
-whitelist ~/.dillo
-whitelist ~/.fltk
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
diff --git a/etc/dino.profile b/etc/dino.profile
deleted file mode 100644
index 72f4f40b2..000000000
--- a/etc/dino.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for dino
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dino.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.local/share/dino
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.local/share/dino
-whitelist ${HOME}/.local/share/dino
-whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-bin dino
-private-dev
-# private-etc fonts # breaks server connection
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
deleted file mode 100644
index 021e6349e..000000000
--- a/etc/disable-common.inc
+++ /dev/null
@@ -1,316 +0,0 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/disable-common.local
-
-# History files in $HOME and clipboard managers
-blacklist-nolog ${HOME}/.*_history
-blacklist-nolog ${HOME}/.adobe
-blacklist-nolog ${HOME}/.cache/greenclip*
-blacklist-nolog ${HOME}/.history
-blacklist-nolog ${HOME}/.local/share/fish/fish_history
-blacklist-nolog ${HOME}/.macromedia
-blacklist-nolog /tmp/clipmenu*
-
-# X11 session autostart
-# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
-blacklist ${HOME}/.Xsession
-blacklist ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart-scripts
-blacklist ${HOME}/.config/lxsession/LXDE/autostart
-blacklist ${HOME}/.config/openbox/autostart
-blacklist ${HOME}/.config/openbox/environment
-blacklist ${HOME}/.config/plasma-workspace/env
-blacklist ${HOME}/.config/plasma-workspace/shutdown
-blacklist ${HOME}/.config/startupconfig
-blacklist ${HOME}/.fluxbox/startup
-blacklist ${HOME}/.gnomerc
-blacklist ${HOME}/.kde/Autostart
-blacklist ${HOME}/.kde/env
-blacklist ${HOME}/.kde/share/autostart
-blacklist ${HOME}/.kde/share/config/startupconfig
-blacklist ${HOME}/.kde/shutdown
-blacklist ${HOME}/.kde4/env
-blacklist ${HOME}/.kde4/Autostart
-blacklist ${HOME}/.kde4/share/autostart
-blacklist ${HOME}/.kde4/shutdown
-blacklist ${HOME}/.kde4/share/config/startupconfig
-blacklist ${HOME}/.local/share/autostart
-blacklist ${HOME}/.xinitrc
-blacklist ${HOME}/.xprofile
-blacklist ${HOME}/.xserverrc
-blacklist ${HOME}/.xsession
-blacklist ${HOME}/.xsessionrc
-blacklist /etc/X11/Xsession.d
-blacklist /etc/xdg/autostart
-
-# KDE config
-blacklist ${HOME}/.config/*.notifyrc
-blacklist ${HOME}/.config/khotkeysrc
-blacklist ${HOME}/.config/krunnerrc
-blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
-blacklist ${HOME}/.kde/share/apps/konsole
-blacklist ${HOME}/.kde/share/apps/kwin
-blacklist ${HOME}/.kde/share/apps/plasma
-blacklist ${HOME}/.kde/share/apps/solid
-blacklist ${HOME}/.kde/share/config/*.notifyrc
-blacklist ${HOME}/.kde/share/config/khotkeysrc
-blacklist ${HOME}/.kde/share/config/krunnerrc
-blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/apps/plasma
-blacklist ${HOME}/.kde4/share/apps/konsole
-blacklist ${HOME}/.kde4/share/apps/kwin
-blacklist ${HOME}/.kde4/share/config/krunnerrc
-blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/config/khotkeysrc
-blacklist ${HOME}/.kde4/share/apps/solid
-blacklist ${HOME}/.kde4/share/config/*.notifyrc
-blacklist ${HOME}/.local/share/kglobalaccel
-blacklist ${HOME}/.local/share/konsole
-blacklist ${HOME}/.local/share/kwin
-blacklist ${HOME}/.local/share/plasma
-blacklist ${HOME}/.local/share/solid
-read-only ${HOME}/.config/kdeglobals
-read-only ${HOME}/.kde/share/config/kdeglobals
-read-only ${HOME}/.kde/share/kde4/services
-read-only ${HOME}/.kde4/share/kde4/services
-read-only ${HOME}/.kde4/share/config/kdeglobals
-read-only ${HOME}/.local/share/kservices5
-
-# systemd
-blacklist ${HOME}/.config/systemd
-blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
-# blacklist /var/run/systemd
-#  - creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
-
-# VirtualBox
-blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/VirtualBox VMs
-
-# VeraCrypt
-blacklist ${HOME}/.VeraCrypt
-blacklist ${PATH}/veracrypt
-blacklist ${PATH}/veracrypt-uninstall.sh
-blacklist /usr/share/applications/veracrypt.*
-blacklist /usr/share/pixmaps/veracrypt.*
-blacklist /usr/share/veracrypt
-
-# TrueCrypt
-blacklist ${HOME}/.TrueCrypt
-blacklist ${PATH}/truecrypt
-blacklist ${PATH}/truecrypt-uninstall.sh
-blacklist /usr/share/applications/truecrypt.*
-blacklist /usr/share/pixmaps/truecrypt.*
-blacklist /usr/share/truecrypt
-
-# zuluCrypt
-blacklist ${HOME}/.zuluCrypt
-blacklist ${HOME}/.zuluCrypt-socket
-blacklist ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli
-
-# var
-blacklist /var/cache/apt
-blacklist /var/cache/pacman
-blacklist /var/lib/apt
-blacklist /var/lib/clamav
-blacklist /var/lib/dkms
-blacklist /var/lib/mysql/mysql.sock
-blacklist /var/lib/mysqld/mysql.sock
-blacklist /var/lib/pacman
-blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
-#          every sandbox, unless --writeble-var-log switch is activated
-blacklist /var/mail
-blacklist /var/opt
-blacklist /var/run/acpid.socket
-blacklist /var/run/docker.sock
-blacklist /var/run/minissdpd.sock
-blacklist /var/run/mysql/mysqld.sock
-blacklist /var/run/mysqld/mysqld.sock
-blacklist /var/run/rpcbind.sock
-blacklist /var/run/screens
-blacklist /var/spool/anacron
-blacklist /var/spool/cron
-blacklist /var/spool/mail
-
-# etc
-blacklist /etc/anacrontab
-blacklist /etc/cron*
-blacklist /etc/profile.d
-blacklist /etc/rc.local
-
-# Startup files
-read-only ${HOME}/.antigen
-read-only ${HOME}/.bash_aliases
-read-only ${HOME}/.bash_login
-read-only ${HOME}/.bash_logout
-read-only ${HOME}/.bash_profile
-read-only ${HOME}/.bashrc
-read-only ${HOME}/.config/fish
-read-only ${HOME}/.csh_files
-read-only ${HOME}/.cshrc
-read-only ${HOME}/.forward
-read-only ${HOME}/.local/share/fish
-read-only ${HOME}/.login
-read-only ${HOME}/.logout
-read-only ${HOME}/.pam_environment
-read-only ${HOME}/.pgpkey
-read-only ${HOME}/.plan
-read-only ${HOME}/.profile
-read-only ${HOME}/.project
-read-only ${HOME}/.tcshrc
-read-only ${HOME}/.zlogin
-read-only ${HOME}/.zlogout
-read-only ${HOME}/.zprofile
-read-only ${HOME}/.zsh.d
-read-only ${HOME}/.zsh_files
-read-only ${HOME}/.zshenv
-read-only ${HOME}/.zshrc
-read-only ${HOME}/.zshrc.local
-
-# Initialization files that allow arbitrary command execution
-read-only ${HOME}/.caffrc
-read-only ${HOME}/.dotfiles
-read-only ${HOME}/.emacs
-read-only ${HOME}/.emacs.d
-read-only ${HOME}/.exrc
-read-only ${HOME}/.gvimrc
-read-only ${HOME}/.iscreenrc
-read-only ${HOME}/.mailcap
-read-only ${HOME}/.msmtprc
-read-only ${HOME}/.mutt/muttrc
-read-only ${HOME}/.muttrc
-read-only ${HOME}/.nano
-read-only ${HOME}/.reportbugrc
-read-only ${HOME}/.tmux.conf
-read-only ${HOME}/.vim
-read-only ${HOME}/.vimrc
-read-only ${HOME}/.xmonad
-read-only ${HOME}/.xscreensaver
-read-only ${HOME}/_exrc
-read-only ${HOME}/_gvimrc
-read-only ${HOME}/_vimrc
-read-only ${HOME}/dotfiles
-
-# Make directories commonly found in $PATH read-only
-read-only ${HOME}/.gem
-read-only ${HOME}/.luarocks
-read-only ${HOME}/.npm-packages
-read-only ${HOME}/bin
-
-# The following block breaks trash functionality in file managers
-#read-only  ${HOME}/.local
-#read-write ${HOME}/.local/share
-#noexec     ${HOME}/.local/share
-blacklist   ${HOME}/.local/share/Trash
-
-# Write-protection for desktop entries
-read-only ${HOME}/.local/share/applications
-
-# top secret
-blacklist ${HOME}/*.kdb
-blacklist ${HOME}/*.kdbx
-blacklist ${HOME}/*.key
-blacklist ${HOME}/.Private
-blacklist ${HOME}/.caff
-blacklist ${HOME}/.cert
-blacklist ${HOME}/.config/keybase
-blacklist ${HOME}/.ecryptfs
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.kde/share/apps/kwallet
-blacklist ${HOME}/.kde4/share/apps/kwallet
-blacklist ${HOME}/.local/share/keyrings
-blacklist ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.mutt/muttrc
-blacklist ${HOME}/.muttrc
-blacklist ${HOME}/.netrc
-blacklist ${HOME}/.pki
-blacklist ${HOME}/.smbcredentials
-blacklist ${HOME}/.ssh
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /home/.ecryptfs
-blacklist /var/backup
-
-# system directories
-blacklist /sbin
-blacklist /usr/local/sbin
-blacklist /usr/sbin
-
-# system management
-blacklist ${PATH}/at
-blacklist ${PATH}/chage
-blacklist ${PATH}/chfn
-blacklist ${PATH}/chsh
-blacklist ${PATH}/crontab
-blacklist ${PATH}/evtest
-blacklist ${PATH}/expiry
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/gpasswd
-blacklist ${PATH}/ksu
-blacklist ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
-blacklist ${PATH}/nc
-blacklist ${PATH}/ncat
-blacklist ${PATH}/newgidmap
-blacklist ${PATH}/newgrp
-blacklist ${PATH}/newuidmap
-blacklist ${PATH}/ntfs-3g
-blacklist ${PATH}/pkexec
-blacklist ${PATH}/procmail
-blacklist ${PATH}/sg
-blacklist ${PATH}/strace
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/umount
-blacklist ${PATH}/unix_chkpwd
-blacklist ${PATH}/xev
-blacklist ${PATH}/xinput
-
-# other SUID binaries
-blacklist /usr/lib/virtualbox
-blacklist /usr/lib64/virtualbox
-
-# prevent lxterminal connecting to an existing lxterminal session
-blacklist /tmp/.lxterminal-socket*
-# prevent tmux connecting to an existing session
-blacklist /tmp/tmux-*
-
-# disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/lilyterm
-blacklist ${PATH}/mate-terminal
-blacklist ${PATH}/mate-terminal.wrapper
-blacklist ${PATH}/pantheon-terminal
-blacklist ${PATH}/roxterm
-blacklist ${PATH}/roxterm-config
-blacklist ${PATH}/terminix
-blacklist ${PATH}/tilix
-blacklist ${PATH}/urxvtc
-blacklist ${PATH}/urxvtcd
-blacklist ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper
-# blacklist ${PATH}/konsole
-# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
-
-# kernel files
-blacklist /initrd*
-blacklist /vmlinuz*
-
-# complement noexec ${HOME} and noexec /tmp
-noexec /tmp/.X11-unix
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
deleted file mode 100644
index 9ff58ae2a..000000000
--- a/etc/disable-devel.inc
+++ /dev/null
@@ -1,81 +0,0 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/disable-devel.local
-
-# development tools
-
-# GCC
-#blacklist /usr/lib/gcc - seems to create problems on Gentoo
-blacklist /usr/bin/as
-blacklist /usr/bin/c++*
-blacklist /usr/bin/c8*
-blacklist /usr/bin/c9*
-blacklist /usr/bin/cpp*
-blacklist /usr/bin/g++*
-blacklist /usr/bin/gcc*
-blacklist /usr/bin/gdb
-blacklist /usr/bin/ld
-blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
-blacklist /usr/bin/x86_64-linux-gnu-g++*
-blacklist /usr/bin/x86_64-linux-gnu-gcc*
-blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
-blacklist /usr/include
-
-# clang/llvm
-blacklist /usr/bin/clang*
-blacklist /usr/bin/lldb*
-blacklist /usr/bin/llvm*
-blacklist /usr/lib/llvm*
-
-# tcc - Tiny C Compiler
-blacklist /usr/bin/tcc
-blacklist /usr/bin/x86_64-tcc
-blacklist /usr/lib/tcc
-
-# Valgrind
-blacklist /usr/bin/valgrind*
-blacklist /usr/lib/valgrind
-
-# Perl
-blacklist /usr/bin/cpan*
-blacklist /usr/bin/perl
-blacklist /usr/lib/perl*
-blacklist /usr/share/perl*
-
-# PHP
-blacklist /usr/bin/php*
-blacklist /usr/lib/php*
-blacklist /usr/share/php*
-
-# Ruby
-blacklist /usr/bin/ruby
-blacklist /usr/lib/ruby
-
-# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
-# Python 2
-#blacklist /usr/bin/python2*
-#blacklist /usr/include/python2*
-#blacklist /usr/lib/python2*
-#blacklist /usr/local/lib/python2*
-#blacklist /usr/share/python2*
-#
-# Python 3
-#blacklist /usr/bin/python3*
-#blacklist /usr/include/python3*
-#blacklist /usr/lib/python3*
-#blacklist /usr/local/lib/python3*
-#blacklist /usr/share/python3*
-
-#Go
-blacklist /usr/bin/gccgo
-blacklist /usr/bin/go
-blacklist /usr/bin/gofmt
-
-#Rust
-blacklist /usr/bin/rust-gdb
-blacklist /usr/bin/rust-lldb
-blacklist /usr/bin/rustc
-
-#OpenSSL
-blacklist /usr/bin/openssl
-blacklist /usr/bin/openssl-1.0
diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
deleted file mode 100644
index 9507d3feb..000000000
--- a/etc/disable-passwdmgr.inc
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/disable-passwdmgr.local
-
-blacklist ${HOME}/.config/KeePass
-blacklist ${HOME}/.config/keepass
-blacklist ${HOME}/.config/keepassx
-blacklist ${HOME}/.config/keepassxc
-blacklist ${HOME}/.keepass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.keepassxc
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.local/share/KeePass
-blacklist ${HOME}/.local/share/keepass
-blacklist ${HOME}/.password-store
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
deleted file mode 100644
index 064e60294..000000000
--- a/etc/disable-programs.inc
+++ /dev/null
@@ -1,456 +0,0 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/disable-programs.local
-
-blacklist ${HOME}/.*coin
-blacklist ${HOME}/.8pecxstudios
-blacklist ${HOME}/.AndroidStudio*
-blacklist ${HOME}/.Atom
-blacklist ${HOME}/.FBReader
-blacklist ${HOME}/.FontForge
-blacklist ${HOME}/.IdeaIC*
-blacklist ${HOME}/.LuminanceHDR
-blacklist ${HOME}/.Mathematica
-blacklist ${HOME}/.Natron
-blacklist ${HOME}/.Skype
-blacklist ${HOME}/.Steam
-blacklist ${HOME}/.Steampath
-blacklist ${HOME}/.Steampid
-blacklist ${HOME}/.TelegramDesktop
-blacklist ${HOME}/.ViberPC
-blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.Wolfram Research
-blacklist ${HOME}/.aMule
-blacklist ${HOME}/.android
-blacklist ${HOME}/.arduino15
-blacklist ${HOME}/.atom
-blacklist ${HOME}/.attic
-blacklist ${HOME}/.audacity-data
-blacklist ${HOME}/.bcast5
-blacklist ${HOME}/.bibletime
-blacklist ${HOME}/.claws-mail
-blacklist ${HOME}/.config/0ad
-blacklist ${HOME}/.config/2048-qt
-blacklist ${HOME}/.config/Atom
-blacklist ${HOME}/.config/Audaciousrc
-blacklist ${HOME}/.config/Brackets
-blacklist ${HOME}/.config/Clementine
-blacklist ${HOME}/.config/Cryptocat
-blacklist ${HOME}/.config/Franz
-blacklist ${HOME}/.config/FreeCAD
-blacklist ${HOME}/.config/Gitter
-blacklist ${HOME}/.config/Google
-blacklist ${HOME}/.config/Gpredict
-blacklist ${HOME}/.config/INRIA
-blacklist ${HOME}/.config/InSilmaril
-blacklist ${HOME}/.config/Luminance
-blacklist ${HOME}/.config/Meltytech
-blacklist ${HOME}/.config/Mousepad
-blacklist ${HOME}/.config/Mumble
-blacklist ${HOME}/.config/MusE
-blacklist ${HOME}/.config/MuseScore
-blacklist ${HOME}/.config/Nylas Mail
-blacklist ${HOME}/.config/Qlipper
-blacklist ${HOME}/.config/QuiteRss
-blacklist ${HOME}/.config/QuiteRssrc
-blacklist ${HOME}/.config/Riot
-blacklist ${HOME}/.config/Rocket.Chat
-blacklist ${HOME}/.config/Slack
-blacklist ${HOME}/.config/Thunar
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/.config/Wire
-blacklist ${HOME}/.config/akregatorrc
-blacklist ${HOME}/.config/ardour4
-blacklist ${HOME}/.config/ardour5
-blacklist ${HOME}/.config/arkrc
-blacklist ${HOME}/.config/atril
-blacklist ${HOME}/.config/audacious
-blacklist ${HOME}/.config/aweather
-blacklist ${HOME}/.config/baloofilerc
-blacklist ${HOME}/.config/baloorc
-blacklist ${HOME}/.config/blender
-blacklist ${HOME}/.config/bless
-blacklist ${HOME}/.config/borg
-blacklist ${HOME}/.config/brasero
-blacklist ${HOME}/.config/brave
-blacklist ${HOME}/.config/caja
-blacklist ${HOME}/.config/calibre
-blacklist ${HOME}/.config/catfish
-blacklist ${HOME}/.config/cherrytree
-blacklist ${HOME}/.config/chromium
-blacklist ${HOME}/.config/chromium-dev
-blacklist ${HOME}/.config/chromium-flags.conf
-blacklist ${HOME}/.config/clipit
-blacklist ${HOME}/.config/cliqz
-blacklist ${HOME}/.config/cmus
-blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/darktable
-blacklist ${HOME}/.config/deadbeef
-blacklist ${HOME}/.config/deluge
-blacklist ${HOME}/.config/digikam
-blacklist ${HOME}/.config/dolphinrc
-blacklist ${HOME}/.config/dragonplayerrc
-blacklist ${HOME}/.config/enchant
-blacklist ${HOME}/.config/eog
-blacklist ${HOME}/.config/epiphany
-blacklist ${HOME}/.config/evince
-blacklist ${HOME}/.config/evolution
-blacklist ${HOME}/.config/filezilla
-blacklist ${HOME}/.config/flowblade
-blacklist ${HOME}/.config/gajim
-blacklist ${HOME}/.config/galculator
-blacklist ${HOME}/.config/geany
-blacklist ${HOME}/.config/gedit
-blacklist ${HOME}/.config/geeqie
-blacklist ${HOME}/.config/ghb
-blacklist ${HOME}/.config/globaltime
-blacklist ${HOME}/.config/google-chrome
-blacklist ${HOME}/.config/google-chrome-beta
-blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}/.config/gpicview
-blacklist ${HOME}/.config/gthumb
-blacklist ${HOME}/.config/gwenviewrc
-blacklist ${HOME}/.config/hexchat
-blacklist ${HOME}/.config/inox
-blacklist ${HOME}/.config/itch
-blacklist ${HOME}/.config/jd-gui.cfg
-blacklist ${HOME}/.config/k3brc
-blacklist ${HOME}/.config/katepartrc
-blacklist ${HOME}/.config/katerc
-blacklist ${HOME}/.config/kateschemarc
-blacklist ${HOME}/.config/katesyntaxhighlightingrc
-blacklist ${HOME}/.config/katevirc
-blacklist ${HOME}/.config/kdeconnect
-blacklist ${HOME}/.config/knotesrc
-blacklist ${HOME}/.config/ktorrentrc
-blacklist ${HOME}/.config/leafpad
-blacklist ${HOME}/.config/libreoffice
-blacklist ${HOME}/.config/lximage-qt
-blacklist ${HOME}/.config/mate-calc
-blacklist ${HOME}/.config/mate/eom
-blacklist ${HOME}/.config/mate/mate-dictionary
-blacklist ${HOME}/.config/mfusion
-blacklist ${HOME}/.config/midori
-blacklist ${HOME}/.config/mpv
-blacklist ${HOME}/.config/mupen64plus
-blacklist ${HOME}/.config/nautilus
-blacklist ${HOME}/.config/nemo
-blacklist ${HOME}/.config/netsurf
-blacklist ${HOME}/.config/okularpartrc
-blacklist ${HOME}/.config/okularrc
-blacklist ${HOME}/.config/opera
-blacklist ${HOME}/.config/opera-beta
-blacklist ${HOME}/.config/orage
-blacklist ${HOME}/.config/org.kde.gwenviewrc
-blacklist ${HOME}/.config/pcmanfm
-blacklist ${HOME}/.config/pdfmod
-blacklist ${HOME}/.config/Pinta
-blacklist ${HOME}/.config/pix
-blacklist ${HOME}/.config/pluma
-blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.config/qBittorrent
-blacklist ${HOME}/.config/qBittorrentrc
-blacklist ${HOME}/.config/qpdfview
-blacklist ${HOME}/.config/qt5ct
-blacklist ${HOME}/.config/qupzilla
-blacklist ${HOME}/.config/qutebrowser
-blacklist ${HOME}/.config/ranger
-blacklist ${HOME}/.config/redshift.conf
-blacklist ${HOME}/.config/ristretto
-blacklist ${HOME}/.config/scribus
-blacklist ${HOME}/.config/skypeforlinux
-blacklist ${HOME}/.config/slimjet
-blacklist ${HOME}/.config/smplayer
-blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/stellarium
-blacklist ${HOME}/.config/synfig
-blacklist ${HOME}/.config/telepathy-account-widgets
-blacklist ${HOME}/.config/torbrowser
-blacklist ${HOME}/.config/totem
-blacklist ${HOME}/.config/tox
-blacklist ${HOME}/.config/transmission
-blacklist ${HOME}/.config/uGet
-blacklist ${HOME}/.config/viewnior
-blacklist ${HOME}/.config/vivaldi
-blacklist ${HOME}/.config/vlc
-blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/wire
-blacklist ${HOME}/.config/wireshark
-blacklist ${HOME}/.config/xchat
-blacklist ${HOME}/.config/xed
-blacklist ${HOME}/.config/xfburn
-blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
-blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
-blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-blacklist ${HOME}/.config/xfce4-dict
-blacklist ${HOME}/.config/xiaoyong
-blacklist ${HOME}/.config/xmms2
-blacklist ${HOME}/.config/xplayer
-blacklist ${HOME}/.config/xreader
-blacklist ${HOME}/.config/xviewer
-blacklist ${HOME}/.config/yandex-browser
-blacklist ${HOME}/.config/yandex-browser-beta
-blacklist ${HOME}/.config/zathura
-blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.conkeror.mozdev.org
-blacklist ${HOME}/.curlrc
-blacklist ${HOME}/.dia
-blacklist ${HOME}/.dillo
-blacklist ${HOME}/.dooble
-blacklist ${HOME}/.dosbox
-blacklist ${HOME}/.dropbox-dist
-blacklist ${HOME}/.electrum*
-blacklist ${HOME}/.elinks
-blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs.d
-blacklist ${HOME}/.etr
-blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.flowblade
-blacklist ${HOME}/.fltk
-blacklist ${HOME}/.frozen-bubble
-blacklist ${HOME}/.gimp*
-blacklist ${HOME}/.git-credential-cache
-blacklist ${HOME}/.gitconfig
-blacklist ${HOME}/.googleearth/Cache/
-blacklist ${HOME}/.googleearth/Temp/
-blacklist ${HOME}/.googleearth/myplaces.backup.kml
-blacklist ${HOME}/.googleearth/myplaces.kml
-blacklist ${HOME}/.gradle
-blacklist ${HOME}/.guayadeque
-blacklist ${HOME}/.hedgewars
-blacklist ${HOME}/.hugin
-blacklist ${HOME}/.icedove
-blacklist ${HOME}/.imagej
-blacklist ${HOME}/.inkscape
-blacklist ${HOME}/.jack-server
-blacklist ${HOME}/.jack-settings
-blacklist ${HOME}/.java
-blacklist ${HOME}/.jitsi
-blacklist ${HOME}/.kde/share/apps/gwenview
-blacklist ${HOME}/.kde/share/apps/kcookiejar
-blacklist ${HOME}/.kde/share/apps/khtml
-blacklist ${HOME}/.kde/share/apps/konqsidebartng
-blacklist ${HOME}/.kde/share/apps/konqueror
-blacklist ${HOME}/.kde/share/apps/okular
-blacklist ${HOME}/.kde/share/config/baloofilerc
-blacklist ${HOME}/.kde/share/config/baloorc
-blacklist ${HOME}/.kde/share/config/digikam
-blacklist ${HOME}/.kde/share/config/gwenviewrc
-blacklist ${HOME}/.kde/share/config/k3brc
-blacklist ${HOME}/.kde/share/config/kcookiejarrc
-blacklist ${HOME}/.kde/share/config/khtmlrc
-blacklist ${HOME}/.kde/share/config/konq_history
-blacklist ${HOME}/.kde/share/config/konqsidebartngrc
-blacklist ${HOME}/.kde/share/config/konquerorrc
-blacklist ${HOME}/.kde/share/config/ktorrentrc
-blacklist ${HOME}/.kde/share/config/okularpartrc
-blacklist ${HOME}/.kde/share/config/okularrc
-blacklist ${HOME}/.kde4/share/config/baloorc
-blacklist ${HOME}/.kde4/share/config/baloofilerc
-blacklist ${HOME}/.kde4/share/apps/okular
-blacklist ${HOME}/.kde4/share/apps/konqueror
-blacklist ${HOME}/.kde4/share/apps/konqsidebartng
-blacklist ${HOME}/.kde4/share/apps/khtml
-blacklist ${HOME}/.kde4/share/apps/kcookiejar
-blacklist ${HOME}/.kde4/share/config/digikam
-blacklist ${HOME}/.kde4/share/apps/gwenview
-blacklist ${HOME}/.kde4/share/config/kcookiejarrc
-blacklist ${HOME}/.kde4/share/config/khtmlrc
-blacklist ${HOME}/.kde4/share/config/konq_history
-blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
-blacklist ${HOME}/.kde4/share/config/konquerorrc
-blacklist ${HOME}/.kde4/share/config/okularpartrc
-blacklist ${HOME}/.kde4/share/config/okularrc
-blacklist ${HOME}/.kde4/share/config/ktorrentrc
-blacklist ${HOME}/.kde4/share/config/gwenviewrc
-blacklist ${HOME}/.kde4/share/config/k3brc
-blacklist ${HOME}/.killingfloor
-blacklist ${HOME}/.kino-history
-blacklist ${HOME}/.kinorc
-blacklist ${HOME}/.kodi
-blacklist ${HOME}/.linphone-history.db
-blacklist ${HOME}/.linphonerc
-blacklist ${HOME}/.lmmsrc.xml
-blacklist ${HOME}/.local/.share/maps-places.json
-blacklist ${HOME}/.local/lib/python2.7/site-packages
-blacklist ${HOME}/.local/share/0ad
-blacklist ${HOME}/.local/share/3909/PapersPlease
-blacklist ${HOME}/.local/share/Empathy
-blacklist ${HOME}/.local/share/JetBrains
-blacklist ${HOME}/.local/share/Mumble
-blacklist ${HOME}/.local/share/QuiteRss
-blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/Steam
-blacklist ${HOME}/.local/share/SuperHexagon
-blacklist ${HOME}/.local/share/Terraria
-blacklist ${HOME}/.local/share/TpLogger
-blacklist ${HOME}/.local/share/akregator
-blacklist ${HOME}/.local/share/aspyr-media
-blacklist ${HOME}/.local/share/baloo
-blacklist ${HOME}/.local/share/caja-python
-blacklist ${HOME}/.local/share/cdprojektred
-blacklist ${HOME}/.local/share/clipit
-blacklist ${HOME}/.local/share/data/Mumble
-blacklist ${HOME}/.local/share/data/MusE
-blacklist ${HOME}/.local/share/data/MuseScore
-blacklist ${HOME}/.local/share/dino
-blacklist ${HOME}/.local/share/dolphin
-blacklist ${HOME}/.local/share/epiphany
-blacklist ${HOME}/.local/share/evolution
-blacklist ${HOME}/.local/share/feral-interactive
-blacklist ${HOME}/.local/share/gajim
-blacklist ${HOME}/.local/share/geary
-blacklist ${HOME}/.local/share/geeqie
-blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-chess
-blacklist ${HOME}/.local/share/gnome-music
-blacklist ${HOME}/.local/share/gnome-photos
-blacklist ${HOME}/.local/share/gwenview
-blacklist ${HOME}/.local/share/kate
-blacklist ${HOME}/.local/share/ktorrentrc
-blacklist ${HOME}/.local/share/kwrite
-blacklist ${HOME}/.local/share/lollypop
-blacklist ${HOME}/.local/share/meld
-blacklist ${HOME}/.local/share/multimc
-blacklist ${HOME}/.local/share/multimc5
-blacklist ${HOME}/.local/share/mupen64plus
-blacklist ${HOME}/.local/share/nautilus
-blacklist ${HOME}/.local/share/nautilus-python
-blacklist ${HOME}/.local/share/nemo
-blacklist ${HOME}/.local/share/nemo-python
-blacklist ${HOME}/.local/share/notes
-blacklist ${HOME}/.local/share/okular
-blacklist ${HOME}/.local/share/orage
-blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/pix
-blacklist ${HOME}/.local/share/psi+
-blacklist ${HOME}/.local/share/qpdfview
-blacklist ${HOME}/.local/share/scribus
-blacklist ${HOME}/.local/share/spotify
-blacklist ${HOME}/.local/share/steam
-blacklist ${HOME}/.local/share/supertux2
-blacklist ${HOME}/.local/share/telepathy
-blacklist ${HOME}/.local/share/terasology
-blacklist ${HOME}/.local/share/torbrowser
-blacklist ${HOME}/.local/share/totem
-blacklist ${HOME}/.local/share/vpltd
-blacklist ${HOME}/.local/share/vulkan
-blacklist ${HOME}/.local/share/wesnoth
-blacklist ${HOME}/.local/share/xplayer
-blacklist ${HOME}/.local/share/xreader
-blacklist ${HOME}/.local/share/zathura
-blacklist ${HOME}/.lv2
-blacklist ${HOME}/.mcabber
-blacklist ${HOME}/.mcabberrc
-blacklist ${HOME}/.mediathek3
-blacklist ${HOME}/.minetest
-blacklist ${HOME}/.mozilla
-blacklist ${HOME}/.mpdconf
-blacklist ${HOME}/.mplayer
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.multimc5
-blacklist ${HOME}/.mutt
-blacklist ${HOME}/.mutt/muttrc
-blacklist ${HOME}/.muttrc
-blacklist ${HOME}/.neverball
-blacklist ${HOME}/.nv
-blacklist ${HOME}/.nylas-mail
-blacklist ${HOME}/.openinvaders
-blacklist ${HOME}/.openshot
-blacklist ${HOME}/.openshot_qt
-blacklist ${HOME}/.opera
-blacklist ${HOME}/.opera-beta
-blacklist ${HOME}/.pingus
-blacklist ${HOME}/.purple
-blacklist ${HOME}/.qemu-launcher
-blacklist ${HOME}/.remmina
-blacklist ${HOME}/.repo_.gitconfig.json
-blacklist ${HOME}/.repoconfig
-blacklist ${HOME}/.retroshare
-blacklist ${HOME}/.scribus
-blacklist ${HOME}/.scribusrc
-blacklist ${HOME}/.simutrans
-blacklist ${HOME}/.steam
-blacklist ${HOME}/.steampath
-blacklist ${HOME}/.steampid
-blacklist ${HOME}/.stellarium
-blacklist ${HOME}/.subversion
-blacklist ${HOME}/.surf
-blacklist ${HOME}/.sword
-blacklist ${HOME}/.sylpheed-2.0
-blacklist ${HOME}/.synfig
-blacklist ${HOME}/.tconn
-blacklist ${HOME}/.thunderbird
-blacklist ${HOME}/.tooling
-blacklist ${HOME}/.tor-browser-en
-blacklist ${HOME}/.ts3client
-blacklist ${HOME}/.tuxguitar*
-blacklist ${HOME}/.unknow-horizons
-blacklist ${HOME}/.viking
-blacklist ${HOME}/.viking-maps
-blacklist ${HOME}/.vst
-blacklist ${HOME}/.w3m
-blacklist ${HOME}/.warzone2100-3.*
-blacklist ${HOME}/.weechat
-blacklist ${HOME}/.wgetrc
-blacklist ${HOME}/.wine
-blacklist ${HOME}/.wine64
-blacklist ${HOME}/.xiphos
-blacklist ${HOME}/.xmms
-blacklist ${HOME}/.xonotic
-blacklist ${HOME}/.xpdfrc
-blacklist ${HOME}/.zoom
-blacklist ${HOME}/wallet.dat
-blacklist /tmp/ssh-*
-
-# ~/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
diff --git a/etc/display.profile b/etc/display.profile
deleted file mode 100644
index eca749cec..000000000
--- a/etc/display.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for display
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/display.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix
-seccomp
-shell none
-# x11 xorg - problems on kubuntu 17.04
-
-# private-bin display - requires python
-private-dev
-# private-etc none - on Debian-based systems display is a symlink in /etc/alternatives
-private-tmp
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
deleted file mode 100644
index 6d4f6349a..000000000
--- a/etc/dnscrypt-proxy.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for dnscrypt-proxy
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dnscrypt-proxy.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist /sbin
-noblacklist /usr/sbin
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
-no3d
-nodvd
-nonewprivs
-nosound
-notv
-novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
-
-disable-mnt
-private
-private-dev
-
-# mdwe can break modules/plugins
-memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
deleted file mode 100644
index 2a1302adb..000000000
--- a/etc/dnsmasq.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for dnsmasq
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dnsmasq.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist /sbin
-noblacklist /usr/sbin
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps
-# caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
-no3d
-nodvd
-nonewprivs
-nosound
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-
-disable-mnt
-private
-private-dev
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
deleted file mode 100644
index 7566e927b..000000000
--- a/etc/dolphin.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for dolphin
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dolphin.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
-
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ~/.config/dolphinrc
-noblacklist ~/.local/share/dolphin
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin
-# private-dev
-# private-etc
-# private-tmp
diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile
deleted file mode 100644
index 4e1227a0f..000000000
--- a/etc/dooble-qt4.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for dooble
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/dooble.profile
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
deleted file mode 100644
index a64578e5c..000000000
--- a/etc/dosbox.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for dosbox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dosbox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.dosbox
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin dosbox
-private-dev
-private-tmp
diff --git a/etc/dragon.profile b/etc/dragon.profile
deleted file mode 100644
index c37f81ac9..000000000
--- a/etc/dragon.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for dragon
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dragon.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/dragonplayerrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin dragon
-private-dev
-# private-etc
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
deleted file mode 100644
index c8670357c..000000000
--- a/etc/dropbox.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for dropbox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/dropbox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/autostart
-noblacklist ~/.dropbox-dist
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.dropbox
-mkdir ~/.dropbox-dist
-mkdir ~/Dropbox
-mkfile ~/.config/autostart/dropbox.desktop
-whitelist ~/.config/autostart/dropbox.desktop
-whitelist ~/.dropbox
-whitelist ~/.dropbox-dist
-whitelist ~/Dropbox
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec /tmp
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
deleted file mode 100644
index 11499aba0..000000000
--- a/etc/ebook-viewer.profile
+++ /dev/null
@@ -1,8 +0,0 @@
-# Firejail profile alias for calibre
-# This file is overwritten after every install/update
-
-
-net none
-
-# Redirect
-include /etc/firejail/calibre.profile
diff --git a/etc/electron.profile b/etc/electron.profile
deleted file mode 100644
index 91e5cd3df..000000000
--- a/etc/electron.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Firejail profile for electron
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/electron.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${DOWNLOADS}
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
diff --git a/etc/elinks.profile b/etc/elinks.profile
deleted file mode 100644
index 10fd19f71..000000000
--- a/etc/elinks.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for elinks
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/elinks.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ~/.elinks
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin elinks
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/emacs.profile b/etc/emacs.profile
deleted file mode 100644
index 8351d6c42..000000000
--- a/etc/emacs.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Firejail profile for emacs
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/emacs.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.emacs
-noblacklist ~/.emacs.d
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
diff --git a/etc/enchant.profile b/etc/enchant.profile
deleted file mode 100644
index b7034b937..000000000
--- a/etc/enchant.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for enchant
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/enchant.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/enchant
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin enchant
-# private-dev
-# private-etc fonts
-# private-tmp
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
deleted file mode 100644
index c198adba9..000000000
--- a/etc/engrampa.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for engrampa
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/engrampa.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none - makes settings immutable
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin engrampa
-private-dev
-# private-etc fonts
-# private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/eog.profile b/etc/eog.profile
deleted file mode 100644
index 5ff926371..000000000
--- a/etc/eog.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for eog
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/eog.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.Steam
-noblacklist ~/.config/eog
-noblacklist ~/.local/share/Trash
-noblacklist ~/.steam
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none - makes settings immutable
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin eog
-private-dev
-private-etc fonts
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/eom.profile b/etc/eom.profile
deleted file mode 100644
index 802578959..000000000
--- a/etc/eom.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for eom
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/eom.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.Steam
-noblacklist ~/.config/mate/eom
-noblacklist ~/.local/share/Trash
-noblacklist ~/.steam
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none - makes settings immutable
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin eom
-private-dev
-private-etc fonts
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/etr.profile b/etc/etr.profile
deleted file mode 100644
index 96e8b46d9..000000000
--- a/etc/etr.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for etr
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/etr.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.etr
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.etr
-whitelist ~/.etr
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,netlink
-seccomp
-shell none
-
-# private-bin etr
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
deleted file mode 100644
index 466260c49..000000000
--- a/etc/evince.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for evince
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/evince.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/evince
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none breaks AppArmor on Ubuntu systems
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin evince,evince-previewer,evince-thumbnailer
-private-dev
-private-etc fonts
-# evince needs access to /tmp/mozilla* to work in firefox
-# private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/evolution.profile b/etc/evolution.profile
deleted file mode 100644
index 9f29b229b..000000000
--- a/etc/evolution.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for evolution
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/evolution.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ~/.bogofilter
-noblacklist ~/.cache/evolution
-noblacklist ~/.config/evolution
-noblacklist ~/.gnupg
-noblacklist ~/.local/share/evolution
-noblacklist ~/.pki
-noblacklist ~/.pki/nssdb
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
deleted file mode 100644
index 75e5be1b9..000000000
--- a/etc/exiftool.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for exiftool
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/exiftool.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist /usr/bin/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin exiftool,perl
-private-dev
-private-etc none
-private-tmp
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
deleted file mode 100644
index 01da2cafe..000000000
--- a/etc/fbreader.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for fbreader
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/fbreader.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.FBReader
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin fbreader,FBReader
-private-dev
-private-tmp
diff --git a/etc/feh.profile b/etc/feh.profile
deleted file mode 100644
index 7935b1354..000000000
--- a/etc/feh.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for feh
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/feh.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin feh,jpegexiforient,jpegtran
-private-dev
-private-etc feh
-private-tmp
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
deleted file mode 100644
index 3fd7f3d75..000000000
--- a/etc/fetchmail.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for fetchmail
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/fetchmail.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-#private-bin fetchmail,procmail,bash,chmod
-private-dev
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
deleted file mode 100644
index 5db39cf61..000000000
--- a/etc/ffmpeg.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for ffmpeg
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/ffmpeg.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-nonewprivs
-noroot
-# protocol none - needs to be implemented!
-seccomp
-# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-shell none
-tracelog
-
-private-bin ffmpeg
-private-dev
-private-tmp
-
-# memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
deleted file mode 100644
index 01e689b9d..000000000
--- a/etc/file-roller.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for file-roller
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/file-roller.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none - makes settings immutable
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin file-roller
-private-dev
-# private-etc fonts
-# private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/file.profile b/etc/file.profile
deleted file mode 100644
index a83b2cf7d..000000000
--- a/etc/file.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for file
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/file.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-hostname file
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-x11 none
-
-private-bin file
-private-dev
-private-etc magic.mgc,magic,localtime
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
deleted file mode 100644
index 866aaabca..000000000
--- a/etc/filezilla.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for filezilla
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/filezilla.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/filezilla
-noblacklist ${HOME}/.filezilla
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin filezilla,uname,sh,bash,dash,python,lsb_release,fzputtygen,fzsftp
-private-dev
-private-tmp
diff --git a/etc/firefox.profile b/etc/firefox.profile
deleted file mode 100644
index 1f4a8e3f6..000000000
--- a/etc/firefox.profile
+++ /dev/null
@@ -1,83 +0,0 @@
-# Firejail profile for firefox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/firefox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/mozilla
-noblacklist ~/.config/okularpartrc
-noblacklist ~/.config/okularrc
-noblacklist ~/.config/qpdfview
-noblacklist ~/.kde/share/apps/okular
-noblacklist ~/.kde/share/config/okularpartrc
-noblacklist ~/.kde/share/config/okularrc
-noblacklist ~/.kde4/share/apps/okular
-noblacklist ~/.kde4/share/config/okularpartrc
-noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/gnome-shell/extensions
-noblacklist ~/.local/share/okular
-noblacklist ~/.local/share/qpdfview
-noblacklist ~/.mozilla
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/mozilla/firefox
-mkdir ~/.mozilla
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.cache/mozilla/firefox
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/okularpartrc
-whitelist ~/.config/okularrc
-whitelist ~/.config/pipelight-silverlight5.1
-whitelist ~/.config/pipelight-widevine
-whitelist ~/.config/qpdfview
-whitelist ~/.kde/share/apps/okular
-whitelist ~/.kde/share/config/okularpartrc
-whitelist ~/.kde/share/config/okularrc
-whitelist ~/.kde4/share/apps/okular
-whitelist ~/.kde4/share/config/okularpartrc
-whitelist ~/.kde4/share/config/okularrc
-whitelist ~/.keysnail.js
-whitelist ~/.lastpass
-whitelist ~/.local/share/gnome-shell/extensions
-whitelist ~/.local/share/okular
-whitelist ~/.local/share/qpdfview
-whitelist ~/.mozilla
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.pki
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64
-whitelist ~/.zotero
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# firefox requires a shell to launch on Arch. We can possibly remove sh though.
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/firejail-default b/etc/firejail-default
deleted file mode 100644
index 5e1f2975c..000000000
--- a/etc/firejail-default
+++ /dev/null
@@ -1,161 +0,0 @@
-#########################################
-# Generic Firejail AppArmor profile
-#########################################
-
-##########
-# A simple PID declaration based on Ubuntu's @{pid}
-# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
-# We don't know if this definition is available outside Debian and Ubuntu, so
-# we declare our own here.
-##########
-@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
-
-profile firejail-default flags=(attach_disconnected,mediate_deleted) {
-
-##########
-# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
-# functionality.
-##########
-#dbus,
-
-##########
-# Mask /proc and /sys information leakage. The configuration here is barely
-# enough to run "top" or "ps aux".
-##########
-/ r,
-/{usr,bin,dev,etc,home,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/{,var/}run/ r,
-/{,var/}run/** r,
-/{,var/}run/user/**/dconf/ rw,
-/{,var/}run/user/**/dconf/user rw,
-/{,var/}run/user/**/pulse/ rw,
-/{,var/}run/user/**/pulse/** rw,
-/{,var/}run/user/**/*.slave-socket rw,
-/{,var/}run/user/**/orcexec.* rwkm,
-/{,var/}run/firejail/mnt/fslogger r,
-/{,var/}run/firejail/appimage r,
-/{,var/}run/firejail/appimage/** r,
-/{,var/}run/firejail/appimage/** ix,
-/{run,dev}/shm/ r,
-/{run,dev}/shm/** rmwk,
-
-/proc/ r,
-/proc/meminfo r,
-/proc/cpuinfo r,
-/proc/filesystems r,
-/proc/uptime r,
-/proc/loadavg r,
-/proc/stat r,
-/proc/sys/kernel/pid_max r,
-/proc/sys/kernel/shmmax r,
-/proc/sys/vm/overcommit_memory r,
-/proc/sys/vm/overcommit_ratio r,
-/proc/sys/kernel/random/uuid r,
-
-/sys/ r,
-/sys/bus/ r,
-/sys/bus/** r,
-/sys/class/ r,
-/sys/class/** r,
-/sys/devices/ r,
-/sys/devices/** r,
-
-/proc/@{PID}/ r,
-/proc/@{PID}/fd/ r,
-/proc/@{PID}/task/ r,
-/proc/@{PID}/cmdline r,
-/proc/@{PID}/comm r,
-/proc/@{PID}/stat r,
-/proc/@{PID}/statm r,
-/proc/@{PID}/status r,
-/proc/@{PID}/task/@{PID}/stat r,
-/proc/@{PID}/maps r,
-/proc/@{PID}/mounts r,
-/proc/@{PID}/mountinfo r,
-/proc/@{PID}/oom_score_adj r,
-/proc/@{PID}/auxv r,
-/proc/@{PID}/net/dev r,
-/proc/@{PID}/loginuid r,
-/proc/@{PID}/environ r,
-
-##########
-# Allow running programs only from well-known system directories. If you need
-# to run programs from your home directory, uncomment /home line.
-##########
-/lib/** ix,
-/lib64/** ix,
-/bin/** ix,
-/sbin/** ix,
-/usr/bin/** ix,
-/usr/sbin/** ix,
-/usr/local/** ix,
-/usr/lib/** ix,
-/usr/games/** ix,
-/opt/ r,
-/opt/** r,
-/opt/** ix,
-#/home/** ix,
-
-##########
-# Allow all networking functionality, and control it from Firejail.
-##########
-network inet,
-network inet6,
-network unix,
-network netlink,
-network raw,
-
-##########
-# There is no equivalent in Firejail for filtering signals.
-##########
-signal,
-
-##########
-# We let Firejail deal with capabilities.
-##########
-capability chown,
-capability dac_override,
-capability dac_read_search,
-capability fowner,
-capability fsetid,
-capability kill,
-capability setgid,
-capability setuid,
-capability setpcap,
-capability linux_immutable,
-capability net_bind_service,
-capability net_broadcast,
-capability net_admin,
-capability net_raw,
-capability ipc_lock,
-capability ipc_owner,
-capability sys_module,
-capability sys_rawio,
-capability sys_chroot,
-capability sys_ptrace,
-capability sys_pacct,
-capability sys_admin,
-capability sys_boot,
-capability sys_nice,
-capability sys_resource,
-capability sys_time,
-capability sys_tty_config,
-capability mknod,
-capability lease,
-capability audit_write,
-capability audit_control,
-capability setfcap,
-capability mac_override,
-capability mac_admin,
-
-##########
-# We let Firejail deal with mount/umount functionality.
-##########
-mount,
-remount,
-umount,
-pivot_root,
-
-# Site-specific additions and overrides. See local/README for details.
-#include <local/firejail-local>
-}
diff --git a/etc/firejail-local b/etc/firejail-local
deleted file mode 100644
index cddf44f13..000000000
--- a/etc/firejail-local
+++ /dev/null
@@ -1 +0,0 @@
-# Site-specific additions and overrides for 'firejail-default'
diff --git a/etc/firejail.config b/etc/firejail.config
index b597ed603..aec152b85 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -1,7 +1,9 @@
-# This is Firejail system-wide configuration file.  The file contains
+# This is Firejail system-wide configuration file. The file contains
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
+# Enable AppArmor functionality, default enabled.
+# apparmor yes
 
 # Number of ARP probes sent when assigning an IP address for --net option,
 # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
@@ -13,16 +15,24 @@
 # Enable or disable bind support, default enabled.
 # bind yes
 
+# Allow (DRM) execution in browsers, default disabled.
+# browser-allow-drm no
+
+# Disable U2F in browsers, default enabled.
+# browser-disable-u2f yes
+
+# Enable or disable cgroup support, default enabled.
+# cgroup yes
+
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
-# Use chroot for desktop programs, default enabled. The sandbox will have full
-# access to system's /dev directory in order to allow video acceleration,
-# and it will harden the rest of the chroot tree.
-# chroot-desktop yes
+# Enable or disable dbus handling, default enabled.
+# dbus yes
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
-# to these directories is enabled.
+# to these directories is enabled. Unlike --disable-mnt profile option this
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
 # Enable or disable file transfer support, default enabled.
@@ -31,16 +41,6 @@
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
-# Follow symlink as user. While using --whitelist feature,
-# symlinks pointing outside home directory are followed only
-# if both the link and the real file are owned by the user.
-# Enabled by default
-# follow-symlink-as-user yes
-
-# Follow symlink for private-bin command.
-# Disabled by default
-# follow-symlink-private-bin no
-
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
@@ -51,52 +51,89 @@
 # root user can always join sandboxes.
 # join yes
 
+# Timeout when joining a sandbox, default five seconds. It is not
+# possible to join a sandbox while it is still starting up. Wait up
+# to the specified period of time to allow sandbox setup to finish.
+# join-timeout 5
+
+# Enable or disable sandbox name change, default enabled.
+# name-change yes
+
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptables-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
 # Enable or disable networking features, default enabled.
 # network yes
 
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
+
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
+# Enable or disable private-cache feature, default enabled
+# private-cache yes
+
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
-# Remount /proc and /sys inside the sandbox, default enabled.
-# remount-proc-sys yes
-
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
 # Restricted networking grants access to --interface, --net=ethXXX and
 # --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
-# Change default netfilter configuration. When using --netfilter option without
-# a file argument, the default filter is hardcoded (see man 1 firejail). This
-# configuration entry allows the user to change the default by specifying
-# a file containing the filter configuration. The filter file format is the
-# format of  iptables-save  and iptable-restore commands. Example:
-# netfilter-default /etc/iptables.iptables.rules
-
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
+# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
+# seccomp-error-action EPERM
+
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
+# Disable whitelist top level directories, in addition to those
+# that are disabled out of the box. None by default; this is an example.
+# whitelist-disable-topdir /etc,/usr/etc
 
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
 
+# Xephyr command extra parameters. None by default; these are examples.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
+
 # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 # a full list of resolutions available on your specific setup.
 # xephyr-screen 640x480
@@ -107,17 +144,13 @@
 # Firejail window title in Xephyr, default enabled.
 # xephyr-window-title yes
 
-# Xephyr command extra parameters. None by default; these are examples.
-# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
-# xephyr-extra-params -grayscale
-
-# Xpra server command extra parameters. None by default; this is an example.
-# xpra-extra-params --dpi 96
-
 # Enable this option if you have a version of Xpra that supports --attach switch
 # for start command, default disabled.
 # xpra-attach no
 
+# Xpra server command extra parameters. None by default; this is an example.
+# xpra-extra-params --dpi 96
+
 # Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
 # color depth; use 24 unless you know exactly what you're doing.
 # xvfb-screen 640x480x24
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
deleted file mode 100644
index 18db4c597..000000000
--- a/etc/flashpeak-slimjet.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for flashpeak-slimjet
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/flashpeak-slimjet.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# This is a whitelisted profile, the internal browser sandbox
-# is disabled because it requires sudo password. The command
-# to run it is as follows:
-#  firejail flashpeak-slimjet --no-sandbox
-
-noblacklist ~/.cache/slimjet
-noblacklist ~/.config/slimjet
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/slimjet
-mkdir ~/.config/slimjet
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/slimjet
-whitelist ~/.config/slimjet
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
deleted file mode 100644
index 29295f8a0..000000000
--- a/etc/fontforge.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for fontforge
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/fontforge.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.FontForge
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/fossamail.profile b/etc/fossamail.profile
deleted file mode 100644
index cef522c53..000000000
--- a/etc/fossamail.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Firejail profile for fossamail
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/fossamail.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/fossamail
-noblacklist ~/.fossamail
-noblacklist ~/.gnupg
-
-mkdir ~/.cache/fossamail
-mkdir ~/.fossamail
-mkdir ~/.gnupg
-whitelist ~/.cache/fossamail
-whitelist ~/.fossamail
-whitelist ~/.gnupg
-include /etc/firejail/whitelist-common.inc
-
-# allow browsers
-# Redirect
-include /etc/firejail/firefox.profile
diff --git a/etc/franz.profile b/etc/franz.profile
deleted file mode 100644
index f83b5018c..000000000
--- a/etc/franz.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for franz
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/franz.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/Franz
-noblacklist ~/.config/Franz
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/Franz
-mkdir ~/.config/Franz
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/Franz
-whitelist ~/.config/Franz
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/freecad.profile b/etc/freecad.profile
deleted file mode 100644
index 4fde66839..000000000
--- a/etc/freecad.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for freecad
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/freecad.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.config/FreeCAD
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin freecad,freecadcmd
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile
deleted file mode 100644
index f8bbff593..000000000
--- a/etc/freecadcmd.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for freecad
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/freecad.profile
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
deleted file mode 100644
index 40aa6d58d..000000000
--- a/etc/frozen-bubble.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for frozen-bubble
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/frozen-bubble.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.frozen-bubble
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.frozen-bubble
-whitelist ~/.frozen-bubble
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,netlink
-seccomp
-shell none
-
-# private-bin frozen-bubble
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/gajim.profile b/etc/gajim.profile
deleted file mode 100644
index f1929c015..000000000
--- a/etc/gajim.profile
+++ /dev/null
@@ -1,46 +0,0 @@
-# Firejail profile for gajim
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gajim.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/gajim
-noblacklist ${HOME}/.config/gajim
-noblacklist ${HOME}/.local/share/gajim
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.cache/gajim
-mkdir ${HOME}/.config/gajim
-mkdir ${HOME}/.local/lib/python2.7/site-packages/
-mkdir ${HOME}/.local/share/gajim
-mkdir ${HOME}/Downloads
-whitelist ${HOME}/.cache/gajim
-whitelist ${HOME}/.config/gajim
-whitelist ${HOME}/.local/lib/python2.7/site-packages/
-whitelist ${HOME}/.local/share/gajim
-whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-# private-bin python2.7 gajim
-private-dev
-# private-etc fonts
-# private-tmp
-# Allow the local python 2.7 site packages, in case any plugins are using these
-read-only ${HOME}/.local/lib/python2.7/site-packages/
diff --git a/etc/galculator.profile b/etc/galculator.profile
deleted file mode 100644
index dbc22a889..000000000
--- a/etc/galculator.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for galculator
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/galculator.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/galculator
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/galculator
-whitelist ~/.config/galculator
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin galculator
-private-dev
-private-etc fonts
-private-tmp
diff --git a/etc/geary.profile b/etc/geary.profile
deleted file mode 100644
index 3ab4a21d8..000000000
--- a/etc/geary.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# Firejail profile for geary
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/geary.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Users have Geary set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
-
-noblacklist ~/.gnupg
-noblacklist ~/.local/share/geary
-
-mkdir ~/.gnupg
-mkdir ~/.local/share/geary
-whitelist ~/.gnupg
-whitelist ~/.local/share/geary
-include /etc/firejail/whitelist-common.inc
-
-ignore private-tmp
-
-read-only ~/.config/mimeapps.list
-
-# allow browsers
-# Redirect
-include /etc/firejail/firefox.profile
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
deleted file mode 100644
index a50fd4370..000000000
--- a/etc/geeqie.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for geeqie
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/geeqie.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/geeqie
-noblacklist ~/.config/geeqie
-noblacklist ~/.local/share/geeqie
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin geeqie
-private-dev
-# private-etc X11
diff --git a/etc/ghb.profile b/etc/ghb.profile
deleted file mode 100644
index de6244a32..000000000
--- a/etc/ghb.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for handbrake
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/handbrake.profile
diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile
deleted file mode 100644
index a4e04af20..000000000
--- a/etc/gimp-2.8.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for gimp
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/gimp.profile
diff --git a/etc/gimp.profile b/etc/gimp.profile
deleted file mode 100644
index 292c2aac9..000000000
--- a/etc/gimp.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for gimp
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gimp.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.gimp*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-# gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME}
-noexec /tmp
diff --git a/etc/git.profile b/etc/git.profile
deleted file mode 100644
index 14fb55118..000000000
--- a/etc/git.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for git
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/git.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ~/.emacs
-noblacklist ~/.emacs.d
-noblacklist ~/.gitconfig
-noblacklist ~/.gnupg
-noblacklist ~/.ssh
-noblacklist ~/.vim
-noblacklist ~/.viminfo
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
diff --git a/etc/gitg.profile b/etc/gitg.profile
deleted file mode 100644
index 0c8495866..000000000
--- a/etc/gitg.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for gitg
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gitg.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.local/share/gitg
-noblacklist ${HOME}/.ssh
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin gitg,git,ssh
-private-dev
-private-tmp
-
-# mdwe breaks diff in older versions
-#memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gitter.profile b/etc/gitter.profile
deleted file mode 100644
index 3e84455f1..000000000
--- a/etc/gitter.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for gitter
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gitter.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/autostart
-noblacklist ~/.config/Gitter
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${DOWNLOADS}
-whitelist ~/.config/autostart
-whitelist ~/.config/Gitter
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-machine-id
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-bin bash,env,gitter
-private-etc fonts,pulse,resolv.conf
-private-opt Gitter
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gjs.profile b/etc/gjs.profile
deleted file mode 100644
index a856d35b5..000000000
--- a/etc/gjs.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for gjs
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gjs.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.cache/libgweather
-noblacklist ~/.cache/org.gnome.Books
-noblacklist ~/.config/libreoffice
-noblacklist ~/.local/share/gnome-photos
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
-private-dev
-# private-etc fonts
-private-tmp
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
deleted file mode 100644
index a292633c3..000000000
--- a/etc/gnome-2048.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for gnome-2048
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-2048.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.local/share/gnome-2048
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-mkdir ${HOME}/.local/share/gnome-2048
-whitelist ${HOME}/.local/share/gnome-2048
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
deleted file mode 100644
index 6998a3a42..000000000
--- a/etc/gnome-books.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for gnome-books
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-books.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.cache/org.gnome.Books
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin gjs gnome-books
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
deleted file mode 100644
index 9e70a563a..000000000
--- a/etc/gnome-calculator.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for gnome-calculator
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-calculator.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-bin gnome-calculator
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
deleted file mode 100644
index 4caf971dd..000000000
--- a/etc/gnome-chess.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for gnome-chess
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-chess.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.local/share/gnome-chess
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin fairymax,gnome-chess,hoichess
-private-dev
-private-etc fonts,gnome-chess
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
deleted file mode 100644
index be294ae9a..000000000
--- a/etc/gnome-clocks.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for gnome-clocks
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-clocks.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-# private-bin gnome-clocks
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
deleted file mode 100644
index 3a3808e56..000000000
--- a/etc/gnome-contacts.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for gnome-contacts
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-contacts.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/whitelist-common.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
deleted file mode 100644
index 3254f3fbc..000000000
--- a/etc/gnome-documents.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for gnome-documents
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-documents.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.config/libreoffice
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
deleted file mode 100644
index cca0313cc..000000000
--- a/etc/gnome-font-viewer.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for gnome-font-viewer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-font-viewer.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
deleted file mode 100644
index b1030597c..000000000
--- a/etc/gnome-maps.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for gnome-maps
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-maps.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ${HOME}/.cache/champlain
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-# private-bin gjs gnome-maps
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
deleted file mode 100644
index d63cc4500..000000000
--- a/etc/gnome-mplayer.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Firejail profile for gnome-mplayer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-mplayer.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-
-# private-bin gnome-mplayer,mplayer
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
deleted file mode 100644
index d1ef20e6b..000000000
--- a/etc/gnome-music.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for gnome-music
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-music.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.local/share/gnome-music
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin gnome-music,python3
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
deleted file mode 100644
index f9be4c4de..000000000
--- a/etc/gnome-photos.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for gnome-photos
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-photos.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.local/share/gnome-photos
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin gjs gnome-photos
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-ring.profile b/etc/gnome-ring.profile
deleted file mode 100644
index 3e6e82dac..000000000
--- a/etc/gnome-ring.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for gnome-ring
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-ring.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.local/share/gnome-ring
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
deleted file mode 100644
index e5804687c..000000000
--- a/etc/gnome-weather.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for gnome-weather
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gnome-weather.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.cache/libgweather
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-# private-bin gjs gnome-weather
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/goobox.profile b/etc/goobox.profile
deleted file mode 100644
index 98514ce8d..000000000
--- a/etc/goobox.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for goobox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/goobox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin goobox
-private-dev
-# private-etc fonts
-# private-tmp
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
deleted file mode 100644
index ac457b92f..000000000
--- a/etc/google-chrome-beta.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for google-chrome-beta
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/google-chrome-beta.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/google-chrome-beta
-noblacklist ~/.config/google-chrome-beta
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/google-chrome-beta
-mkdir ~/.config/google-chrome-beta
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/google-chrome-beta
-whitelist ~/.config/google-chrome-beta
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile
deleted file mode 100644
index 6ade19021..000000000
--- a/etc/google-chrome-stable.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for google-chrome
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/google-chrome.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
deleted file mode 100644
index 3d7a9a715..000000000
--- a/etc/google-chrome-unstable.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for google-chrome-unstable
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/google-chrome-unstable.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/google-chrome-unstable
-noblacklist ~/.config/google-chrome-unstable
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/google-chrome-unstable
-mkdir ~/.config/google-chrome-unstable
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/google-chrome-unstable
-whitelist ~/.config/google-chrome-unstable
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
deleted file mode 100644
index 6e5175989..000000000
--- a/etc/google-chrome.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for google-chrome
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/google-chrome.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/google-chrome
-noblacklist ~/.config/google-chrome
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/google-chrome
-mkdir ~/.config/google-chrome
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/google-chrome
-whitelist ~/.config/google-chrome
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
deleted file mode 100644
index b60f5b3a5..000000000
--- a/etc/google-earth.profile
+++ /dev/null
@@ -1,48 +0,0 @@
-# Firejail profile for google-earth
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/google-earth.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.googleearth/Cache/
-noblacklist ${HOME}/.googleearth/Temp/
-noblacklist ${HOME}/.googleearth/myplaces.backup.kml
-noblacklist ${HOME}/.googleearth/myplaces.kml
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.config/Google
-mkdir ${HOME}/.googleearth/Cache/
-mkdir ${HOME}/.googleearth/Temp/
-mkfile ${HOME}/.googleearth/myplaces.backup.kml
-mkfile ${HOME}/.googleearth/myplaces.kml
-whitelist ${HOME}/.config/Google
-whitelist ${HOME}/.googleearth/Cache/
-whitelist ${HOME}/.googleearth/Temp/
-whitelist ${HOME}/.googleearth/myplaces.backup.kml
-whitelist ${HOME}/.googleearth/myplaces.kml
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
deleted file mode 100644
index 704de6e40..000000000
--- a/etc/google-play-music-desktop-player.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for google-play-music-desktop-player
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/google-play-music-desktop-player.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/Google Play Music Desktop Player
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-# whitelist ~/.config/pulse
-# whitelist ~/.pulse
-whitelist ~/.config/Google Play Music Desktop Player
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
deleted file mode 100644
index 8fd2ce232..000000000
--- a/etc/gpg-agent.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for gpg-agent
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gpg-agent.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ~/.gnupg
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin gpg-agent,gpg
-private-dev
diff --git a/etc/gpg.profile b/etc/gpg.profile
deleted file mode 100644
index 8c39f85e3..000000000
--- a/etc/gpg.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for gpg
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gpg.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ~/.gnupg
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin gpg,gpg-agent
-private-dev
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
deleted file mode 100644
index 1842c9cb1..000000000
--- a/etc/gpicview.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for gpicview
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gpicview.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/gpicview
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin gpicview
-private-dev
-private-etc fonts
-private-tmp
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
deleted file mode 100644
index f204366c5..000000000
--- a/etc/gpredict.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for gpredict
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gpredict.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/Gpredict
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ~/.config/Gpredict
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin gpredict
-private-dev
-private-etc fonts,resolv.conf
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gtar.profile b/etc/gtar.profile
deleted file mode 100644
index d4bf18f95..000000000
--- a/etc/gtar.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for tar
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/tar.profile
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
deleted file mode 100644
index b6be37439..000000000
--- a/etc/gucharmap.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for gucharmap
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gucharmap.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-private
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
deleted file mode 100644
index 2b025e56c..000000000
--- a/etc/gwenview.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for gwenview
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/gwenview.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/gwenviewrc
-noblacklist ~/.config/org.kde.gwenviewrc
-noblacklist ~/.kde/share/apps/gwenview
-noblacklist ~/.kde/share/config/gwenviewrc
-noblacklist ~/.kde4/share/apps/gwenview
-noblacklist ~/.kde4/share/config/gwenviewrc
-noblacklist ~/.local/share/gwenview
-noblacklist ~/.local/share/org.kde.gwenview
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin gwenview,kbuildsycoca4,gimp,gimp-2.8
-private-dev
-# private-etc X11
-
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/gzip.profile b/etc/gzip.profile
deleted file mode 100644
index 0f04953d8..000000000
--- a/etc/gzip.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Firejail profile for gzip
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/gzip.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-private-dev
-
-include /etc/firejail/default.profile
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile
deleted file mode 100644
index de6244a32..000000000
--- a/etc/handbrake-gtk.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for handbrake
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/handbrake.profile
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
deleted file mode 100644
index 5235e91f2..000000000
--- a/etc/handbrake.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for handbrake
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/handbrake.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/ghb
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
deleted file mode 100644
index 5f08d7cb8..000000000
--- a/etc/hashcat.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for hashcat
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/hashcat.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.hashcat
-noblacklist /usr/include
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-private-bin hashcat
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
deleted file mode 100644
index e2775ffce..000000000
--- a/etc/hedgewars.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for hedgewars
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/hedgewars.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.hedgewars
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir     ~/.hedgewars
-whitelist ~/.hedgewars
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-seccomp
-tracelog
-
-disable-mnt
-private-dev
-private-tmp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
deleted file mode 100644
index 47d39e8c4..000000000
--- a/etc/hexchat.profile
+++ /dev/null
@@ -1,45 +0,0 @@
-# Firejail profile for hexchat
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/hexchat.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/hexchat
-# noblacklist /usr/lib/python2*
-# noblacklist /usr/lib/python3*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/hexchat
-whitelist ~/.config/hexchat
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-# debug note: private-bin requires perl, python, etc on some systems
-private-bin hexchat
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/highlight.profile b/etc/highlight.profile
deleted file mode 100644
index d3cacc581..000000000
--- a/etc/highlight.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for highlight
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/highlight.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin highlight
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/hugin.profile b/etc/hugin.profile
deleted file mode 100644
index 64b6e0c69..000000000
--- a/etc/hugin.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for hugin
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/hugin.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.hugin
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/icecat.profile b/etc/icecat.profile
deleted file mode 100644
index ab7e62180..000000000
--- a/etc/icecat.profile
+++ /dev/null
@@ -1,51 +0,0 @@
-# Firejail profile for icecat
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/icecat.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/mozilla
-noblacklist ~/.mozilla
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/mozilla/icecat
-mkdir ~/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.cache/mozilla/icecat
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/pipelight-silverlight5.1
-whitelist ~/.config/pipelight-widevine
-whitelist ~/.keysnail.js
-whitelist ~/.lastpass
-whitelist ~/.mozilla
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.pki
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64
-whitelist ~/.zotero
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/icedove.profile b/etc/icedove.profile
deleted file mode 100644
index 46861d9f2..000000000
--- a/etc/icedove.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Firejail profile for icedove
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/icedove.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Users have icedove set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
-
-noblacklist ~/.cache/icedove
-noblacklist ~/.gnupg
-noblacklist ~/.icedove
-
-mkdir ~/.cache/icedove
-mkdir ~/.gnupg
-mkdir ~/.icedove
-whitelist ~/.cache/icedove
-whitelist ~/.gnupg
-whitelist ~/.icedove
-include /etc/firejail/whitelist-common.inc
-
-ignore private-tmp
-
-# allow browsers
-# Redirect
-include /etc/firejail/firefox.profile
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
deleted file mode 100644
index f6b57dde0..000000000
--- a/etc/iceweasel.profile
+++ /dev/null
@@ -1,10 +0,0 @@
-# Firejail profile for iceweasel
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/iceweasel.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-# Redirect
-include /etc/firejail/firefox.profile
diff --git a/etc/ids.config b/etc/ids.config
new file mode 100644
index 000000000..09b0ae912
--- /dev/null
+++ b/etc/ids.config
@@ -0,0 +1,142 @@
+# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
+# This config file is overwritten when a new version of Firejail is installed.
+# For global customization use /etc/firejail/ids.config.local.
+include ids.config.local
+#
+# Each line is a file or directory name such as
+#       /usr/bin
+# or
+#       ${HOME}/Desktop/*.desktop
+#
+# ${HOME} is expanded to the user's home directory, and * is the regular
+# globbing match for zero or more characters.
+#
+# File or directory names starting with ! are not scanned. For example
+#        !${HOME}/.ssh/known_hosts
+#        ${HOME}/.ssh
+# will scan all files in ~/.ssh directory with the exception of known_hosts
+
+### system executables ###
+/bin
+/sbin
+/usr/bin
+/usr/games
+/usr/libexec
+/usr/sbin
+
+### user executables ###
+#/opt
+#/usr/local
+
+### system libraries ###
+#/lib
+#/usr/lib
+#/usr/lib32
+#/usr/lib64
+#/usr/libx32
+
+### shells local ###
+# bash
+${HOME}/.bash_login
+${HOME}/.bash_logout
+${HOME}/.bash_profile
+${HOME}/.bashrc
+# fish
+${HOME}/.config/fish/config.fish
+# others
+${HOME}/.cshrc
+${HOME}/.kshrc
+${HOME}/.login
+${HOME}/.logout
+${HOME}/.profile
+${HOME}/.tcshrc
+# zsh
+${HOME}/.zlogin
+${HOME}/.zlogout
+${HOME}/.zshenv
+${HOME}/.zshprofile
+${HOME}/.zshrc
+
+### shells global ###
+# all
+/etc/dircolors
+/etc/environment
+/etc/profile
+/etc/profile.d
+/etc/shells
+/etc/skel
+# bash
+/etc/bash_completion*
+/etc/bash.bashrc
+/etc/bashrc
+# fish
+/etc/fish
+# ksh
+/etc/ksh.kshrc
+# tcsh
+/etc/complete.tcsh
+/etc/csh.cshrc
+/etc/csh.login
+/etc/csh.logout
+# zsh
+/etc/zlogin
+/etc/zlogout
+/etc/zprofile
+/etc/zshenv
+/etc/zshrc
+
+### X11 ###
+/etc/X11
+${HOME}/.xinitrc
+${HOME}/.xmodmaprc
+${HOME}/.xprofile
+${HOME}/.Xresources
+${HOME}/.xserverrc
+${HOME}/.Xsession
+${HOME}/.xsession
+${HOME}/.xsessionrc
+
+### window/desktop manager ###
+${HOME}/Desktop/*.desktop
+${HOME}/.config/autostart
+${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.gnomerc
+${HOME}/.gtkrc
+${HOME}/.kderc
+
+### security ###
+/etc/aide
+/etc/apparmor*
+/etc/chkrootkit.conf
+/etc/cracklib
+/etc/libaudit.conf
+/etc/group*
+/etc/gshadow*
+/etc/pam.*
+/etc/passwd*
+/etc/rkhunter*
+/etc/securetty
+/etc/security
+/etc/selinux
+/etc/shadow*
+/etc/sudoers*
+/etc/tripwire
+${HOME}/.config/firejail
+${HOME}/.gnupg
+
+### network security ###
+/etc/ca-certificates*
+/etc/hosts.*
+/etc/services
+/etc/snort
+/etc/ssh
+/etc/ssl
+/etc/wireshark
+!${HOME}/.ssh/known_hosts # excluding
+${HOME}/.ssh
+/usr/share/ca-certificates
+
+### system config ###
+/etc/cron.*
+/etc/crontab
+/etc/default
diff --git a/etc/imagej.profile b/etc/imagej.profile
deleted file mode 100644
index 88a56c706..000000000
--- a/etc/imagej.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for imagej
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/imagej.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.imagej
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
deleted file mode 100644
index 943350484..000000000
--- a/etc/img2txt.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for img2txt
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/img2txt.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin img2txt
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc
new file mode 100644
index 000000000..d6c295414
--- /dev/null
+++ b/etc/inc/allow-bin-sh.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-bin-sh.local
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
new file mode 100644
index 000000000..011bbe226
--- /dev/null
+++ b/etc/inc/allow-common-devel.inc
@@ -0,0 +1,31 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-common-devel.local
+
+# Git
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
+
+# Node.js
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# Python
+noblacklist ${HOME}/.pylint.d
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+
+# Rust
+noblacklist ${HOME}/.cargo/*
diff --git a/etc/inc/allow-gjs.inc b/etc/inc/allow-gjs.inc
new file mode 100644
index 000000000..c1366e093
--- /dev/null
+++ b/etc/inc/allow-gjs.inc
@@ -0,0 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-gjs.local
+
+noblacklist ${PATH}/gjs
+noblacklist ${PATH}/gjs-console
+noblacklist /usr/lib/gjs
+noblacklist /usr/lib/libgjs*
+noblacklist /usr/lib/libmozjs-*
+noblacklist /usr/lib64/gjs
+noblacklist /usr/lib64/libgjs*
+noblacklist /usr/lib64/libmozjs-*
diff --git a/etc/inc/allow-java.inc b/etc/inc/allow-java.inc
new file mode 100644
index 000000000..24d18fb77
--- /dev/null
+++ b/etc/inc/allow-java.inc
@@ -0,0 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-java.local
+
+noblacklist ${HOME}/.java
+noblacklist ${PATH}/java
+noblacklist /etc/java
+noblacklist /usr/lib/java
+noblacklist /usr/share/java
diff --git a/etc/inc/allow-lua.inc b/etc/inc/allow-lua.inc
new file mode 100644
index 000000000..9c47e7a3b
--- /dev/null
+++ b/etc/inc/allow-lua.inc
@@ -0,0 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-lua.local
+
+noblacklist ${PATH}/lua*
+noblacklist /usr/include
+noblacklist /usr/lib/liblua*
+noblacklist /usr/lib/lua
+noblacklist /usr/lib64/liblua*
+noblacklist /usr/lib64/lua
+noblacklist /usr/share/lua
+noblacklist /usr/share/lua*
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
new file mode 100644
index 000000000..351c94ab8
--- /dev/null
+++ b/etc/inc/allow-nodejs.inc
@@ -0,0 +1,10 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-nodejs.local
+
+noblacklist ${PATH}/node
+noblacklist /usr/include/node
+
+# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
new file mode 100644
index 000000000..5d2d6c5c1
--- /dev/null
+++ b/etc/inc/allow-opengl-game.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-opengl-game.local
+
+noblacklist ${PATH}/bash
+whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
+private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
new file mode 100644
index 000000000..5a1952c94
--- /dev/null
+++ b/etc/inc/allow-perl.inc
@@ -0,0 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-perl.local
+
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/perl
+noblacklist ${PATH}/site_perl
+noblacklist ${PATH}/vendor_perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/lib64/perl*
+noblacklist /usr/share/perl*
diff --git a/etc/inc/allow-php.inc b/etc/inc/allow-php.inc
new file mode 100644
index 000000000..a0950dc26
--- /dev/null
+++ b/etc/inc/allow-php.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-php.local
+
+noblacklist ${PATH}/php*
+noblacklist /usr/lib/php*
+noblacklist /usr/share/php*
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc
new file mode 100644
index 000000000..b0525e2e1
--- /dev/null
+++ b/etc/inc/allow-python2.inc
@@ -0,0 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python2.local
+
+noblacklist ${PATH}/python2*
+noblacklist /usr/include/python2*
+noblacklist /usr/lib/python2*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/share/python2*
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc
new file mode 100644
index 000000000..d968886b0
--- /dev/null
+++ b/etc/inc/allow-python3.inc
@@ -0,0 +1,10 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python3.local
+
+noblacklist ${PATH}/python3*
+noblacklist /usr/include/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/lib64/python3*
+noblacklist /usr/local/lib/python3*
+noblacklist /usr/share/python3*
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
new file mode 100644
index 000000000..a8c701219
--- /dev/null
+++ b/etc/inc/allow-ruby.inc
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ruby.local
+
+noblacklist ${PATH}/ruby
+noblacklist /usr/lib/ruby
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
new file mode 100644
index 000000000..67c78a483
--- /dev/null
+++ b/etc/inc/allow-ssh.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ssh.local
+
+noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
+noblacklist /tmp/ssh-*
diff --git a/etc/inc/disable-X11.inc b/etc/inc/disable-X11.inc
new file mode 100644
index 000000000..d227c7a0b
--- /dev/null
+++ b/etc/inc/disable-X11.inc
@@ -0,0 +1,15 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-X11.local
+
+blacklist /tmp/.X11-unix
+blacklist ${HOME}/.Xauthority
+blacklist ${RUNUSER}/gdm/Xauthority
+blacklist ${RUNUSER}/.mutter-Xwaylandauth*
+blacklist ${RUNUSER}/xauth_*
+#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
+blacklist /tmp/xauth*
+blacklist /tmp/.ICE-unix
+blacklist ${RUNUSER}/ICEauthority
+rmenv DISPLAY
+rmenv XAUTHORITY
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
new file mode 100644
index 000000000..ae84ee38a
--- /dev/null
+++ b/etc/inc/disable-common.inc
@@ -0,0 +1,589 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-common.local
+
+# The following block breaks trash functionality in file managers
+#read-only ${HOME}/.local
+#read-write ${HOME}/.local/share
+blacklist ${HOME}/.local/share/Trash
+
+# History files in $HOME and clipboard managers
+blacklist-nolog ${HOME}/.*_history
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.cache/greenclip*
+blacklist-nolog ${HOME}/.histfile
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.kde/share/apps/klipper
+blacklist-nolog ${HOME}/.kde4/share/apps/klipper
+blacklist-nolog ${HOME}/.local/share/fish/fish_history
+blacklist-nolog ${HOME}/.local/share/klipper
+blacklist-nolog ${HOME}/.macromedia
+blacklist-nolog ${HOME}/.mupdf.history
+blacklist-nolog ${HOME}/.python-history
+blacklist-nolog ${HOME}/.python_history
+blacklist-nolog ${HOME}/.pythonhist
+blacklist-nolog ${HOME}/.lesshst
+blacklist-nolog ${HOME}/.viminfo
+blacklist-nolog /tmp/clipmenu*
+
+# X11 session autostart
+# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
+blacklist ${HOME}/.Xsession
+blacklist ${HOME}/.blackbox
+blacklist ${HOME}/.config/autostart
+blacklist ${HOME}/.config/autostart-scripts
+blacklist ${HOME}/.config/awesome
+blacklist ${HOME}/.config/i3
+blacklist ${HOME}/.config/sway
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.config/openbox
+blacklist ${HOME}/.config/plasma-workspace
+blacklist ${HOME}/.config/startupconfig
+blacklist ${HOME}/.config/startupconfigkeys
+blacklist ${HOME}/.fluxbox
+blacklist ${HOME}/.gnomerc
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/env
+blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.kde/share/config/startupconfig
+blacklist ${HOME}/.kde/share/config/startupconfigkeys
+blacklist ${HOME}/.kde/shutdown
+blacklist ${HOME}/.kde4/env
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde4/shutdown
+blacklist ${HOME}/.kde4/share/config/startupconfig
+blacklist ${HOME}/.kde4/share/config/startupconfigkeys
+blacklist ${HOME}/.local/share/autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.xserverrc
+blacklist ${HOME}/.xsession
+blacklist ${HOME}/.xsessionrc
+blacklist /etc/X11/Xsession.d
+blacklist /etc/xdg/autostart
+read-only ${HOME}/.Xauthority
+
+# Session manager
+# see #3358
+#?HAS_X11: blacklist ${HOME}/.ICEauthority
+#?HAS_X11: blacklist /tmp/.ICE-unix
+
+# KDE config
+blacklist ${HOME}/.cache/konsole
+blacklist ${HOME}/.config/khotkeysrc
+blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/kscreenlockerrc
+blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
+blacklist ${HOME}/.config/kwinrc
+blacklist ${HOME}/.config/kwinrulesrc
+blacklist ${HOME}/.config/plasma-locale-settings.sh
+blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+blacklist ${HOME}/.config/plasmashellrc
+blacklist ${HOME}/.config/plasmavaultrc
+blacklist ${HOME}/.kde/share/apps/kwin
+blacklist ${HOME}/.kde/share/apps/plasma
+blacklist ${HOME}/.kde/share/apps/solid
+blacklist ${HOME}/.kde/share/config/khotkeysrc
+blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/kscreensaverrc
+blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
+blacklist ${HOME}/.kde/share/config/kwinrc
+blacklist ${HOME}/.kde/share/config/kwinrulesrc
+blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.kde4/share/apps/kwin
+blacklist ${HOME}/.kde4/share/apps/plasma
+blacklist ${HOME}/.kde4/share/apps/solid
+blacklist ${HOME}/.kde4/share/config/khotkeysrc
+blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/kscreensaverrc
+blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
+blacklist ${HOME}/.kde4/share/config/kwinrc
+blacklist ${HOME}/.kde4/share/config/kwinrulesrc
+blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+blacklist ${HOME}/.local/share/kglobalaccel
+blacklist ${HOME}/.local/share/kwin
+blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
+blacklist ${HOME}/.local/share/solid
+blacklist /tmp/konsole-*.history
+read-only ${HOME}/.cache/ksycoca5_*
+read-only ${HOME}/.config/*notifyrc
+read-only ${HOME}/.config/kdeglobals
+read-only ${HOME}/.config/kio_httprc
+read-only ${HOME}/.config/kiorc
+read-only ${HOME}/.config/kioslaverc
+read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.kde/share/apps/konsole
+read-only ${HOME}/.kde/share/apps/kssl
+read-only ${HOME}/.kde/share/config/*notifyrc
+read-only ${HOME}/.kde/share/config/kdeglobals
+read-only ${HOME}/.kde/share/config/kio_httprc
+read-only ${HOME}/.kde/share/config/kioslaverc
+read-only ${HOME}/.kde/share/config/ksslcablacklist
+read-only ${HOME}/.kde/share/kde4/services
+read-only ${HOME}/.kde4/share/apps/konsole
+read-only ${HOME}/.kde4/share/apps/kssl
+read-only ${HOME}/.kde4/share/config/*notifyrc
+read-only ${HOME}/.kde4/share/config/kdeglobals
+read-only ${HOME}/.kde4/share/config/kio_httprc
+read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/config/ksslcablacklist
+read-only ${HOME}/.kde4/share/kde4/services
+read-only ${HOME}/.local/share/konsole
+read-only ${HOME}/.local/share/kservices5
+read-only ${HOME}/.local/share/kssl
+
+# KDE sockets
+blacklist ${RUNUSER}/*.slave-socket
+blacklist ${RUNUSER}/kdeinit5__*
+blacklist ${RUNUSER}/kdesud_*
+# see #3358
+#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
+#?HAS_NODBUS: blacklist /tmp/ksocket-*
+
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+# contains recently used files and serials of static/removable storage
+blacklist ${HOME}/.local/share/gvfs-metadata
+# no direct modification of dconf database
+read-only ${HOME}/.config/dconf
+blacklist ${RUNUSER}/gnome-session-leader-fifo
+blacklist ${RUNUSER}/gnome-shell
+blacklist ${RUNUSER}/gsconnect
+
+# systemd
+blacklist ${HOME}/.config/systemd
+blacklist ${HOME}/.local/share/systemd
+blacklist ${PATH}/systemctl
+blacklist ${PATH}/systemd-run
+blacklist ${RUNUSER}/systemd
+blacklist /etc/systemd/network
+blacklist /etc/systemd/system
+blacklist /var/lib/systemd
+# creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+#blacklist /var/run/systemd
+
+# openrc
+blacklist /etc/init.d
+blacklist /etc/rc.conf
+blacklist /etc/runlevels
+
+# VirtualBox
+blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/VirtualBox VMs
+
+# GNOME Boxes
+blacklist ${HOME}/.config/gnome-boxes
+blacklist ${HOME}/.local/share/gnome-boxes
+
+# libvirt
+blacklist ${HOME}/.cache/libvirt
+blacklist ${HOME}/.config/libvirt
+blacklist ${RUNUSER}/libvirt
+blacklist /var/cache/libvirt
+blacklist /var/lib/libvirt
+blacklist /var/log/libvirt
+
+# OCI-Containers / Podman
+blacklist ${RUNUSER}/containers
+blacklist ${RUNUSER}/crun
+blacklist ${RUNUSER}/libpod
+blacklist ${RUNUSER}/runc
+blacklist ${RUNUSER}/toolbox
+
+# VeraCrypt
+blacklist ${HOME}/.VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist /usr/share/veracrypt
+
+# TrueCrypt
+blacklist ${HOME}/.TrueCrypt
+blacklist ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt-uninstall.sh
+blacklist /usr/share/applications/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
+blacklist /usr/share/truecrypt
+
+# zuluCrypt
+blacklist ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt-socket
+blacklist ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluMount-cli
+
+# var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
+blacklist /var/lib/mysql/mysql.sock
+blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/upower
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
+# every sandbox, unless --writable-var-log switch is activated
+blacklist /var/mail
+blacklist /var/opt
+blacklist /var/run/acpid.socket
+blacklist /var/run/docker.sock
+blacklist /var/run/minissdpd.sock
+blacklist /var/run/mysql/mysqld.sock
+blacklist /var/run/mysqld/mysqld.sock
+blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/spool/anacron
+blacklist /var/spool/cron
+blacklist /var/spool/mail
+
+# etc
+blacklist /etc/adduser.conf
+blacklist /etc/anacrontab
+blacklist /etc/apparmor*
+blacklist /etc/cron*
+blacklist /etc/default
+blacklist /etc/dkms
+blacklist /etc/grub*
+blacklist /etc/kernel*
+blacklist /etc/logrotate*
+blacklist /etc/modules*
+blacklist /etc/profile.d
+blacklist /etc/rc.local
+# rc1.d, rc2.d, ...
+blacklist /etc/rc?.d
+blacklist /etc/sysconfig
+
+# hide config for various intrusion detection systems
+blacklist /etc/aide
+blacklist /etc/aide.conf
+blacklist /etc/chkrootkit.conf
+blacklist /etc/fail2ban.conf
+blacklist /etc/logcheck
+blacklist /etc/lynis
+blacklist /etc/rkhunter.*
+blacklist /etc/snort
+blacklist /etc/suricata
+blacklist /etc/tripwire
+blacklist /var/lib/rkhunter
+
+# Startup files
+read-only ${HOME}/.antigen
+read-only ${HOME}/.bash_aliases
+read-only ${HOME}/.bash_login
+read-only ${HOME}/.bash_logout
+read-only ${HOME}/.bash_profile
+read-only ${HOME}/.bashrc
+read-only ${HOME}/.config/environment.d
+read-only ${HOME}/.config/fish
+read-only ${HOME}/.csh_files
+read-only ${HOME}/.cshrc
+read-only ${HOME}/.forward
+read-only ${HOME}/.kshrc
+read-only ${HOME}/.local/share/fish
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.mkshrc
+read-only ${HOME}/.oh-my-zsh
+read-only ${HOME}/.pam_environment
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.profile
+read-only ${HOME}/.project
+read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zfunc
+read-only ${HOME}/.zlogin
+read-only ${HOME}/.zlogout
+read-only ${HOME}/.zprofile
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zsh_files
+read-only ${HOME}/.zshenv
+read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
+
+# Remote access
+blacklist ${HOME}/.rhosts
+blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
+blacklist /etc/hosts.equiv
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
+
+# Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.cargo/env
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.exrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/.homesick
+read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.local/lib
+read-only ${HOME}/.local/share/cool-retro-term
+read-only ${HOME}/.mailcap
+read-only ${HOME}/.msmtprc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.nano
+read-only ${HOME}/.npmrc
+read-only ${HOME}/.pythonrc.py
+read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.tmux.conf
+read-only ${HOME}/.vim
+read-only ${HOME}/.viminfo
+read-only ${HOME}/.vimrc
+read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
+read-only ${HOME}/.yarnrc
+read-only ${HOME}/_exrc
+read-only ${HOME}/_gvimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/dotfiles
+
+# Make directories commonly found in $PATH read-only
+read-only ${HOME}/.bin
+read-only ${HOME}/.cargo/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.local/bin
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+read-only ${HOME}/.nvm
+read-only ${HOME}/.rustup
+read-only ${HOME}/bin
+
+# Write-protection for desktop entries
+read-only ${HOME}/.config/menus
+read-only ${HOME}/.gnome/apps
+read-only ${HOME}/.local/share/applications
+
+read-only ${HOME}/.config/mimeapps.list
+read-only ${HOME}/.config/user-dirs.dirs
+read-only ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.local/share/mime
+
+# Write-protection for thumbnailer dir
+read-only ${HOME}/.local/share/thumbnailers
+
+# prevent access to ssh-agent
+blacklist /tmp/ssh-*
+
+# top secret
+blacklist /.fscrypt
+blacklist /etc/davfs2/secrets
+blacklist /etc/group+
+blacklist /etc/group-
+blacklist /etc/gshadow
+blacklist /etc/gshadow+
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/passwd-
+blacklist /etc/shadow
+blacklist /etc/shadow+
+blacklist /etc/shadow-
+blacklist /etc/ssh
+blacklist /etc/ssh/*
+blacklist /home/.ecryptfs
+blacklist /home/.fscrypt
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.key
+blacklist ${HOME}/Private
+blacklist ${HOME}/.Private
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.cargo/credentials
+blacklist ${HOME}/.cargo/credentials.toml
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.config/hub
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.davfs2/secrets
+blacklist ${HOME}/.ecryptfs
+blacklist ${HOME}/.fetchmailrc
+blacklist ${HOME}/.fscrypt
+blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/.git-credentials
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.local/share/keyrings
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.local/share/pki
+blacklist ${HOME}/.local/share/plasma-vault
+blacklist ${HOME}/.minisign
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.nyx
+blacklist ${HOME}/.pki
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.vaults
+blacklist /var/backup
+
+# Remove environment variables with auth tokens.
+# Note however that the sandbox might still have access to the
+# files where these variables are set.
+rmenv GH_TOKEN
+rmenv GITHUB_TOKEN
+rmenv GH_ENTERPRISE_TOKEN
+rmenv GITHUB_ENTERPRISE_TOKEN
+rmenv CARGO_REGISTRY_TOKEN
+rmenv RESTIC_KEY_HINT
+rmenv RESTIC_PASSWORD_COMMAND
+rmenv RESTIC_PASSWORD_FILE
+
+# cloud provider configuration
+blacklist ${HOME}/.aws
+blacklist ${HOME}/.boto
+blacklist ${HOME}/.config/gcloud
+blacklist ${HOME}/.kube
+blacklist ${HOME}/.passwd-s3fs
+blacklist ${HOME}/.s3cmd
+blacklist /etc/boto.cfg
+
+# system directories
+blacklist /sbin
+blacklist /usr/local/sbin
+blacklist /usr/sbin
+
+# system management
+blacklist ${PATH}/at
+blacklist ${PATH}/busybox
+blacklist ${PATH}/chage
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chsh
+blacklist ${PATH}/crontab
+blacklist ${PATH}/evtest
+blacklist ${PATH}/expiry
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/gksu
+blacklist ${PATH}/gksudo
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/kdesudo
+blacklist ${PATH}/ksu
+blacklist ${PATH}/mount
+blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+blacklist ${PATH}/nmap
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/procmail
+blacklist ${PATH}/sg
+blacklist ${PATH}/strace
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/tcpdump
+blacklist ${PATH}/umount
+blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/xev
+blacklist ${PATH}/xinput
+
+# other SUID binaries
+blacklist /usr/lib/virtualbox
+blacklist /usr/lib64/virtualbox
+
+# prevent lxterminal connecting to an existing lxterminal session
+blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
+
+# disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+# blacklist ${PATH}/konsole
+# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/lxterminal
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/tilix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
+
+# kernel files
+blacklist /initrd*
+blacklist /vmlinuz*
+
+# snapshot files
+blacklist /.snapshots
+
+# flatpak
+blacklist ${HOME}/.cache/flatpak
+blacklist ${HOME}/.config/flatpak
+noblacklist ${HOME}/.local/share/flatpak/exports
+read-only ${HOME}/.local/share/flatpak/exports
+blacklist ${HOME}/.local/share/flatpak/*
+blacklist ${HOME}/.var
+# most of the time bwrap is SUID binary
+blacklist ${PATH}/bwrap
+blacklist ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-cache
+blacklist ${RUNUSER}/.flatpak-helper
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
+blacklist /usr/share/flatpak
+noblacklist /var/lib/flatpak/exports
+blacklist /var/lib/flatpak/*
+
+# snap
+blacklist ${RUNUSER}/snapd-session-agent.socket
+
+# mail directories used by mutt
+blacklist ${HOME}/.Mail
+blacklist ${HOME}/.mail
+blacklist ${HOME}/.signature
+blacklist ${HOME}/Mail
+blacklist ${HOME}/mail
+blacklist ${HOME}/postponed
+blacklist ${HOME}/sent
+
+# kernel configuration
+blacklist /proc/config.gz
+
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/dnssec-*
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/drill
+blacklist ${PATH}/host
+blacklist ${PATH}/iodine
+blacklist ${PATH}/kdig
+blacklist ${PATH}/khost
+blacklist ${PATH}/knsupdate
+blacklist ${PATH}/ldns-*
+blacklist ${PATH}/ldnsd
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/resolvectl
+blacklist ${PATH}/unbound-host
+
+# rest of ${RUNUSER}
+blacklist ${RUNUSER}/*.lock
+blacklist ${RUNUSER}/inaccessible
+blacklist ${RUNUSER}/pk-debconf-socket
+blacklist ${RUNUSER}/update-notifier.pid
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
new file mode 100644
index 000000000..e74b1b40b
--- /dev/null
+++ b/etc/inc/disable-devel.inc
@@ -0,0 +1,69 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-devel.local
+
+# development tools
+
+# clang/llvm
+blacklist ${PATH}/clang*
+blacklist ${PATH}/lldb*
+blacklist ${PATH}/llvm*
+# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
+# blacklist /usr/lib/llvm*
+
+# GCC
+blacklist ${PATH}/as
+blacklist ${PATH}/cc
+blacklist ${PATH}/c++*
+blacklist ${PATH}/c8*
+blacklist ${PATH}/c9*
+blacklist ${PATH}/cpp*
+blacklist ${PATH}/g++*
+blacklist ${PATH}/gcc*
+blacklist ${PATH}/gdb
+blacklist ${PATH}/ld
+blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/*-g++*
+blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/*-g++*
+# seems to create problems on Gentoo
+#blacklist /usr/lib/gcc
+
+#Go
+blacklist ${PATH}/gccgo
+blacklist ${PATH}/go
+blacklist ${PATH}/gofmt
+
+# Java
+blacklist ${PATH}/java
+blacklist ${PATH}/javac
+blacklist /etc/java
+blacklist /usr/lib/java
+blacklist /usr/share/java
+
+#OpenSSL
+blacklist ${PATH}/openssl
+blacklist ${PATH}/openssl-1.0
+
+#Rust
+blacklist ${PATH}/rust-gdb
+blacklist ${PATH}/rust-lldb
+blacklist ${PATH}/rustc
+blacklist ${HOME}/.rustup
+
+# tcc - Tiny C Compiler
+blacklist ${PATH}/tcc
+blacklist ${PATH}/x86_64-tcc
+blacklist /usr/lib/tcc
+
+# Valgrind
+blacklist ${PATH}/valgrind*
+blacklist /usr/lib/valgrind
+
+
+# Source-Code
+
+blacklist /usr/src
+blacklist /usr/local/src
+blacklist /usr/include
+blacklist /usr/local/include
diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc
new file mode 100644
index 000000000..9b5c40a2b
--- /dev/null
+++ b/etc/inc/disable-exec.inc
@@ -0,0 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-exec.local
+
+noexec ${HOME}
+noexec ${RUNUSER}
+noexec /dev/mqueue
+noexec /dev/shm
+noexec /tmp
+# /var is noexec by default for unprivileged users
+# except there is a writable-var option, so just in case:
+noexec /var
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
new file mode 100644
index 000000000..5d8a236fb
--- /dev/null
+++ b/etc/inc/disable-interpreters.inc
@@ -0,0 +1,68 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-interpreters.local
+
+# gjs
+blacklist ${PATH}/gjs
+blacklist ${PATH}/gjs-console
+blacklist /usr/lib/gjs
+blacklist /usr/lib/libgjs*
+blacklist /usr/lib64/gjs
+blacklist /usr/lib64/libgjs*
+
+# Lua
+blacklist ${PATH}/lua*
+blacklist /usr/include/lua*
+blacklist /usr/lib/liblua*
+blacklist /usr/lib/lua
+blacklist /usr/lib64/liblua*
+blacklist /usr/lib64/lua
+blacklist /usr/share/lua*
+
+# mozjs
+blacklist /usr/lib/libmozjs-*
+blacklist /usr/lib64/libmozjs-*
+
+# Node.js
+blacklist ${PATH}/node
+blacklist /usr/include/node
+
+# nvm
+blacklist ${HOME}/.nvm
+
+# Perl
+blacklist ${PATH}/core_perl
+blacklist ${PATH}/cpan*
+blacklist ${PATH}/perl
+blacklist ${PATH}/site_perl
+blacklist ${PATH}/vendor_perl
+blacklist /usr/lib/perl*
+blacklist /usr/lib64/perl*
+blacklist /usr/share/perl*
+
+# PHP
+blacklist ${PATH}/php*
+blacklist /usr/lib/php*
+blacklist /usr/share/php*
+
+# Ruby
+blacklist ${PATH}/ruby
+blacklist /usr/lib/ruby
+
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
+# Python 2
+blacklist ${PATH}/python2*
+blacklist /usr/include/python2*
+blacklist /usr/lib/python2*
+blacklist /usr/local/lib/python2*
+blacklist /usr/share/python2*
+
+# You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
+
+# Python 3
+blacklist ${PATH}/python3*
+blacklist /usr/include/python3*
+blacklist /usr/lib/python3*
+blacklist /usr/lib64/python3*
+blacklist /usr/local/lib/python3*
+blacklist /usr/share/python3*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
new file mode 100644
index 000000000..4941630a2
--- /dev/null
+++ b/etc/inc/disable-programs.inc
@@ -0,0 +1,1129 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-programs.local
+
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.AndroidStudio*
+blacklist ${HOME}/.Atom
+blacklist ${HOME}/.CLion*
+blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.FontForge
+blacklist ${HOME}/.IdeaIC*
+blacklist ${HOME}/.LuminanceHDR
+blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Natron
+blacklist ${HOME}/.PlayOnLinux
+blacklist ${HOME}/.PyCharm*
+blacklist ${HOME}/.Sayonara
+blacklist ${HOME}/.Steam
+blacklist ${HOME}/.Steampath
+blacklist ${HOME}/.Steampid
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.VSCodium
+blacklist ${HOME}/.ViberPC
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/.WebStorm*
+blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.ZAP
+blacklist ${HOME}/.aMule
+blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
+blacklist ${HOME}/.android
+blacklist ${HOME}/.anydesk
+blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.aria2
+blacklist ${HOME}/.arm
+blacklist ${HOME}/.asunder_album_artist
+blacklist ${HOME}/.asunder_album_genre
+blacklist ${HOME}/.asunder_album_title
+blacklist ${HOME}/.atom
+blacklist ${HOME}/.attic
+blacklist ${HOME}/.audacity-data
+blacklist ${HOME}/.avidemux6
+blacklist ${HOME}/.ballbuster.hs
+blacklist ${HOME}/.balsa
+blacklist ${HOME}/.bcast5
+blacklist ${HOME}/.bibletime
+blacklist ${HOME}/.bitcoin
+blacklist ${HOME}/.blobby
+blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bzf
+blacklist ${HOME}/.cargo/*
+blacklist ${HOME}/.claws-mail
+blacklist ${HOME}/.cliqz
+blacklist ${HOME}/.clion*
+blacklist ${HOME}/.clonk
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/2048-qt
+blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Authenticator
+blacklist ${HOME}/.config/Beaker Browser
+blacklist ${HOME}/.config/Bitcoin
+blacklist ${HOME}/.config/Bitwarden
+blacklist ${HOME}/.config/Brackets
+blacklist ${HOME}/.config/BraveSoftware
+blacklist ${HOME}/.config/Clementine
+blacklist ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code - OSS
+blacklist ${HOME}/.config/Code Industry
+blacklist ${HOME}/.config/Cryptocat
+blacklist ${HOME}/.config/Debauchee/Barrier.conf
+blacklist ${HOME}/.config/Dharkael
+blacklist ${HOME}/.config/ENCOM
+blacklist ${HOME}/.config/Element
+blacklist ${HOME}/.config/Element (Riot)
+blacklist ${HOME}/.config/Enox
+blacklist ${HOME}/.config/Epic
+blacklist ${HOME}/.config/Exodus
+blacklist ${HOME}/.config/Ferdi
+blacklist ${HOME}/.config/Flavio Tordini
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.config/FreeCAD
+blacklist ${HOME}/.config/FreeTube
+blacklist ${HOME}/.config/Fritzing
+blacklist ${HOME}/.config/GIMP
+blacklist ${HOME}/.config/GitHub Desktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Google
+blacklist ${HOME}/.config/Google Play Music Desktop Player
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/INRIA
+blacklist ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/Jitsi Meet
+blacklist ${HOME}/.config/JetBrains/CLion*
+blacklist ${HOME}/.config/KDE/neochat
+blacklist ${HOME}/.config/KeePass
+blacklist ${HOME}/.config/KeePassXCrc
+blacklist ${HOME}/.config/Kid3
+blacklist ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/LibreCAD
+blacklist ${HOME}/.config/Loop_Hero
+blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/Mattermost
+blacklist ${HOME}/.config/Meltytech
+blacklist ${HOME}/.config/Mendeley Ltd.
+blacklist ${HOME}/.config/Microsoft
+blacklist ${HOME}/.config/Min
+blacklist ${HOME}/.config/ModTheSpire
+blacklist ${HOME}/.config/Mousepad
+blacklist ${HOME}/.config/Mumble
+blacklist ${HOME}/.config/MusE
+blacklist ${HOME}/.config/MuseScore
+blacklist ${HOME}/.config/MusicBrainz
+blacklist ${HOME}/.config/Nathan Osman
+blacklist ${HOME}/.config/Nextcloud
+blacklist ${HOME}/.config/NitroShare
+blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PBE
+blacklist ${HOME}/.config/PacmanLogViewer
+blacklist ${HOME}/.config/PawelStolowski
+blacklist ${HOME}/.config/Philipp Schmieder
+blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/QGIS
+blacklist ${HOME}/.config/QMediathekView
+blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QuiteRss
+blacklist ${HOME}/.config/QuiteRssrc
+blacklist ${HOME}/.config/Quotient
+blacklist ${HOME}/.config/Rambox
+blacklist ${HOME}/.config/Riot
+blacklist ${HOME}/.config/Rocket.Chat
+blacklist ${HOME}/.config/RogueLegacy
+blacklist ${HOME}/.config/RogueLegacyStorageContainer
+blacklist ${HOME}/.config/Signal
+blacklist ${HOME}/.config/Sinew Software Systems
+blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.config/Standard Notes
+blacklist ${HOME}/.config/SubDownloader
+blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Twitch
+blacklist ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/VirtualBox
+blacklist ${HOME}/.config/Whalebird
+blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/Youtube
+blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/Zeal
+blacklist ${HOME}/.config/Zulip
+blacklist ${HOME}/.config/aacs
+blacklist ${HOME}/.config/abiword
+blacklist ${HOME}/.config/agenda
+blacklist ${HOME}/.config/akonadi*
+blacklist ${HOME}/.config/akregatorrc
+blacklist ${HOME}/.config/alacritty
+blacklist ${HOME}/.config/ardour4
+blacklist ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/aria2
+blacklist ${HOME}/.config/arkrc
+blacklist ${HOME}/.config/artha.conf
+blacklist ${HOME}/.config/artha.log
+blacklist ${HOME}/.config/asunder
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/audacious
+blacklist ${HOME}/.config/autokey
+blacklist ${HOME}/.config/avidemux3_qt5rc
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/backintime
+blacklist ${HOME}/.config/baloofilerc
+blacklist ${HOME}/.config/baloorc
+blacklist ${HOME}/.config/bcompare
+blacklist ${HOME}/.config/blender
+blacklist ${HOME}/.config/bless
+blacklist ${HOME}/.config/bnox
+blacklist ${HOME}/.config/borg
+blacklist ${HOME}/.config/brasero
+blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/brave-flags.conf
+blacklist ${HOME}/.config/caja
+blacklist ${HOME}/.config/calibre
+blacklist ${HOME}/.config/cantata
+blacklist ${HOME}/.config/catfish
+blacklist ${HOME}/.config/cawbird
+blacklist ${HOME}/.config/celluloid
+blacklist ${HOME}/.config/cherrytree
+blacklist ${HOME}/.config/chrome-beta-flags.conf
+blacklist ${HOME}/.config/chrome-beta-flags.config
+blacklist ${HOME}/.config/chrome-flags.conf
+blacklist ${HOME}/.config/chrome-flags.config
+blacklist ${HOME}/.config/chrome-unstable-flags.conf
+blacklist ${HOME}/.config/chrome-unstable-flags.config
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/chromium-dev
+blacklist ${HOME}/.config/chromium-flags.conf
+blacklist ${HOME}/.config/clipit
+blacklist ${HOME}/.config/cliqz
+blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/com.github.bleakgrey.tootle
+blacklist ${HOME}/.config/corebird
+blacklist ${HOME}/.config/cower
+blacklist ${HOME}/.config/coyim
+blacklist ${HOME}/.config/d-feet
+blacklist ${HOME}/.config/darktable
+blacklist ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/devilspie2
+blacklist ${HOME}/.config/digikam
+blacklist ${HOME}/.config/digikamrc
+blacklist ${HOME}/.config/discord
+blacklist ${HOME}/.config/discordcanary
+blacklist ${HOME}/.config/dkl
+blacklist ${HOME}/.config/dnox
+blacklist ${HOME}/.config/dolphin-emu
+blacklist ${HOME}/.config/dolphinrc
+blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/draw.io
+blacklist ${HOME}/.config/electron-mail
+blacklist ${HOME}/.config/emaildefaults
+blacklist ${HOME}/.config/emailidentities
+blacklist ${HOME}/.config/emilia
+blacklist ${HOME}/.config/enchant
+blacklist ${HOME}/.config/eog
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/equalx
+blacklist ${HOME}/.config/evince
+blacklist ${HOME}/.config/evolution
+blacklist ${HOME}/.config/falkon
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.config/flameshot
+blacklist ${HOME}/.config/flaska.net
+blacklist ${HOME}/.config/flowblade
+blacklist ${HOME}/.config/font-manager
+blacklist ${HOME}/.config/freecol
+blacklist ${HOME}/.config/gajim
+blacklist ${HOME}/.config/galculator
+blacklist ${HOME}/.config/gallery-dl
+blacklist ${HOME}/.config/gconf
+blacklist ${HOME}/.config/geany
+blacklist ${HOME}/.config/geary
+blacklist ${HOME}/.config/gedit
+blacklist ${HOME}/.config/geeqie
+blacklist ${HOME}/.config/ghb
+blacklist ${HOME}/.config/ghostwriter
+blacklist ${HOME}/.config/git
+blacklist ${HOME}/.config/git-cola
+blacklist ${HOME}/.config/glade.conf
+blacklist ${HOME}/.config/globaltime
+blacklist ${HOME}/.config/gmpc
+blacklist ${HOME}/.config/gnome-builder
+blacklist ${HOME}/.config/gnome-chess
+blacklist ${HOME}/.config/gnome-control-center
+blacklist ${HOME}/.config/gnome-initial-setup-done
+blacklist ${HOME}/.config/gnome-latex
+blacklist ${HOME}/.config/gnome-mplayer
+blacklist ${HOME}/.config/gnome-mpv
+blacklist ${HOME}/.config/gnome-pie
+blacklist ${HOME}/.config/gnome-session
+blacklist ${HOME}/.config/gnote
+blacklist ${HOME}/.config/godot
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/gpicview
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/gummi
+blacklist ${HOME}/.config/guvcview2
+blacklist ${HOME}/.config/gwenviewrc
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/homebank
+blacklist ${HOME}/.config/i2p
+blacklist ${HOME}/.config/inkscape
+blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.config/iridium
+blacklist ${HOME}/.config/itch
+blacklist ${HOME}/.config/jami
+blacklist ${HOME}/.config/jd-gui.cfg
+blacklist ${HOME}/.config/k3brc
+blacklist ${HOME}/.config/kaffeinerc
+blacklist ${HOME}/.config/kalgebrarc
+blacklist ${HOME}/.config/katemetainfos
+blacklist ${HOME}/.config/katepartrc
+blacklist ${HOME}/.config/katerc
+blacklist ${HOME}/.config/kateschemarc
+blacklist ${HOME}/.config/katesyntaxhighlightingrc
+blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kazam
+blacklist ${HOME}/.config/kdeconnect
+blacklist ${HOME}/.config/kdenliverc
+blacklist ${HOME}/.config/kdiff3fileitemactionrc
+blacklist ${HOME}/.config/kdiff3rc
+blacklist ${HOME}/.config/keepass
+blacklist ${HOME}/.config/keepassx
+blacklist ${HOME}/.config/keepassxc
+blacklist ${HOME}/.config/kfindrc
+blacklist ${HOME}/.config/kgetrc
+blacklist ${HOME}/.config/kid3rc
+blacklist ${HOME}/.config/klavaro
+blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
+blacklist ${HOME}/.config/kmailsearchindexingrc
+blacklist ${HOME}/.config/kmplayerrc
+blacklist ${HOME}/.config/knotesrc
+blacklist ${HOME}/.config/konversation.notifyrc
+blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/kritarc
+blacklist ${HOME}/.config/ktorrentrc
+blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kube
+blacklist ${HOME}/.config/kwriterc
+blacklist ${HOME}/.config/leafpad
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/liferea
+blacklist ${HOME}/.config/linphone
+blacklist ${HOME}/.config/lugaru
+blacklist ${HOME}/.config/lutris
+blacklist ${HOME}/.config/lximage-qt
+blacklist ${HOME}/.config/mailtransports
+blacklist ${HOME}/.config/mana
+blacklist ${HOME}/.config/mate-calc
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/matrix-mirage
+blacklist ${HOME}/.config/mcomix
+blacklist ${HOME}/.config/meld
+blacklist ${HOME}/.config/menulibre.cfg
+blacklist ${HOME}/.config/meteo-qt
+blacklist ${HOME}/.config/mfusion
+blacklist ${HOME}/.config/microsoft-edge-beta
+blacklist ${HOME}/.config/microsoft-edge-dev
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.config/mirage
+blacklist ${HOME}/.config/mono
+blacklist ${HOME}/.config/mpDris2
+blacklist ${HOME}/.config/mpd
+blacklist ${HOME}/.config/mps-youtube
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mutt
+blacklist ${HOME}/.config/mutter
+blacklist ${HOME}/.config/mypaint
+blacklist ${HOME}/.config/nano
+blacklist ${HOME}/.config/nautilus
+blacklist ${HOME}/.config/nemo
+blacklist ${HOME}/.config/neochat.notifyrc
+blacklist ${HOME}/.config/neochatrc
+blacklist ${HOME}/.config/neomutt
+blacklist ${HOME}/.config/netsurf
+blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsboat
+blacklist ${HOME}/.config/newsflash
+blacklist ${HOME}/.config/nheko
+blacklist ${HOME}/.config/nomacs
+blacklist ${HOME}/.config/nuclear
+blacklist ${HOME}/.config/obs-studio
+blacklist ${HOME}/.config/okularpartrc
+blacklist ${HOME}/.config/okularrc
+blacklist ${HOME}/.config/onboard
+blacklist ${HOME}/.config/onionshare
+blacklist ${HOME}/.config/onlyoffice
+blacklist ${HOME}/.config/openmw
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.config/orage
+blacklist ${HOME}/.config/org.gabmus.gfeeds.json
+blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+blacklist ${HOME}/.config/org.kde.gwenviewrc
+blacklist ${HOME}/.config/otter
+blacklist ${HOME}/.config/pavucontrol-qt
+blacklist ${HOME}/.config/pavucontrol.ini
+blacklist ${HOME}/.config/pcmanfm
+blacklist ${HOME}/.config/pdfmod
+blacklist ${HOME}/.config/pipe-viewer
+blacklist ${HOME}/.config/pitivi
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/pluma
+blacklist ${HOME}/.config/ppsspp
+blacklist ${HOME}/.config/pragha
+blacklist ${HOME}/.config/profanity
+blacklist ${HOME}/.config/psi
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.config/qBittorrent
+blacklist ${HOME}/.config/qBittorrentrc
+blacklist ${HOME}/.config/qnapi.ini
+blacklist ${HOME}/.config/qpdfview
+blacklist ${HOME}/.config/quodlibet
+blacklist ${HOME}/.config/qupzilla
+blacklist ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.config/ranger
+blacklist ${HOME}/.config/redshift
+blacklist ${HOME}/.config/redshift.conf
+blacklist ${HOME}/.config/remmina
+blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rtv
+blacklist ${HOME}/.config/scribus
+blacklist ${HOME}/.config/scribusrc
+blacklist ${HOME}/.config/sinew.in
+blacklist ${HOME}/.config/sink
+blacklist ${HOME}/.config/skypeforlinux
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/smplayer
+blacklist ${HOME}/.config/smtube
+blacklist ${HOME}/.config/smuxi
+blacklist ${HOME}/.config/snox
+blacklist ${HOME}/.config/sound-juicer
+blacklist ${HOME}/.config/specialmailcollectionsrc
+blacklist ${HOME}/.config/spectaclerc
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/sqlitebrowser
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/straw-viewer
+blacklist ${HOME}/.config/strawberry
+blacklist ${HOME}/.config/supertuxkart
+blacklist ${HOME}/.config/synfig
+blacklist ${HOME}/.config/teams
+blacklist ${HOME}/.config/teams-for-linux
+blacklist ${HOME}/.config/telepathy-account-widgets
+blacklist ${HOME}/.config/torbrowser
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.config/transgui
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tuta_integration
+blacklist ${HOME}/.config/tutanota-desktop
+blacklist ${HOME}/.config/tvbrowser
+blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/ungoogled-chromium
+blacklist ${HOME}/.config/uzbl
+blacklist ${HOME}/.config/viewnior
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.config/vivaldi-snapshot
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/wireshark
+blacklist ${HOME}/.config/wormux
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.config/xed
+blacklist ${HOME}/.config/xfburn
+blacklist ${HOME}/.config/xfce4-dict
+blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
+blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+blacklist ${HOME}/.config/xiaoyong
+blacklist ${HOME}/.config/xmms2
+blacklist ${HOME}/.config/xournalpp
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/yandex-browser
+blacklist ${HOME}/.config/yandex-browser-beta
+blacklist ${HOME}/.config/yelp
+blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-dlg
+blacklist ${HOME}/.config/youtube-music-desktop-app
+blacklist ${HOME}/.config/youtube-viewer
+blacklist ${HOME}/.config/youtubemusic-nativefier-040164
+blacklist ${HOME}/.config/yt-dlp
+blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/zim
+blacklist ${HOME}/.config/zoomus.conf
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.crawl
+blacklist ${HOME}/.cups
+blacklist ${HOME}/.curl-hsts
+blacklist ${HOME}/.curlrc
+blacklist ${HOME}/.dashcore
+blacklist ${HOME}/.devilspie
+blacklist ${HOME}/.dia
+blacklist ${HOME}/.digrc
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.dooble
+blacklist ${HOME}/.dosbox
+blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.easystroke
+blacklist ${HOME}/.electron-cache
+blacklist ${HOME}/.electrum*
+blacklist ${HOME}/.elinks
+blacklist ${HOME}/.emacs
+blacklist ${HOME}/.emacs.d
+blacklist ${HOME}/.equalx
+blacklist ${HOME}/.ethereum
+blacklist ${HOME}/.etr
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.firedragon
+blacklist ${HOME}/.flowblade
+blacklist ${HOME}/.fltk
+blacklist ${HOME}/.fossamail
+blacklist ${HOME}/.fpm
+blacklist ${HOME}/.freeciv
+blacklist ${HOME}/.freecol
+blacklist ${HOME}/.freemind
+blacklist ${HOME}/.frogatto
+blacklist ${HOME}/.frozen-bubble
+blacklist ${HOME}/.funnyboat
+blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.gimp*
+blacklist ${HOME}/.gist
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.gl-117
+blacklist ${HOME}/.glaxiumrc
+blacklist ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.googleearth
+blacklist ${HOME}/.gradle
+blacklist ${HOME}/.gramps
+blacklist ${HOME}/.guayadeque
+blacklist ${HOME}/.hashcat
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.hex-a-hop
+blacklist ${HOME}/.hugin
+blacklist ${HOME}/.i2p
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.imagej
+blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.itch
+blacklist ${HOME}/.jack-server
+blacklist ${HOME}/.jack-settings
+blacklist ${HOME}/.jak
+blacklist ${HOME}/.java
+blacklist ${HOME}/.jd
+blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.jumpnbump
+blacklist ${HOME}/.kde/share/apps/digikam
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/apps/kaffeine
+blacklist ${HOME}/.kde/share/apps/kcookiejar
+blacklist ${HOME}/.kde/share/apps/kget
+blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/klatexformula
+blacklist ${HOME}/.kde/share/apps/konqsidebartng
+blacklist ${HOME}/.kde/share/apps/konqueror
+blacklist ${HOME}/.kde/share/apps/kopete
+blacklist ${HOME}/.kde/share/apps/ktorrent
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/baloofilerc
+blacklist ${HOME}/.kde/share/config/baloorc
+blacklist ${HOME}/.kde/share/config/digikam
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.kde/share/config/k3brc
+blacklist ${HOME}/.kde/share/config/kaffeinerc
+blacklist ${HOME}/.kde/share/config/kcookiejarrc
+blacklist ${HOME}/.kde/share/config/kfindrc
+blacklist ${HOME}/.kde/share/config/kgetrc
+blacklist ${HOME}/.kde/share/config/khtmlrc
+blacklist ${HOME}/.kde/share/config/klipperrc
+blacklist ${HOME}/.kde/share/config/kmplayerrc
+blacklist ${HOME}/.kde/share/config/konq_history
+blacklist ${HOME}/.kde/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde/share/config/konquerorrc
+blacklist ${HOME}/.kde/share/config/konversationrc
+blacklist ${HOME}/.kde/share/config/kopeterc
+blacklist ${HOME}/.kde/share/config/ktorrentrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde4/share/apps/digikam
+blacklist ${HOME}/.kde4/share/apps/gwenview
+blacklist ${HOME}/.kde4/share/apps/kaffeine
+blacklist ${HOME}/.kde4/share/apps/kcookiejar
+blacklist ${HOME}/.kde4/share/apps/kget
+blacklist ${HOME}/.kde4/share/apps/khtml
+blacklist ${HOME}/.kde4/share/apps/konqsidebartng
+blacklist ${HOME}/.kde4/share/apps/konqueror
+blacklist ${HOME}/.kde4/share/apps/kopete
+blacklist ${HOME}/.kde4/share/apps/ktorrent
+blacklist ${HOME}/.kde4/share/apps/okular
+blacklist ${HOME}/.kde4/share/config/baloofilerc
+blacklist ${HOME}/.kde4/share/config/baloorc
+blacklist ${HOME}/.kde4/share/config/digikam
+blacklist ${HOME}/.kde4/share/config/gwenviewrc
+blacklist ${HOME}/.kde4/share/config/k3brc
+blacklist ${HOME}/.kde4/share/config/kaffeinerc
+blacklist ${HOME}/.kde4/share/config/kcookiejarrc
+blacklist ${HOME}/.kde4/share/config/kfindrc
+blacklist ${HOME}/.kde4/share/config/kgetrc
+blacklist ${HOME}/.kde4/share/config/khtmlrc
+blacklist ${HOME}/.kde4/share/config/klipperrc
+blacklist ${HOME}/.kde4/share/config/konq_history
+blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde4/share/config/konquerorrc
+blacklist ${HOME}/.kde4/share/config/konversationrc
+blacklist ${HOME}/.kde4/share/config/kopeterc
+blacklist ${HOME}/.kde4/share/config/ktorrentrc
+blacklist ${HOME}/.kde4/share/config/okularpartrc
+blacklist ${HOME}/.kde4/share/config/okularrc
+blacklist ${HOME}/.keepass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.keepassxc
+blacklist ${HOME}/.killingfloor
+blacklist ${HOME}/.kingsoft
+blacklist ${HOME}/.kino-history
+blacklist ${HOME}/.kinorc
+blacklist ${HOME}/.klatexformula
+blacklist ${HOME}/.klei
+blacklist ${HOME}/.kodi
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.librewolf
+blacklist ${HOME}/.lincity-ng
+blacklist ${HOME}/.links
+blacklist ${HOME}/.links2
+blacklist ${HOME}/.linphone-history.db
+blacklist ${HOME}/.linphonerc
+blacklist ${HOME}/.lmmsrc.xml
+blacklist ${HOME}/.local/lib/vivaldi
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/3909/PapersPlease
+blacklist ${HOME}/.local/share/Anki2
+blacklist ${HOME}/.local/share/Dredmor
+blacklist ${HOME}/.local/share/Empathy
+blacklist ${HOME}/.local/share/Enpass
+blacklist ${HOME}/.local/share/FasterThanLight
+blacklist ${HOME}/.local/share/Flavio Tordini
+blacklist ${HOME}/.local/share/IntoTheBreach
+blacklist ${HOME}/.local/share/JetBrains
+blacklist ${HOME}/.local/share/KDE/neochat
+blacklist ${HOME}/.local/share/KeePass
+blacklist ${HOME}/.local/share/Kingsoft
+blacklist ${HOME}/.local/share/LibreCAD
+blacklist ${HOME}/.local/share/Mendeley Ltd.
+blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/Nextcloud
+blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Paradox Interactive
+blacklist ${HOME}/.local/share/PawelStolowski
+blacklist ${HOME}/.local/share/PillarsOfEternity
+blacklist ${HOME}/.local/share/Psi
+blacklist ${HOME}/.local/share/QGIS
+blacklist ${HOME}/.local/share/QMediathekView
+blacklist ${HOME}/.local/share/QuiteRss
+blacklist ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/RogueLegacy
+blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
+blacklist ${HOME}/.local/share/Shortwave
+blacklist ${HOME}/.local/share/Steam
+blacklist ${HOME}/.local/share/SteamWorld Dig 2
+blacklist ${HOME}/.local/share/SteamWorldDig
+blacklist ${HOME}/.local/share/SuperHexagon
+blacklist ${HOME}/.local/share/TelegramDesktop
+blacklist ${HOME}/.local/share/Terraria
+blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/Zeal
+blacklist ${HOME}/.local/share/agenda
+blacklist ${HOME}/.local/share/akonadi*
+blacklist ${HOME}/.local/share/akregator
+blacklist ${HOME}/.local/share/apps/korganizer
+blacklist ${HOME}/.local/share/aspyr-media
+blacklist ${HOME}/.local/share/authenticator-rs
+blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/backintime
+blacklist ${HOME}/.local/share/baloo
+blacklist ${HOME}/.local/share/barrier
+blacklist ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.local/share/bijiben
+blacklist ${HOME}/.local/share/bohemiainteractive
+blacklist ${HOME}/.local/share/caja-python
+blacklist ${HOME}/.local/share/calligragemini
+blacklist ${HOME}/.local/share/cantata
+blacklist ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/contacts
+blacklist ${HOME}/.local/share/cor-games
+blacklist ${HOME}/.local/share/data/Mendeley Ltd.
+blacklist ${HOME}/.local/share/data/Mumble
+blacklist ${HOME}/.local/share/data/MusE
+blacklist ${HOME}/.local/share/data/MuseScore
+blacklist ${HOME}/.local/share/data/nomacs
+blacklist ${HOME}/.local/share/data/qBittorrent
+blacklist ${HOME}/.local/share/dino
+blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/dolphin-emu
+blacklist ${HOME}/.local/share/emailidentities
+blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.local/share/feedreader
+blacklist ${HOME}/.local/share/feral-interactive
+blacklist ${HOME}/.local/share/five-or-more
+blacklist ${HOME}/.local/share/freecol
+blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.local/share/geary
+blacklist ${HOME}/.local/share/geeqie
+blacklist ${HOME}/.local/share/ghostwriter
+blacklist ${HOME}/.local/share/gitg
+blacklist ${HOME}/.local/share/gnome-2048
+blacklist ${HOME}/.local/share/gnome-boxes
+blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-klotski
+blacklist ${HOME}/.local/share/gnome-latex
+blacklist ${HOME}/.local/share/gnome-mines
+blacklist ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-nibbles
+blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-pomodoro
+blacklist ${HOME}/.local/share/gnome-recipes
+blacklist ${HOME}/.local/share/gnome-ring
+blacklist ${HOME}/.local/share/gnome-sudoku
+blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gnote
+blacklist ${HOME}/.local/share/godot
+blacklist ${HOME}/.local/share/gradio
+blacklist ${HOME}/.local/share/gwenview
+blacklist ${HOME}/.local/share/i2p
+blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
+blacklist ${HOME}/.local/share/jami
+blacklist ${HOME}/.local/share/kaffeine
+blacklist ${HOME}/.local/share/kalgebra
+blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/kdenlive
+blacklist ${HOME}/.local/share/keepass
+blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kiwix
+blacklist ${HOME}/.local/share/kiwix-desktop
+blacklist ${HOME}/.local/share/klavaro
+blacklist ${HOME}/.local/share/kmail2
+blacklist ${HOME}/.local/share/kmplayer
+blacklist ${HOME}/.local/share/knotes
+blacklist ${HOME}/.local/share/krita
+blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktorrentrc
+blacklist ${HOME}/.local/share/ktouch
+blacklist ${HOME}/.local/share/kube
+blacklist ${HOME}/.local/share/kwrite
+blacklist ${HOME}/.local/share/kxmlgui5/*
+blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/linphone
+blacklist ${HOME}/.local/share/local-mail
+blacklist ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/love
+blacklist ${HOME}/.local/share/lugaru
+blacklist ${HOME}/.local/share/lutris
+blacklist ${HOME}/.local/share/man
+blacklist ${HOME}/.local/share/mana
+blacklist ${HOME}/.local/share/maps-places.json
+blacklist ${HOME}/.local/share/matrix-mirage
+blacklist ${HOME}/.local/share/mcomix
+blacklist ${HOME}/.local/share/meld
+blacklist ${HOME}/.local/share/midori
+blacklist ${HOME}/.local/share/minder
+blacklist ${HOME}/.local/share/mirage
+blacklist ${HOME}/.local/share/multimc
+blacklist ${HOME}/.local/share/multimc5
+blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/mypaint
+blacklist ${HOME}/.local/share/nautilus
+blacklist ${HOME}/.local/share/nautilus-python
+blacklist ${HOME}/.local/share/nemo
+blacklist ${HOME}/.local/share/nemo-python
+blacklist ${HOME}/.local/share/news-flash
+blacklist ${HOME}/.local/share/newsbeuter
+blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.local/share/nheko
+blacklist ${HOME}/.local/share/nomacs
+blacklist ${HOME}/.local/share/notes
+blacklist ${HOME}/.local/share/ocenaudio
+blacklist ${HOME}/.local/share/okular
+blacklist ${HOME}/.local/share/onlyoffice
+blacklist ${HOME}/.local/share/openmw
+blacklist ${HOME}/.local/share/orage
+blacklist ${HOME}/.local/share/org.kde.gwenview
+blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
+blacklist ${HOME}/.local/share/profanity
+blacklist ${HOME}/.local/share/psi
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/qpdfview
+blacklist ${HOME}/.local/share/quadrapassel
+blacklist ${HOME}/.local/share/qutebrowser
+blacklist ${HOME}/.local/share/remmina
+blacklist ${HOME}/.local/share/rhythmbox
+blacklist ${HOME}/.local/share/rtv
+blacklist ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/shotwell
+blacklist ${HOME}/.local/share/signal-cli
+blacklist ${HOME}/.local/share/sink
+blacklist ${HOME}/.local/share/smuxi
+blacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/strawberry
+blacklist ${HOME}/.local/share/supertux2
+blacklist ${HOME}/.local/share/supertuxkart
+blacklist ${HOME}/.local/share/swell-foop
+blacklist ${HOME}/.local/share/telepathy
+blacklist ${HOME}/.local/share/terasology
+blacklist ${HOME}/.local/share/torbrowser
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
+blacklist ${HOME}/.local/share/vlc
+blacklist ${HOME}/.local/share/vpltd
+blacklist ${HOME}/.local/share/vulkan
+blacklist ${HOME}/.local/share/warsow-2.1
+blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/wormux
+blacklist ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/xreader
+blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/pipewire
+blacklist ${HOME}/.lv2
+blacklist ${HOME}/.lyx
+blacklist ${HOME}/.magicor
+blacklist ${HOME}/.masterpdfeditor
+blacklist ${HOME}/.mbwarband
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.mediathek3
+blacklist ${HOME}/.megaglest
+blacklist ${HOME}/.minecraft
+blacklist ${HOME}/.minetest
+blacklist ${HOME}/.mirrormagic
+blacklist ${HOME}/.moc
+blacklist ${HOME}/.moonchild productions/basilisk
+blacklist ${HOME}/.moonchild productions/pale moon
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.mp3splt-gtk
+blacklist ${HOME}/.mpd
+blacklist ${HOME}/.mpdconf
+blacklist ${HOME}/.mplayer
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.multimc5
+blacklist ${HOME}/.nanorc
+blacklist ${HOME}/.netactview
+blacklist ${HOME}/.neverball
+blacklist ${HOME}/.newsbeuter
+blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
+blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.node-gyp
+blacklist ${HOME}/.npm
+blacklist ${HOME}/.npmrc
+blacklist ${HOME}/.nv
+blacklist ${HOME}/.nvm
+blacklist ${HOME}/.nylas-mail
+blacklist ${HOME}/.openarena
+blacklist ${HOME}/.opencity
+blacklist ${HOME}/.openinvaders
+blacklist ${HOME}/.openshot
+blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.openttd
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.opera-beta
+blacklist ${HOME}/.ostrichriders
+blacklist ${HOME}/.paradoxinteractive
+blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/.pcsxr
+blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
+blacklist ${HOME}/.pingus
+blacklist ${HOME}/.pioneer
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.pylint.d
+blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qgis2
+blacklist ${HOME}/.qmmp
+blacklist ${HOME}/.quodlibet
+blacklist ${HOME}/.redeclipse
+blacklist ${HOME}/.rednotebook
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.repo_.gitconfig.json
+blacklist ${HOME}/.repoconfig
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.ripperXrc
+blacklist ${HOME}/.scorched3d
+blacklist ${HOME}/.scribus
+blacklist ${HOME}/.scribusrc
+blacklist ${HOME}/.simutrans
+blacklist ${HOME}/.smartgit/*/passwords
+blacklist ${HOME}/.ssr
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.steampath
+blacklist ${HOME}/.steampid
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.surf
+blacklist ${HOME}/.suve/colorful
+blacklist ${HOME}/.swb.ini
+blacklist ${HOME}/.sword
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.synfig
+blacklist ${HOME}/.tb
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.teeworlds
+blacklist ${HOME}/.texlive20*
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
+blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser*
+blacklist ${HOME}/.torcs
+blacklist ${HOME}/.tremulous
+blacklist ${HOME}/.ts3client
+blacklist ${HOME}/.tuxguitar*
+blacklist ${HOME}/.tvbrowser
+blacklist ${HOME}/.unknown-horizons
+blacklist ${HOME}/.viking
+blacklist ${HOME}/.viking-maps
+blacklist ${HOME}/.vim
+blacklist ${HOME}/.vimrc
+blacklist ${HOME}/.vmware
+blacklist ${HOME}/.vscode
+blacklist ${HOME}/.vscode-oss
+blacklist ${HOME}/.vst
+blacklist ${HOME}/.vultures
+blacklist ${HOME}/.w3m
+blacklist ${HOME}/.warzone2100-3.*
+blacklist ${HOME}/.waterfox
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.wget-hsts
+blacklist ${HOME}/.wgetrc
+blacklist ${HOME}/.widelands
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.wine64
+blacklist ${HOME}/.wireshark
+blacklist ${HOME}/.wordwarvi
+blacklist ${HOME}/.wormux
+blacklist ${HOME}/.xiphos
+blacklist ${HOME}/.xmind
+blacklist ${HOME}/.xmms
+blacklist ${HOME}/.xmr-stak
+blacklist ${HOME}/.xonotic
+blacklist ${HOME}/.xournalpp
+blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.yarn
+blacklist ${HOME}/.yarn-config
+blacklist ${HOME}/.yarncache
+blacklist ${HOME}/.yarnrc
+blacklist ${HOME}/.zoom
+blacklist ${HOME}/Arduino
+blacklist ${HOME}/Monero/wallets
+blacklist ${HOME}/Nextcloud
+blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/SoftMaker
+blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/hyperrogue.ini
+blacklist ${HOME}/i2p
+blacklist ${HOME}/mps
+blacklist ${HOME}/wallet.dat
+blacklist ${HOME}/yt-dlp.conf
+blacklist ${RUNUSER}/*firefox*
+blacklist /tmp/.wine-*
+blacklist /tmp/akonadi-*
+blacklist /var/games/nethack
+blacklist /var/games/slashem
+blacklist /var/games/vulturesclaw
+blacklist /var/games/vultureseye
+blacklist /var/lib/games/Maelstrom-Scores
+
+# ${HOME}/.cache directory
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
+blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
+blacklist ${HOME}/.cache/Enox
+blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
+blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/KDE/neochat
+blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
+blacklist ${HOME}/.cache/Psi
+blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
+blacklist ${HOME}/.cache/Shortwave
+blacklist ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
+blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
+blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
+blacklist ${HOME}/.cache/bnox
+blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
+blacklist ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
+blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dnox
+blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
+blacklist ${HOME}/.cache/ephemeral
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/falkon
+blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/firedragon
+blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/folks
+blacklist ${HOME}/.cache/font-manager
+blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
+blacklist ${HOME}/.cache/freecol
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/geary
+blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gegl-0.4
+blacklist ${HOME}/.cache/gfeeds
+blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
+blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/godot
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/inkscape
+blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
+blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/JetBrains/CLion*
+blacklist ${HOME}/.cache/kcmshell5
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
+blacklist ${HOME}/.cache/kfind
+blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
+blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
+blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
+blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
+blacklist ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-beta
+blacklist ${HOME}/.cache/microsoft-edge-dev
+blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
+blacklist ${HOME}/.cache/moonchild productions/basilisk
+blacklist ${HOME}/.cache/moonchild productions/pale moon
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/ms-excel-online
+blacklist ${HOME}/.cache/ms-office-online
+blacklist ${HOME}/.cache/ms-onenote-online
+blacklist ${HOME}/.cache/ms-outlook-online
+blacklist ${HOME}/.cache/ms-powerpoint-online
+blacklist ${HOME}/.cache/ms-skype-online
+blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/mypaint
+blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/okular
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
+blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/org.gnome.Maps
+blacklist ${HOME}/.cache/pdfmod
+blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
+blacklist ${HOME}/.cache/plasmashell
+blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
+blacklist ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/quodlibet
+blacklist ${HOME}/.cache/qupzilla
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rednotebook
+blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
+blacklist ${HOME}/.cache/snox
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/straw-viewer
+blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/supertuxkart
+blacklist ${HOME}/.cache/systemsettings
+blacklist ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
+blacklist ${HOME}/.cache/warsow-2.1
+blacklist ${HOME}/.cache/waterfox
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/winetricks
+blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/yt-dlp
+blacklist ${HOME}/.cache/zim
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
new file mode 100644
index 000000000..8274b0215
--- /dev/null
+++ b/etc/inc/disable-shell.inc
@@ -0,0 +1,15 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-shell.local
+
+blacklist ${PATH}/bash
+blacklist ${PATH}/csh
+blacklist ${PATH}/dash
+blacklist ${PATH}/fish
+blacklist ${PATH}/ksh
+blacklist ${PATH}/mksh
+blacklist ${PATH}/oksh
+blacklist ${PATH}/sh
+blacklist ${PATH}/tclsh
+blacklist ${PATH}/tcsh
+blacklist ${PATH}/zsh
diff --git a/etc/inc/disable-write-mnt.inc b/etc/inc/disable-write-mnt.inc
new file mode 100644
index 000000000..01f57cb0f
--- /dev/null
+++ b/etc/inc/disable-write-mnt.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-write-mnt.local
+
+read-only /media
+read-only /mnt
+read-only /run/media
+read-only /run/mount
diff --git a/etc/inc/disable-xdg.inc b/etc/inc/disable-xdg.inc
new file mode 100644
index 000000000..22acf272d
--- /dev/null
+++ b/etc/inc/disable-xdg.inc
@@ -0,0 +1,12 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-xdg.local
+
+blacklist ${DOCUMENTS}
+blacklist ${MUSIC}
+blacklist ${PICTURES}
+blacklist ${VIDEOS}
+
+# The following should be considered catch-all directories
+#blacklist ${DESKTOP}
+#blacklist ${DOWNLOADS}
diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc
new file mode 100644
index 000000000..862837f12
--- /dev/null
+++ b/etc/inc/whitelist-1793-workaround.inc
@@ -0,0 +1,29 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-1793-workaround.local
+# This works around bug 1793, and allows whitelisting to be used for some KDE applications.
+
+noblacklist ${HOME}/.config/ibus
+noblacklist ${HOME}/.config/mimeapps.list
+noblacklist ${HOME}/.config/pkcs11
+noblacklist ${HOME}/.config/user-dirs.dirs
+noblacklist ${HOME}/.config/user-dirs.locale
+noblacklist ${HOME}/.config/dconf
+noblacklist ${HOME}/.config/fontconfig
+noblacklist ${HOME}/.config/gtk-2.0
+noblacklist ${HOME}/.config/gtk-3.0
+noblacklist ${HOME}/.config/gtk-4.0
+noblacklist ${HOME}/.config/gtkrc
+noblacklist ${HOME}/.config/gtkrc-2.0
+noblacklist ${HOME}/.config/Kvantum
+noblacklist ${HOME}/.config/Trolltech.conf
+noblacklist ${HOME}/.config/QtProject.conf
+noblacklist ${HOME}/.config/kdeglobals
+noblacklist ${HOME}/.config/kio_httprc
+noblacklist ${HOME}/.config/kioslaverc
+noblacklist ${HOME}/.config/ksslcablacklist
+noblacklist ${HOME}/.config/qt5ct
+noblacklist ${HOME}/.config/qtcurve
+
+blacklist ${HOME}/.config/*
+whitelist ${HOME}/.config
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
new file mode 100644
index 000000000..fedfb2bc2
--- /dev/null
+++ b/etc/inc/whitelist-common.inc
@@ -0,0 +1,85 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-common.local
+
+# common whitelist for all profiles
+
+whitelist ${HOME}/.XCompose
+whitelist ${HOME}/.alsaequal.bin
+whitelist ${HOME}/.asoundrc
+whitelist ${HOME}/.config/ibus
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.config/pkcs11
+read-only ${HOME}/.config/pkcs11
+whitelist ${HOME}/.config/user-dirs.dirs
+read-only ${HOME}/.config/user-dirs.dirs
+whitelist ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.config/user-dirs.locale
+whitelist ${HOME}/.drirc
+whitelist ${HOME}/.icons
+?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
+whitelist ${HOME}/.local/share/applications
+read-only ${HOME}/.local/share/applications
+whitelist ${HOME}/.local/share/icons
+whitelist ${HOME}/.local/share/mime
+whitelist ${HOME}/.mime.types
+whitelist ${HOME}/.sndio/cookie
+whitelist ${HOME}/.uim.d
+
+# dconf
+mkdir ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
+# fonts
+whitelist ${HOME}/.cache/fontconfig
+whitelist ${HOME}/.config/fontconfig
+whitelist ${HOME}/.fontconfig
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.fonts.conf
+whitelist ${HOME}/.fonts.conf.d
+whitelist ${HOME}/.fonts.d
+whitelist ${HOME}/.local/share/fonts
+whitelist ${HOME}/.pangorc
+
+# gtk
+whitelist ${HOME}/.config/gtk-2.0
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/gtk-4.0
+whitelist ${HOME}/.config/gtkrc
+whitelist ${HOME}/.config/gtkrc-2.0
+whitelist ${HOME}/.gnome2
+whitelist ${HOME}/.gnome2-private
+whitelist ${HOME}/.gtk-2.0
+whitelist ${HOME}/.gtkrc
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.kde/share/config/gtkrc
+whitelist ${HOME}/.kde/share/config/gtkrc-2.0
+whitelist ${HOME}/.kde4/share/config/gtkrc
+whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
+whitelist ${HOME}/.local/share/themes
+whitelist ${HOME}/.themes
+
+# qt/kde
+whitelist ${HOME}/.cache/kioexec/krun
+whitelist ${HOME}/.config/Kvantum
+whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.config/QtProject.conf
+whitelist ${HOME}/.config/kdeglobals
+whitelist ${HOME}/.config/kio_httprc
+whitelist ${HOME}/.config/kioslaverc
+whitelist ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qtcurve
+whitelist ${HOME}/.kde/share/config/kdeglobals
+whitelist ${HOME}/.kde/share/config/kio_httprc
+whitelist ${HOME}/.kde/share/config/kioslaverc
+whitelist ${HOME}/.kde/share/config/ksslcablacklist
+whitelist ${HOME}/.kde/share/config/oxygenrc
+whitelist ${HOME}/.kde/share/icons
+whitelist ${HOME}/.kde4/share/config/kdeglobals
+whitelist ${HOME}/.kde4/share/config/kio_httprc
+whitelist ${HOME}/.kde4/share/config/kioslaverc
+whitelist ${HOME}/.kde4/share/config/ksslcablacklist
+whitelist ${HOME}/.kde4/share/config/oxygenrc
+whitelist ${HOME}/.kde4/share/icons
+whitelist ${HOME}/.local/share/qt5ct
diff --git a/etc/inc/whitelist-player-common.inc b/etc/inc/whitelist-player-common.inc
new file mode 100644
index 000000000..e5bf36804
--- /dev/null
+++ b/etc/inc/whitelist-player-common.inc
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-player-common.local
+
+# common whitelist for all media players
+
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
new file mode 100644
index 000000000..224d21064
--- /dev/null
+++ b/etc/inc/whitelist-run-common.inc
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-run-common.local
+
+whitelist /run/NetworkManager/resolv.conf
+whitelist /run/cups/cups.sock
+whitelist /run/dbus/system_bus_socket
+whitelist /run/media
+whitelist /run/resolvconf/resolv.conf
+whitelist /run/systemd/resolve/resolv.conf
+whitelist /run/systemd/resolve/stub-resolv.conf
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
new file mode 100644
index 000000000..a8cab8d07
--- /dev/null
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -0,0 +1,16 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/ICEauthority
+whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/pipewire-?
+whitelist ${RUNUSER}/wayland-?
+whitelist ${RUNUSER}/xauth_*
+whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
new file mode 100644
index 000000000..0049ce804
--- /dev/null
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -0,0 +1,70 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-usr-share-common.local
+
+# common /usr/share whitelist for all profiles
+
+whitelist /usr/share/alsa
+whitelist /usr/share/applications
+whitelist /usr/share/ca-certificates
+whitelist /usr/share/crypto-policies
+whitelist /usr/share/cursors
+whitelist /usr/share/dconf
+whitelist /usr/share/distro-info
+whitelist /usr/share/drirc.d
+whitelist /usr/share/enchant
+whitelist /usr/share/enchant-2
+whitelist /usr/share/file
+whitelist /usr/share/fontconfig
+whitelist /usr/share/fonts
+whitelist /usr/share/fonts-config
+whitelist /usr/share/gir-1.0
+whitelist /usr/share/gjs-1.0
+whitelist /usr/share/glib-2.0
+whitelist /usr/share/glvnd
+whitelist /usr/share/gtk-2.0
+whitelist /usr/share/gtk-3.0
+whitelist /usr/share/gtk-engines
+whitelist /usr/share/gtksourceview-3.0
+whitelist /usr/share/gtksourceview-4
+whitelist /usr/share/hunspell
+whitelist /usr/share/hwdata
+whitelist /usr/share/icons
+whitelist /usr/share/icu
+whitelist /usr/share/knotifications5
+whitelist /usr/share/kservices5
+whitelist /usr/share/Kvantum
+whitelist /usr/share/kxmlgui5
+whitelist /usr/share/libdrm
+whitelist /usr/share/libthai
+whitelist /usr/share/locale
+whitelist /usr/share/mime
+whitelist /usr/share/misc
+whitelist /usr/share/Modules
+whitelist /usr/share/myspell
+whitelist /usr/share/p11-kit
+whitelist /usr/share/perl
+whitelist /usr/share/perl5
+whitelist /usr/share/pipewire
+whitelist /usr/share/pixmaps
+whitelist /usr/share/pki
+whitelist /usr/share/plasma
+whitelist /usr/share/publicsuffix
+whitelist /usr/share/qt
+whitelist /usr/share/qt4
+whitelist /usr/share/qt5
+whitelist /usr/share/qt5ct
+whitelist /usr/share/sounds
+whitelist /usr/share/tcl8.6
+whitelist /usr/share/tcltk
+whitelist /usr/share/terminfo
+whitelist /usr/share/texlive
+whitelist /usr/share/texmf
+whitelist /usr/share/themes
+whitelist /usr/share/thumbnail.so
+whitelist /usr/share/uim
+whitelist /usr/share/vulkan
+whitelist /usr/share/X11
+whitelist /usr/share/xml
+whitelist /usr/share/zenity
+whitelist /usr/share/zoneinfo
diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
new file mode 100644
index 000000000..d8ba84ad0
--- /dev/null
+++ b/etc/inc/whitelist-var-common.inc
@@ -0,0 +1,15 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include whitelist-var-common.local
+
+# common /var whitelist for all profiles
+
+whitelist /var/lib/aspell
+whitelist /var/lib/ca-certificates
+whitelist /var/lib/dbus
+whitelist /var/lib/menu-xdg
+whitelist /var/lib/uim
+whitelist /var/cache/fontconfig
+whitelist /var/tmp
+whitelist /var/run
+whitelist /var/lock
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
deleted file mode 100644
index b190e4326..000000000
--- a/etc/inkscape.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for inkscape
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/inkscape.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.inkscape
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin inkscape,potrace - problems on Debian stretch
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/inox.profile b/etc/inox.profile
deleted file mode 100644
index de4d6205b..000000000
--- a/etc/inox.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for inox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/inox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/inox
-noblacklist ~/.config/inox
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/inox
-mkdir ~/.config/inox
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/inox
-whitelist ~/.config/inox
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-noroot
-notv
-shell none
diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile
deleted file mode 100644
index 1baa07cb7..000000000
--- a/etc/iridium-browser.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for iridium
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/iridium.profile
diff --git a/etc/iridium.profile b/etc/iridium.profile
deleted file mode 100644
index db9c5c7cf..000000000
--- a/etc/iridium.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Firejail profile for iridium
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/iridium.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/iridium
-noblacklist ~/.config/iridium
-
-include /etc/firejail/disable-common.inc
-# chromium/iridium is distributed with a perl script on Arch
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/iridium
-mkdir ~/.config/iridium
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/iridium
-whitelist ~/.config/iridium
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
deleted file mode 100644
index 0f59b5721..000000000
--- a/etc/jd-gui.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for jd-gui
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/jd-gui.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/jd-gui.cfg
-noblacklist ${HOME}/.java
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin jd-gui,dash,sh,bash
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/k3b.profile b/etc/k3b.profile
deleted file mode 100644
index 58623d823..000000000
--- a/etc/k3b.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for k3b
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/k3b.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/k3brc
-noblacklist ~/.kde/share/config/k3brc
-noblacklist ~/.kde4/share/config/k3brc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-no3d
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin
-# private-etc
-# private-tmp
diff --git a/etc/karbon.profile b/etc/karbon.profile
deleted file mode 100644
index 3525a3e06..000000000
--- a/etc/karbon.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for krita
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/krita.profile
diff --git a/etc/kate.profile b/etc/kate.profile
deleted file mode 100644
index 69100d49d..000000000
--- a/etc/kate.profile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Firejail profile for kate
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kate.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/katepartrc
-noblacklist ~/.config/katerc
-noblacklist ~/.config/kateschemarc
-noblacklist ~/.config/katesyntaxhighlightingrc
-noblacklist ~/.config/katevirc
-noblacklist ~/.local/share/kate
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin kate
-private-dev
-# private-etc fonts
-private-tmp
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
deleted file mode 100644
index 0de23f106..000000000
--- a/etc/kcalc.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for kcalc
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kcalc.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-private
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
deleted file mode 100644
index 10c2909a0..000000000
--- a/etc/kdenlive.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for kdenlive
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kdenlive.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
-private-dev
-#private-etc fonts,alternatives,X11,pulse,passwd
-
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
deleted file mode 100644
index d29fc6abc..000000000
--- a/etc/keepass2.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for keepass
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/keepass.profile
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
deleted file mode 100644
index ba98df19d..000000000
--- a/etc/keepassx2.profile
+++ /dev/null
@@ -1,5 +0,0 @@
-# Firejail profile for keepassx2
-# This file is overwritten after every install/update
-
-# Redirects
-include /etc/firejail/keepassx.profile
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
deleted file mode 100644
index a8c6d65f5..000000000
--- a/etc/keepassxc.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for keepassxc
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/keepassxc.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/keepassxc
-noblacklist ${HOME}/.keepassxc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin keepassxc
-private-dev
-private-etc fonts,ld.so.cache
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kino.profile b/etc/kino.profile
deleted file mode 100644
index 240dab8ef..000000000
--- a/etc/kino.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for kino
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kino.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.kino-history
-noblacklist ~/.kinorc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kmail.profile b/etc/kmail.profile
deleted file mode 100644
index fdc96c97f..000000000
--- a/etc/kmail.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Firejail profile for kmail
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kmail.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.gnupg
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-
-private-dev
-# private-tmp
diff --git a/etc/knotes.profile b/etc/knotes.profile
deleted file mode 100644
index 039f1b057..000000000
--- a/etc/knotes.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for knotes
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/knotes.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/knotesrc
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-dev
-#private-tmp - problems on kubuntu 17.04
diff --git a/etc/kodi.profile b/etc/kodi.profile
deleted file mode 100644
index 06db44132..000000000
--- a/etc/kodi.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for kodi
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kodi.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.kodi
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/konversation.profile b/etc/konversation.profile
deleted file mode 100644
index 7d09857ba..000000000
--- a/etc/konversation.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for konversation
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/konversation.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-tracelog
-
-private-dev
-private-tmp
-
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/krita.profile b/etc/krita.profile
deleted file mode 100644
index e91f5b242..000000000
--- a/etc/krita.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for krita
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/krita.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
deleted file mode 100644
index e95bc23ca..000000000
--- a/etc/ktorrent.profile
+++ /dev/null
@@ -1,55 +0,0 @@
-# Firejail profile for ktorrent
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/ktorrent.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/ktorrentrc
-noblacklist ~/.kde/share/apps/ktorrent
-noblacklist ~/.kde/share/config/ktorrentrc
-noblacklist ~/.kde4/share/apps/ktorrent
-noblacklist ~/.kde4/share/config/ktorrentrc
-noblacklist ~/.local/share/ktorrent
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.kde/share/apps/ktorrent
-mkdir ~/.kde4/share/apps/ktorrent
-mkdir ~/.local/share/ktorrent
-mkfile ~/.config/ktorrentrc
-mkfile ~/.kde/share/config/ktorrentrc
-mkfile ~/.kde4/share/config/ktorrentrc
-whitelist  ${DOWNLOADS}
-whitelist ~/.config/ktorrentrc
-whitelist ~/.kde/share/apps/ktorrent
-whitelist ~/.kde/share/config/ktorrentrc
-whitelist ~/.kde4/share/apps/ktorrent
-whitelist ~/.kde4/share/config/ktorrentrc
-whitelist ~/.local/share/ktorrent
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
deleted file mode 100644
index 6b458ede3..000000000
--- a/etc/kwrite.profile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Firejail profile for kwrite
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kwrite.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/katepartrc
-noblacklist ~/.config/katerc
-noblacklist ~/.config/kateschemarc
-noblacklist ~/.config/katesyntaxhighlightingrc
-noblacklist ~/.config/katevirc
-noblacklist ~/.local/share/kwrite
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-# nosound - KWrite is using ALSA!
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin kwrite
-private-dev
-# private-etc fonts
-private-tmp
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
deleted file mode 100644
index c9addba21..000000000
--- a/etc/leafpad.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for leafpad
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/leafpad.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/leafpad
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/less.profile b/etc/less.profile
deleted file mode 100644
index e1c42ed76..000000000
--- a/etc/less.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for less
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/less.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-writable-var-log
-
-# The user can have a custom coloring scritps configured in ~/.lessfilter.
-# Enable private-bin if you are not using any filter.
-# private-bin less
-private-dev
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
-
-include /etc/firejail/default.profile
diff --git a/etc/liferea.profile b/etc/liferea.profile
deleted file mode 100644
index afd5fed6b..000000000
--- a/etc/liferea.profile
+++ /dev/null
@@ -1,44 +0,0 @@
-# Firejail profile for liferea
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/liferea.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/liferea
-noblacklist ~/.config/liferea
-noblacklist ~/.local/share/liferea
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/liferea
-mkdir ~/.config/liferea
-mkdir ~/.local/share/liferea
-whitelist ~/.cache/liferea
-whitelist ~/.config/liferea
-whitelist ~/.local/share/liferea
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-# no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-# nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/linphone.profile b/etc/linphone.profile
deleted file mode 100644
index 41f9245a2..000000000
--- a/etc/linphone.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for linphone
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/linphone.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.linphone-history.db
-noblacklist ${HOME}/.linphonerc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkfile ${HOME}/.linphone-history.db
-mkfile ${HOME}/.linphonerc
-whitelist ${HOME}/.linphone-history.db
-whitelist ${HOME}/.linphonerc
-whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/lmms.profile b/etc/lmms.profile
deleted file mode 100644
index 29ed235c6..000000000
--- a/etc/lmms.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for lmms
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/lmms.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.lmmsrc.xml
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/localc.profile b/etc/localc.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/localc.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/lodraw.profile b/etc/lodraw.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/lodraw.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/loffice.profile b/etc/loffice.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/loffice.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/lofromtemplate.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/loimpress.profile b/etc/loimpress.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/loimpress.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
deleted file mode 100644
index c0c762c02..000000000
--- a/etc/lollypop.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for lollypop
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/lollypop.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.local/share/lollypop
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
-private-etc asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/lomath.profile b/etc/lomath.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/lomath.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/loweb.profile b/etc/loweb.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/loweb.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/lowriter.profile b/etc/lowriter.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/lowriter.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
deleted file mode 100644
index 734f16e92..000000000
--- a/etc/lximage-qt.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for lximage-qt
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/lximage-qt.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist .config/lximage-qt
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile
deleted file mode 100644
index 901bdb408..000000000
--- a/etc/lxmusic.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for lxmusic
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/lxmusic.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/xmms2
-noblacklist ~/.config/xmms2
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/lynx.profile b/etc/lynx.profile
deleted file mode 100644
index d54bed564..000000000
--- a/etc/lynx.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for lynx
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/lynx.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin lynx
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
deleted file mode 100644
index be66cf6ee..000000000
--- a/etc/macrofusion.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for macrofusion
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/macrofusion.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.config/mfusion
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
deleted file mode 100644
index c59b2dcc7..000000000
--- a/etc/mate-calc.profile
+++ /dev/null
@@ -1,45 +0,0 @@
-# Firejail profile for mate-calc
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mate-calc.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/mate-calc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${HOME}/.cache/mate-calc
-whitelist ${HOME}/.config/caja
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/dconf
-whitelist ${HOME}./config/mate-menu
-whitelist ${HOME}/.themes
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-private-bin mate-calc,mate-calculator
-private-etc fonts
-private-dev
-private-opt none
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile
deleted file mode 100644
index 43bb3ebb4..000000000
--- a/etc/mate-calculator.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for mate-calc
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/mate-calc.profile
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
deleted file mode 100644
index 7df7d7faa..000000000
--- a/etc/mate-color-select.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for mate-color-select
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mate-color-select.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-disable-mnt
-private-bin mate-color-select
-private-etc fonts
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mathematica.profile b/etc/mathematica.profile
deleted file mode 100644
index 984ea9e97..000000000
--- a/etc/mathematica.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for Mathematica
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/Mathematica.profile
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
deleted file mode 100644
index e502269f7..000000000
--- a/etc/mediainfo.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for mediainfo
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mediainfo.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin mediainfo
-private-dev
-private-etc none
-private-tmp
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
deleted file mode 100644
index dc9946794..000000000
--- a/etc/mediathekview.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for mediathekview
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mediathekview.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/mpv
-noblacklist ~/.config/smplayer
-noblacklist ~/.config/totem
-noblacklist ~/.config/vlc
-noblacklist ~/.config/xplayer
-noblacklist ~/.java
-noblacklist ~/.local/share/totem
-noblacklist ~/.local/share/xplayer
-noblacklist ~/.mediathek3
-noblacklist ~/.mplayer
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-tracelog
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/meld.profile b/etc/meld.profile
deleted file mode 100644
index f1910d0f4..000000000
--- a/etc/meld.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for meld
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/meld.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.local/share/meld
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin meld,python2,python2.7
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/midori.profile b/etc/midori.profile
deleted file mode 100644
index 8ddb37776..000000000
--- a/etc/midori.profile
+++ /dev/null
@@ -1,44 +0,0 @@
-# Firejail profile for midori
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/midori.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/midori
-noblacklist ~/.local/share/midori
-noblacklist ~/.local/share/webkit
-noblacklist ~/.local/share/webkitgtk
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/midori
-mkdir ~/.config/midori
-mkdir ~/.local/share/midori
-mkdir ~/.local/share/webkit
-mkdir ~/.local/share/webkitgtk
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.cache/midori
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/midori
-whitelist ~/.lastpass
-whitelist ~/.local/share/midori
-whitelist ~/.local/share/webkit
-whitelist ~/.local/share/webkitgtk
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-# noroot - problems on Ubuntu 14.04
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
diff --git a/etc/minetest.profile b/etc/minetest.profile
deleted file mode 100644
index 147328616..000000000
--- a/etc/minetest.profile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Firejail profile for minetest
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/minetest.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.minetest
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.minetest
-whitelist ${HOME}/.minetest
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-bin minetest
-private-dev
-private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
deleted file mode 100644
index 60205ffda..000000000
--- a/etc/mousepad.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for mousepad
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mousepad.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/Mousepad
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin mousepad
-private-dev
-private-tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
deleted file mode 100644
index 7bfa47d77..000000000
--- a/etc/mpd.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for mpd
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mpd.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.mpdconf
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-#private-bin mpd,bash
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
deleted file mode 100644
index b431e4695..000000000
--- a/etc/mplayer.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for mplayer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mplayer.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.mplayer
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-# nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-bin mplayer
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mpv.profile b/etc/mpv.profile
deleted file mode 100644
index eb8a88a4b..000000000
--- a/etc/mpv.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for mpv
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mpv.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.netrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin mpv,youtube-dl,python,python2.7,python3,python3.5,python3.6,env
-private-dev
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
deleted file mode 100644
index 3423c2a88..000000000
--- a/etc/multimc5.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for multimc5
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/multimc5.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.java
-noblacklist ${HOME}/.local/share/multimc
-noblacklist ${HOME}/.local/share/multimc5
-noblacklist ${HOME}/.multimc5
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.local/share/multimc
-whitelist ${HOME}/.local/share/multimc
-whitelist ${HOME}/.local/share/multimc5
-whitelist ${HOME}/.multimc5
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-# seccomp
-shell none
-
-disable-mnt
-# private-bin works, but causes weirdness
-# private-bin multimc5,dash,bash,mkdir,which,zenity,kdialog,ldd,chmod,valgrind,apt-file,pkgfile,dnf,yum,zypper,pfl,java,grep,sort,awk,readlink,dirname
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mumble.profile b/etc/mumble.profile
deleted file mode 100644
index e58dc93f4..000000000
--- a/etc/mumble.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for mumble
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mumble.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/Mumble
-noblacklist ${HOME}/.local/share/data/Mumble
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.config/Mumble
-mkdir ${HOME}/.local/share/data/Mumble
-whitelist ${HOME}/.config/Mumble
-whitelist ${HOME}/.local/share/data/Mumble
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin mumble
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
deleted file mode 100644
index 62527c17d..000000000
--- a/etc/mupdf.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for mupdf
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mupdf.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-shell none
-tracelog
-
-# private-bin mupdf,sh,tempfile,rm
-private-dev
-private-etc fonts
-private-tmp
-
-# mupdf will never write anything
-read-only ${HOME}
diff --git a/etc/musescore.profile b/etc/musescore.profile
deleted file mode 100644
index b3d04c08f..000000000
--- a/etc/musescore.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for musescore
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/musescore.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/MusE
-noblacklist ~/.config/MuseScore
-noblacklist ~/.local/share/data/MusE
-noblacklist ~/.local/share/data/MuseScore
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin musescore,mscore
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/mutt.profile b/etc/mutt.profile
deleted file mode 100644
index bdd629773..000000000
--- a/etc/mutt.profile
+++ /dev/null
@@ -1,55 +0,0 @@
-# Firejail profile for mutt
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mutt.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ~/.Mail
-noblacklist ~/.bogofilter
-noblacklist ~/.cache/mutt
-noblacklist ~/.elinks
-noblacklist ~/.emacs
-noblacklist ~/.emacs.d
-noblacklist ~/.gnupg
-noblacklist ~/.mail
-noblacklist ~/.mailcap
-noblacklist ~/.msmtprc
-noblacklist ~/.mutt
-noblacklist ~/.mutt/muttrc
-noblacklist ~/.muttrc
-noblacklist ~/.signature
-noblacklist ~/.vim
-noblacklist ~/.viminfo
-noblacklist ~/.vimrc
-noblacklist ~/.w3m
-noblacklist ~/Mail
-noblacklist ~/mail
-noblacklist ~/postponed
-noblacklist ~/sent
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-writable-run-user
-
-private-dev
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
deleted file mode 100644
index 45d23cae6..000000000
--- a/etc/nautilus.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for nautilus
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/nautilus.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a nautilus process running on gnome desktops firejail will have no effect.
-
-noblacklist ~/.config/nautilus
-noblacklist ~/.local/share/Trash
-noblacklist ~/.local/share/nautilus
-noblacklist ~/.local/share/nautilus-python
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin nautilus
-# private-dev
-# private-etc fonts
-# private-tmp
diff --git a/etc/nemo.profile b/etc/nemo.profile
deleted file mode 100644
index b11ad645a..000000000
--- a/etc/nemo.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for nemo
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/nemo.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/nemo
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nemo
-noblacklist ${HOME}/.local/share/nemo-python
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/nolocal.net b/etc/net/nolocal.net
index 9fa785450..0eb9f9784 100644
--- a/etc/nolocal.net
+++ b/etc/net/nolocal.net
@@ -12,15 +12,25 @@
 #
 ###################################################################
 
-
+#allow all loopback traffic
 -A INPUT -i lo -j ACCEPT
+
+# no incoming connections
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 
+# accept dns requests going out to a server on the local network
 -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
 -A OUTPUT -d 192.168.0.0/16 -j DROP
 -A OUTPUT -d 10.0.0.0/8 -j DROP
 -A OUTPUT -d 172.16.0.0/12 -j DROP
+
+# drop multicast traffic
+-A OUTPUT -d 224.0.0.0/4 -j DROP
 COMMIT
diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net
new file mode 100644
index 000000000..5a6678d03
--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT
diff --git a/etc/net/tcpserver.net b/etc/net/tcpserver.net
new file mode 100644
index 000000000..9c39ee5fb
--- /dev/null
+++ b/etc/net/tcpserver.net
@@ -0,0 +1,27 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+###################################################################
+# Simple tcp filter template. $ARG1 is the port number.
+#
+# Usage:  $ARG1 in this template is replaced by 5001 from command line below
+#
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
+#
+###################################################################
+
+# allow server traffic
+-A INPUT -p tcp --dport $ARG1 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport $ARG1 -m state --state ESTABLISHED -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT
diff --git a/etc/webserver.net b/etc/net/webserver.net
index 83db76825..83db76825 100644
--- a/etc/webserver.net
+++ b/etc/net/webserver.net
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
deleted file mode 100644
index 64aa068b1..000000000
--- a/etc/netsurf.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for netsurf
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/netsurf.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/netsurf
-noblacklist ~/.config/netsurf
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/netsurf
-mkdir ~/.config/netsurf
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/netsurf
-whitelist ~/.config/netsurf
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
diff --git a/etc/neverball.profile b/etc/neverball.profile
deleted file mode 100644
index 6a9a3a577..000000000
--- a/etc/neverball.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for neverball
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/neverball.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.neverball
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.neverball
-whitelist ${HOME}/.neverball
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,netlink
-seccomp
-shell none
-
-disable-mnt
-private-bin neverball
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/nylas.profile b/etc/nylas.profile
deleted file mode 100644
index d96c6b0d4..000000000
--- a/etc/nylas.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for nylas
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/nylas.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/Nylas Mail
-noblacklist ~/.nylas-mail
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${DOWNLOADS}
-whitelist ~/.config/Nylas Mail
-whitelist ~/.nylas-mail
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
diff --git a/etc/obs.profile b/etc/obs.profile
deleted file mode 100644
index 187862752..000000000
--- a/etc/obs.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for obs
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/obs.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/obs-studio
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin obs
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
deleted file mode 100644
index e8c2d54c7..000000000
--- a/etc/odt2txt.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for odt2txt
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/odt2txt.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin odt2txt
-private-dev
-private-etc none
-private-tmp
-read-only ${HOME}
diff --git a/etc/okular.profile b/etc/okular.profile
deleted file mode 100644
index 60390e4d8..000000000
--- a/etc/okular.profile
+++ /dev/null
@@ -1,46 +0,0 @@
-# Firejail profile for okular
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/okular.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/okularpartrc
-noblacklist ~/.config/okularrc
-noblacklist ~/.kde/share/apps/okular
-noblacklist ~/.kde/share/config/okularpartrc
-noblacklist ~/.kde/share/config/okularrc
-noblacklist ~/.kde4/share/apps/okular
-noblacklist ~/.kde4/share/config/okularpartrc
-noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/okular
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin okular,kbuildsycoca4,kdeinit4,lpr
-private-dev
-# private-etc fonts,X11
-private-tmp
-
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
deleted file mode 100644
index 998d57f62..000000000
--- a/etc/open-invaders.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for open-invaders
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/open-invaders.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.openinvaders
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.openinvaders
-whitelist ~/.openinvaders
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,netlink
-seccomp
-shell none
-
-# private-bin open-invaders
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/openbox.profile b/etc/openbox.profile
deleted file mode 100644
index 99c579c37..000000000
--- a/etc/openbox.profile
+++ /dev/null
@@ -1,16 +0,0 @@
-# Firejail profile for openbox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/openbox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# all applications started in OpenBox will run in this profile
-
-include /etc/firejail/disable-common.inc
-
-caps.drop all
-netfilter
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/etc/openshot-qt.profile b/etc/openshot-qt.profile
deleted file mode 100644
index cbd1f8fe8..000000000
--- a/etc/openshot-qt.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for openshot
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/openshot.profile
diff --git a/etc/openshot.profile b/etc/openshot.profile
deleted file mode 100644
index 02f4665d6..000000000
--- a/etc/openshot.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for openshot
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/openshot.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.openshot
-noblacklist ${HOME}/.openshot_qt
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
deleted file mode 100644
index c295a2082..000000000
--- a/etc/opera-beta.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# Firejail profile for opera-beta
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/opera-beta.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/opera-beta
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/opera
-mkdir ~/.config/opera-beta
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/opera
-whitelist ~/.config/opera-beta
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
diff --git a/etc/opera.profile b/etc/opera.profile
deleted file mode 100644
index 553ea6790..000000000
--- a/etc/opera.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for opera
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/opera.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/opera
-noblacklist ~/.config/opera
-noblacklist ~/.opera
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/opera
-mkdir ~/.config/opera
-mkdir ~/.opera
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/opera
-whitelist ~/.config/opera
-whitelist ~/.opera
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-netfilter
-nodvd
-notv
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
deleted file mode 100644
index 054e876c5..000000000
--- a/etc/palemoon.profile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Firejail profile for palemoon
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/palemoon.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/moonchild productions/pale moon
-noblacklist ~/.moonchild productions/pale moon
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-# These are uncommented in the Firefox profile. If you run into trouble you may
-# want to uncomment (some of) them.
-#whitelist ~/dwhelper
-#whitelist ~/.zotero
-#whitelist ~/.vimperatorrc
-#whitelist ~/.vimperator
-#whitelist ~/.pentadactylrc
-#whitelist ~/.pentadactyl
-#whitelist ~/.keysnail.js
-#whitelist ~/.config/gnome-mplayer
-#whitelist ~/.cache/gnome-mplayer/plugin
-#whitelist ~/.pki
-#whitelist ~/.lastpass
-
-# For silverlight
-#whitelist ~/.wine-pipelight
-#whitelist ~/.wine-pipelight64
-#whitelist ~/.config/pipelight-widevine
-#whitelist ~/.config/pipelight-silverlight5.1
-
-mkdir ~/.cache/moonchild productions/pale moon
-mkdir ~/.moonchild productions
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/moonchild productions/pale moon
-whitelist ~/.moonchild productions
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# private-bin palemoon
-# private-dev (disabled for now as it will interfere with webcam use in palemoon)
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-# private-opt palemoon
-private-tmp
diff --git a/etc/parole.profile b/etc/parole.profile
deleted file mode 100644
index a8ce63e73..000000000
--- a/etc/parole.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Firejail profile for parole
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/parole.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin parole,dbus-launch
-private-etc passwd,group,fonts
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
deleted file mode 100644
index 6c8dd4319..000000000
--- a/etc/pcmanfm.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# Firejail profile for pcmanfm
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pcmanfm.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ~/.config/libfm
-noblacklist ~/.config/pcmanfm
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-# include /etc/firejail/disable-programs.inc
-
-caps.drop all
-# net none - see issue #1467, computer:/// location broken
-no3d
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
deleted file mode 100644
index f1c3377d9..000000000
--- a/etc/pdfsam.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for pdfsam
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pdfsam.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.java
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin pdfsam,dash,sh,bash,java,archlinux-java,grep,awk,dirname,uname,which,sort,find,readlink,expr,ls,java-config
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
deleted file mode 100644
index 0c6bf9cde..000000000
--- a/etc/pdftotext.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for pdftotext
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pdftotext.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin pdftotext
-private-dev
-private-etc none
-private-tmp
diff --git a/etc/peek.profile b/etc/peek.profile
deleted file mode 100644
index 13c0c72e0..000000000
--- a/etc/peek.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for peek
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/peek.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/peek
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin breaks gif mode, mp4 and webm mode work fine however
-# private-bin peek,convert,ffmpeg
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/picard.profile b/etc/picard.profile
deleted file mode 100644
index 8dc79b4ad..000000000
--- a/etc/picard.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for picard
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/picard.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/MusicBrainz
-noblacklist ${HOME}/.config/MusicBrainz
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
deleted file mode 100644
index d195cf586..000000000
--- a/etc/pidgin.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for pidgin
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pidgin.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.purple
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin pidgin
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pingus.profile b/etc/pingus.profile
deleted file mode 100644
index 68d5a98ad..000000000
--- a/etc/pingus.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for pingus
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pingus.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.pingus
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.pingus
-whitelist ~/.pingus
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,netlink
-seccomp
-shell none
-
-# private-bin pingus
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/pinta.profile b/etc/pinta.profile
deleted file mode 100644
index cb6e05d35..000000000
--- a/etc/pinta.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for pinta
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pinta.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.config/Pinta
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pithos.profile b/etc/pithos.profile
deleted file mode 100644
index b81e0b634..000000000
--- a/etc/pithos.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for pithos
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pithos.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-# private-bin pithos,python,python3,python3.6
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/pluma.profile b/etc/pluma.profile
deleted file mode 100644
index 56786fda7..000000000
--- a/etc/pluma.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for pluma
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pluma.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/pluma
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none - makes settings immutable
-machine-id
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin pluma
-private-dev
-# private-etc fonts
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
new file mode 100644
index 000000000..ddc7ecad5
--- /dev/null
+++ b/etc/profile-a-l/0ad.profile
@@ -0,0 +1,57 @@
+# Firejail profile for 0ad
+# Description: Real-time strategy game of ancient warfare
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 0ad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/0ad
+noblacklist ${HOME}/.config/0ad
+noblacklist ${HOME}/.local/share/0ad
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/0ad
+mkdir ${HOME}/.config/0ad
+mkdir ${HOME}/.local/share/0ad
+whitelist ${HOME}/.cache/0ad
+whitelist ${HOME}/.config/0ad
+whitelist ${HOME}/.local/share/0ad
+whitelist /usr/share/0ad
+whitelist /usr/share/games
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin 0ad,pyrogenesis,sh,which
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
new file mode 100644
index 000000000..80b032aee
--- /dev/null
+++ b/etc/profile-a-l/2048-qt.profile
@@ -0,0 +1,43 @@
+# Firejail profile for 2048-qt
+# Description: Mathematics based puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 2048-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/2048-qt
+noblacklist ${HOME}/.config/xiaoyong
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/2048-qt
+mkdir ${HOME}/.config/xiaoyong
+whitelist ${HOME}/.config/2048-qt
+whitelist ${HOME}/.config/xiaoyong
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile
new file mode 100644
index 000000000..0d31255ad
--- /dev/null
+++ b/etc/profile-a-l/7z.profile
@@ -0,0 +1,14 @@
+# Firejail profile for 7z
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7z.local
+# Persistent global definitions
+include globals.local
+
+# Included in archiver-common.profile
+ignore include disable-shell.inc
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-a-l/7za.profile b/etc/profile-a-l/7za.profile
new file mode 100644
index 000000000..9cd04cad1
--- /dev/null
+++ b/etc/profile-a-l/7za.profile
@@ -0,0 +1,12 @@
+# Firejail profile for 7za
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7za.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include 7z.profile
diff --git a/etc/profile-a-l/7zr.profile b/etc/profile-a-l/7zr.profile
new file mode 100644
index 000000000..bd3842900
--- /dev/null
+++ b/etc/profile-a-l/7zr.profile
@@ -0,0 +1,12 @@
+# Firejail profile for 7zr
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include 7zr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include 7z.profile
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
new file mode 100644
index 000000000..76fd21d32
--- /dev/null
+++ b/etc/profile-a-l/Books.profile
@@ -0,0 +1,7 @@
+# Firejail profile for gnome-books
+# This file is overwritten after every install/update
+
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-books.profile
diff --git a/etc/profile-a-l/Builder.profile b/etc/profile-a-l/Builder.profile
new file mode 100644
index 000000000..e97267bbc
--- /dev/null
+++ b/etc/profile-a-l/Builder.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-builder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Builder.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-builder.profile
diff --git a/etc/profile-a-l/Cheese.profile b/etc/profile-a-l/Cheese.profile
new file mode 100644
index 000000000..32aeb4f69
--- /dev/null
+++ b/etc/profile-a-l/Cheese.profile
@@ -0,0 +1,11 @@
+# Firejail profile for cheese
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Cheese.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include cheese.profile
diff --git a/etc/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index add122a5e..39b39667c 100644
--- a/etc/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -1,28 +1,31 @@
 # Firejail profile for Cryptocat
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Cryptocat.local
+include Cryptocat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Cryptocat
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile
new file mode 100644
index 000000000..5564207fc
--- /dev/null
+++ b/etc/profile-a-l/Cyberfox.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for cyberfox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Cyberfox.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cyberfox.profile
diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile
new file mode 100644
index 000000000..3f274b21c
--- /dev/null
+++ b/etc/profile-a-l/Discord.profile
@@ -0,0 +1,17 @@
+# Firejail profile for Discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Discord.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discord
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+
+private-bin Discord
+private-opt Discord
+
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
new file mode 100644
index 000000000..d24e73ed8
--- /dev/null
+++ b/etc/profile-a-l/DiscordCanary.profile
@@ -0,0 +1,17 @@
+# Firejail profile for DiscordCanary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordCanary.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordcanary
+
+mkdir ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
+
+private-bin DiscordCanary
+private-opt DiscordCanary
+
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/Documents.profile b/etc/profile-a-l/Documents.profile
new file mode 100644
index 000000000..780416d7f
--- /dev/null
+++ b/etc/profile-a-l/Documents.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-documents
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Documents.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-documents.profile
diff --git a/etc/profile-a-l/FossaMail.profile b/etc/profile-a-l/FossaMail.profile
new file mode 100644
index 000000000..3a584ed4e
--- /dev/null
+++ b/etc/profile-a-l/FossaMail.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for fossamail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include FossaMail.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include fossamail.profile
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
new file mode 100644
index 000000000..3fe2ddcd5
--- /dev/null
+++ b/etc/profile-a-l/Fritzing.profile
@@ -0,0 +1,39 @@
+# Firejail profile for fritzing
+# Description: Easy-to-use electronic design software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Fritzing.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Fritzing
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/Gitter.profile b/etc/profile-a-l/Gitter.profile
new file mode 100644
index 000000000..96b91430c
--- /dev/null
+++ b/etc/profile-a-l/Gitter.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Gitter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Gitter.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gitter.profile
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
new file mode 100644
index 000000000..92f8e5c85
--- /dev/null
+++ b/etc/profile-a-l/JDownloader.profile
@@ -0,0 +1,48 @@
+# Firejail profile for JDownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include JDownloader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.jd
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.jd
+whitelist ${HOME}/.jd
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/Logs.profile b/etc/profile-a-l/Logs.profile
new file mode 100644
index 000000000..1a78b86c9
--- /dev/null
+++ b/etc/profile-a-l/Logs.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Logs.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-logs.profile
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
new file mode 100644
index 000000000..005a502c4
--- /dev/null
+++ b/etc/profile-a-l/abiword.profile
@@ -0,0 +1,49 @@
+# Firejail profile for abiword
+# Description: flexible cross-platform word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abiword.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/abiword
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+whitelist /usr/share/abiword-3.0
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin abiword
+private-cache
+private-dev
+private-etc fonts,gtk-3.0,passwd
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
new file mode 100644
index 000000000..2e6e8f1af
--- /dev/null
+++ b/etc/profile-a-l/abrowser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for abrowser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+mkdir ${HOME}/.cache/mozilla/abrowser
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/abrowser
+whitelist ${HOME}/.mozilla
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc abrowser
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/acat.profile b/etc/profile-a-l/acat.profile
new file mode 100644
index 000000000..522d8db4e
--- /dev/null
+++ b/etc/profile-a-l/acat.profile
@@ -0,0 +1,11 @@
+# Firejail profile for acat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include acat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/adiff.profile b/etc/profile-a-l/adiff.profile
new file mode 100644
index 000000000..a80886d56
--- /dev/null
+++ b/etc/profile-a-l/adiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for adiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include adiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
new file mode 100644
index 000000000..fea25fd58
--- /dev/null
+++ b/etc/profile-a-l/agetpkg.profile
@@ -0,0 +1,59 @@
+# Firejail profile for agetpkg
+# Description: CLI tool to list/get/install packages from the Arch Linux Archive
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include agetpkg.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+hostname agetpkg
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin agetpkg,python3
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
new file mode 100644
index 000000000..168e81985
--- /dev/null
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -0,0 +1,55 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include akonadi_control.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
+noblacklist /tmp/akonadi-*
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
+# this affects ubuntu and debian currently
+
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+# nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix,inet,inet6,netlink
+# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
new file mode 100644
index 000000000..d1e7df37b
--- /dev/null
+++ b/etc/profile-a-l/akregator.profile
@@ -0,0 +1,50 @@
+# Firejail profile for akregator
+# Description: RSS/Atom feed aggregator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include akregator.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/akregatorrc
+noblacklist ${HOME}/.local/share/akregator
+noblacklist ${HOME}/.local/share/kxmlgui5/akregator
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkfile ${HOME}/.config/akregatorrc
+mkdir ${HOME}/.local/share/akregator
+mkdir ${HOME}/.local/share/kxmlgui5/akregator
+whitelist ${HOME}/.config/akregatorrc
+whitelist ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/kssl
+whitelist ${HOME}/.local/share/kxmlgui5/akregator
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# chroot syscalls are needed for setting up the built-in sandbox
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin akregator,akregatorstorageexporter,dbus-launch,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kshell4,kshell5
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
new file mode 100644
index 000000000..69b499c74
--- /dev/null
+++ b/etc/profile-a-l/alacarte.profile
@@ -0,0 +1,65 @@
+# Firejail profile for alacarte
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alacarte.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/alacarte
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+# private-bin alacarte,bash,python*,sh
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-a-l/alienarena-wrapper.profile b/etc/profile-a-l/alienarena-wrapper.profile
new file mode 100644
index 000000000..b31996cd2
--- /dev/null
+++ b/etc/profile-a-l/alienarena-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alienarena-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alienarena-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin alienarena-wrapper
+
+# Redirect
+include alienarena.profile
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
new file mode 100644
index 000000000..62857a3e2
--- /dev/null
+++ b/etc/profile-a-l/alienarena.profile
@@ -0,0 +1,52 @@
+# Firejail profile for alienarena
+# Description: Multiplayer retro sci-fi deathmatch game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alienarena.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/cor-games
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/cor-games
+whitelist ${HOME}/.local/share/cor-games
+whitelist /usr/share/alienarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alienarena
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
new file mode 100644
index 000000000..61c3ad21d
--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,103 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile
new file mode 100644
index 000000000..97b97fe5f
--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile
diff --git a/etc/profile-a-l/als.profile b/etc/profile-a-l/als.profile
new file mode 100644
index 000000000..5eae228b6
--- /dev/null
+++ b/etc/profile-a-l/als.profile
@@ -0,0 +1,11 @@
+# Firejail profile for als
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include als.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
new file mode 100644
index 000000000..e7b78f7d0
--- /dev/null
+++ b/etc/profile-a-l/amarok.profile
@@ -0,0 +1,47 @@
+# Firejail profile for amarok
+# Description: Easy to use media player based on the KDE Platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amarok.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp
+shell none
+
+# private-bin amarok
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.amarok
+dbus-user.own org.mpris.amarok
+dbus-user.own org.mpris.MediaPlayer2.amarok
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.kde.StatusNotifierWatcher
+# If you're not on kde-plasma add the next lines to your amarok.local.
+#dbus-user.own org.kde.kded
+#dbus-user.own org.kde.klauncher
+#dbus-user.talk org.kde.knotify
+dbus-system none
diff --git a/etc/amule.profile b/etc/profile-a-l/amule.profile
index 98ec52015..3ce05c5bc 100644
--- a/etc/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -1,21 +1,23 @@
 # Firejail profile for amule
+# Description: Client for the eD2k and Kad networks, like eMule
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/amule.local
+include amule.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+include globals.local
 
 noblacklist ${HOME}/.aMule
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
+mkdir ${HOME}/.aMule
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.aMule
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -23,10 +25,12 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -36,5 +40,3 @@ private-bin amule
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/amuled.profile b/etc/profile-a-l/amuled.profile
new file mode 100644
index 000000000..58b796875
--- /dev/null
+++ b/etc/profile-a-l/amuled.profile
@@ -0,0 +1,13 @@
+# Firejail profile for amuled
+# Description: Daemon for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include amule.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin amuled
+
+# Redirect
+include amule.profile
diff --git a/etc/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 6be92e1c0..ad44d5f1d 100644
--- a/etc/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -1,24 +1,28 @@
 # Firejail profile for android-studio
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/android-studio.local
+include android-studio.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
+noblacklist ${HOME}/.config/Google
 noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -32,7 +36,8 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-dev
+private-cache
 # private-tmp
 
-noexec /tmp
+# noexec /tmp breaks 'Android Profiler'
+#noexec /tmp
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
new file mode 100644
index 000000000..fa4dfbb6f
--- /dev/null
+++ b/etc/profile-a-l/anki.profile
@@ -0,0 +1,57 @@
+# Firejail profile for anki
+# Description: flexible, intelligent flashcard program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anki.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.local/share/Anki2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/Anki2
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/.local/share/Anki2
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin anki,python*
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
new file mode 100644
index 000000000..5001b20cb
--- /dev/null
+++ b/etc/profile-a-l/anydesk.profile
@@ -0,0 +1,36 @@
+# Firejail profile for AnyDesk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anydesk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.anydesk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.anydesk
+whitelist ${HOME}/.anydesk
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin anydesk
+private-dev
+private-tmp
diff --git a/etc/aosp.profile b/etc/profile-a-l/aosp.profile
index 5ceef9348..9668ba00a 100644
--- a/etc/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -1,28 +1,29 @@
 # Firejail profile for aosp
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/aosp.local
+include aosp.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+include globals.local
 
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.bash_history
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-a-l/apack.profile b/etc/profile-a-l/apack.profile
new file mode 100644
index 000000000..9fef911af
--- /dev/null
+++ b/etc/profile-a-l/apack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for apack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include apack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile
new file mode 100644
index 000000000..1951748d4
--- /dev/null
+++ b/etc/profile-a-l/apktool.profile
@@ -0,0 +1,38 @@
+# Firejail profile for apktool
+# Description: Tool for reverse engineering Android apk files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include apktool.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin apktool,basename,bash,dirname,expr,java,sh
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
new file mode 100644
index 000000000..5d45a0804
--- /dev/null
+++ b/etc/profile-a-l/apostrophe.profile
@@ -0,0 +1,72 @@
+# Firejail profile for apostrophe
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include apostrophe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.texlive20*
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/libexec/webkit2gtk-4.0
+whitelist /usr/share/apostrophe
+whitelist /usr/share/texlive
+whitelist /usr/share/texmf
+whitelist /usr/share/pandoc-*
+whitelist /usr/share/perl5
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin apostrophe,fmtutil,kpsewhich,mktexfmt,pandoc,pdftex,perl,python3*,sh,xdvipdfmx,xelatex,xetex
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,texlive,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitlab.somas.Apostrophe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile
new file mode 100644
index 000000000..5a20a8181
--- /dev/null
+++ b/etc/profile-a-l/ar.profile
@@ -0,0 +1,11 @@
+# Firejail profile for ar
+# Description: Create, modify, and extract from archives
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ar.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
new file mode 100644
index 000000000..c164073c5
--- /dev/null
+++ b/etc/profile-a-l/arch-audit.profile
@@ -0,0 +1,52 @@
+# Firejail profile for arch-audit
+# Description: A utility like pkg-audit based on Arch CVE Monitoring Team data
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include arch-audit.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/arch-audit
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
new file mode 100644
index 000000000..3aebd685d
--- /dev/null
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -0,0 +1,39 @@
+# Firejail profile for archaudit-report
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include archaudit-report.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,pactree,rm,sed,sort,whoneeds
+#private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
new file mode 100644
index 000000000..81733220f
--- /dev/null
+++ b/etc/profile-a-l/archiver-common.profile
@@ -0,0 +1,52 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include archiver-common.local
+
+# common profile for archiver/compression tools
+
+blacklist ${RUNUSER}
+
+# Comment/uncomment the relevant include file(s) in your archiver-common.local
+# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
+# in the relevant <archiver>.local. Beware that things tend to break when overtightening
+# profiles. For example, because you only need to (un)compress files in ${DOWNLOADS},
+# other applications may need access to ${HOME}/.local/share.
+
+# Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+
+apparmor
+caps.drop all
+hostname archiver
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ardour4.profile b/etc/profile-a-l/ardour4.profile
new file mode 100644
index 000000000..5c62c94be
--- /dev/null
+++ b/etc/profile-a-l/ardour4.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ardur4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ardour5.profile
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
new file mode 100644
index 000000000..78dea1cd0
--- /dev/null
+++ b/etc/profile-a-l/ardour5.profile
@@ -0,0 +1,43 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ardour5.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ardour4
+noblacklist ${HOME}/.config/ardour5
+noblacklist ${HOME}/.lv2
+noblacklist ${HOME}/.vst
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+#private-bin ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,ldd,nm,sed,sh
+private-cache
+private-dev
+#private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
new file mode 100644
index 000000000..01da63e8e
--- /dev/null
+++ b/etc/profile-a-l/arduino.profile
@@ -0,0 +1,39 @@
+# Firejail profile for arduino
+# Description: AVR development board IDE and built-in libraries
+# This file is overwritten after every install/update
+# Persistent local customizations
+include arduino.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.arduino15
+noblacklist ${HOME}/Arduino
+noblacklist ${DOCUMENTS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+# nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-tmp
+
diff --git a/etc/profile-a-l/arepack.profile b/etc/profile-a-l/arepack.profile
new file mode 100644
index 000000000..012f2f049
--- /dev/null
+++ b/etc/profile-a-l/arepack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for arepack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include arepack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
new file mode 100644
index 000000000..737cf3095
--- /dev/null
+++ b/etc/profile-a-l/aria2c.profile
@@ -0,0 +1,55 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aria2c.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.config/aria2
+noblacklist ${HOME}/.netrc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# disable-mnt
+# Add your custom event hook commands to 'private-bin' in your aria2c.local.
+private-bin aria2c,gzip
+# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
+#private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-lib libreadline.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
new file mode 100644
index 000000000..45071dc62
--- /dev/null
+++ b/etc/profile-a-l/ark.profile
@@ -0,0 +1,46 @@
+# Firejail profile for ark
+# Description: Archive utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ark.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/arkrc
+noblacklist ${HOME}/.local/share/kxmlgui5/ark
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /usr/share/ark
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,zip,zipinfo
+#private-etc alternatives,drirc,fonts,group,kde5rc,mtab,passwd,samba,smb.conf,xdg
+
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
new file mode 100644
index 000000000..3253fb586
--- /dev/null
+++ b/etc/profile-a-l/arm.profile
@@ -0,0 +1,48 @@
+# Firejail profile for arm
+# Description: Terminal status monitor for Tor relays
+# This file is overwritten after every install/update
+# Persistent local customizations
+include arm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.arm
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.arm
+whitelist ${HOME}/.arm
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-tmp
+
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
new file mode 100644
index 000000000..8d74b6ba4
--- /dev/null
+++ b/etc/profile-a-l/artha.profile
@@ -0,0 +1,66 @@
+# Firejail profile for artha
+# Description: A free cross-platform English thesaurus based on WordNet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include artha.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/artha.conf
+noblacklist ${HOME}/.config/artha.log
+noblacklist ${HOME}/.config/enchant
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} makes settings immutable, see #3112
+#mkfile ${HOME}/.config/artha.conf
+#mkdir ${HOME}/.config/enchant
+#whitelist ${HOME}/.config/artha.conf
+#whitelist ${HOME}/.config/artha.log
+#whitelist ${HOME}/.config/enchant
+whitelist /usr/share/artha
+whitelist /usr/share/wordnet
+#include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin artha,enchant,notify-send
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-lib libnotify.so.*
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
new file mode 100644
index 000000000..788a94302
--- /dev/null
+++ b/etc/profile-a-l/assogiate.profile
@@ -0,0 +1,54 @@
+# Firejail profile for assogiate
+# Description: An editor of the MIME file types database for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include assogiate.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin assogiate,gtk-update-icon-cache,update-mime-database
+private-cache
+private-dev
+private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-write ${HOME}/.local/share/mime
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
new file mode 100644
index 000000000..fbc65ffc7
--- /dev/null
+++ b/etc/profile-a-l/asunder.profile
@@ -0,0 +1,48 @@
+# Firejail profile for asounder
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include asunder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/asunder
+noblacklist ${HOME}/.asunder_album_genre
+noblacklist ${HOME}/.asunder_album_title
+noblacklist ${HOME}/.asunder_album_artist
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+# nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/atom-beta.profile b/etc/profile-a-l/atom-beta.profile
new file mode 100644
index 000000000..c0ee2c492
--- /dev/null
+++ b/etc/profile-a-l/atom-beta.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atom-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom-beta.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atom.profile
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
new file mode 100644
index 000000000..5f237ac59
--- /dev/null
+++ b/etc/profile-a-l/atom.profile
@@ -0,0 +1,31 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# net none
+nosound
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
new file mode 100644
index 000000000..e377de2c8
--- /dev/null
+++ b/etc/profile-a-l/atool.profile
@@ -0,0 +1,20 @@
+# Firejail profile for atool
+# Description: Tool for managing file archives of various types
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include atool.local
+# Persistent global definitions
+include globals.local
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+noroot
+
+# without login.defs atool complains and uses UID/GID 1000 by default
+private-etc alternatives,group,login.defs,passwd
+private-tmp
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-a-l/atril-previewer.profile b/etc/profile-a-l/atril-previewer.profile
new file mode 100644
index 000000000..7f4697357
--- /dev/null
+++ b/etc/profile-a-l/atril-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atril.profile
diff --git a/etc/profile-a-l/atril-thumbnailer.profile b/etc/profile-a-l/atril-thumbnailer.profile
new file mode 100644
index 000000000..8f6129ea6
--- /dev/null
+++ b/etc/profile-a-l/atril-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for atril-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atril.profile
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
new file mode 100644
index 000000000..f7c62926f
--- /dev/null
+++ b/etc/profile-a-l/atril.profile
@@ -0,0 +1,52 @@
+# Firejail profile for atril
+# Description: MATE document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atril.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/atril
+noblacklist ${HOME}/.config/atril
+noblacklist ${DOCUMENTS}
+
+#noblacklist ${HOME}/.local/share
+# it seems to use only ${HOME}/.local/share/webkitgtk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+machine-id
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
+private-dev
+private-etc alternatives,fonts,ld.so.cache
+# atril uses webkit gtk to display epub files
+# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
+#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
+private-tmp
+
+# webkit gtk killed by memory-deny-write-execute
+#memory-deny-write-execute
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
new file mode 100644
index 000000000..d71370b7e
--- /dev/null
+++ b/etc/profile-a-l/audacious.profile
@@ -0,0 +1,44 @@
+# Firejail profile for audacious
+# Description: Small and fast audio player which supports lots of formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include audacious.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Audaciousrc
+noblacklist ${HOME}/.config/audacious
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin audacious
+private-cache
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
new file mode 100644
index 000000000..264bfb9ab
--- /dev/null
+++ b/etc/profile-a-l/audacity.profile
@@ -0,0 +1,46 @@
+# Firejail profile for audacity
+# Description: Fast, cross-platform audio editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include audacity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.audacity-data
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev
+private-tmp
+
+# problems on Fedora 27
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
new file mode 100644
index 000000000..58b2efde6
--- /dev/null
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -0,0 +1,54 @@
+# Firejail profile for audio-recorder
+# Description: Audio Recorder Application
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include audio-recorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/audio-recorder
+whitelist /usr/share/gstreamer-1.0
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin audio-recorder
+private-cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/aunpack.profile b/etc/profile-a-l/aunpack.profile
new file mode 100644
index 000000000..6ce4aa491
--- /dev/null
+++ b/etc/profile-a-l/aunpack.profile
@@ -0,0 +1,11 @@
+# Firejail profile for aunpack
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include aunpack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include atool.profile
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
new file mode 100644
index 000000000..411c5f4d3
--- /dev/null
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -0,0 +1,55 @@
+# Firejail profile for authenticator-rs
+# Description: Rust based 2FA authentication program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator-rs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/authenticator-rs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/authenticator-rs
+whitelist ${HOME}/.local/share/authenticator-rs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin authenticator-rs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
new file mode 100644
index 000000000..0f0fb7ceb
--- /dev/null
+++ b/etc/profile-a-l/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include authenticator.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Authenticator
+noblacklist ${HOME}/.config/Authenticator
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+# novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private-bin authenticator,python*
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
new file mode 100644
index 000000000..abd535afe
--- /dev/null
+++ b/etc/profile-a-l/autokey-common.profile
@@ -0,0 +1,42 @@
+# Firejail profile for autokey
+# Description: Desktop automation utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.config/autokey
+noblacklist ${HOME}/.local/share/autokey
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+# disable-exec.inc might break scripting functionality
+#include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/autokey-gtk.profile b/etc/profile-a-l/autokey-gtk.profile
new file mode 100644
index 000000000..e16449064
--- /dev/null
+++ b/etc/profile-a-l/autokey-gtk.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-gtk
+# Description: Desktop automation utility (GTK version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-gtk.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/autokey-qt.profile b/etc/profile-a-l/autokey-qt.profile
new file mode 100644
index 000000000..b6f1210dd
--- /dev/null
+++ b/etc/profile-a-l/autokey-qt.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-qt
+# Description: Desktop automation utility (Qt version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-qt.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/autokey-run.profile b/etc/profile-a-l/autokey-run.profile
new file mode 100644
index 000000000..05669351a
--- /dev/null
+++ b/etc/profile-a-l/autokey-run.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-run
+# Description: Desktop automation utility (CLI version)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-run.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/autokey-shell.profile b/etc/profile-a-l/autokey-shell.profile
new file mode 100644
index 000000000..dfbd8759f
--- /dev/null
+++ b/etc/profile-a-l/autokey-shell.profile
@@ -0,0 +1,10 @@
+# Firejail profile for autokey-shell
+# Description: Desktop automation utility (CLI shell)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include autokey-shell.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include autokey-common.profile
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
new file mode 100644
index 000000000..468a3fe9f
--- /dev/null
+++ b/etc/profile-a-l/avidemux.profile
@@ -0,0 +1,54 @@
+# Firejail profile for Avidemux
+# Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks.
+# Persistent local customizations
+include avidemux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.avidemux6
+noblacklist ${HOME}/.config/avidemux3_qt5rc
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.avidemux6
+mkdir ${HOME}/.config/avidemux3_qt5rc
+whitelist ${HOME}/.avidemux6
+whitelist ${HOME}/.config/avidemux3_qt5rc
+whitelist ${VIDEOS}
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
new file mode 100644
index 000000000..e01ea5b5d
--- /dev/null
+++ b/etc/profile-a-l/aweather.profile
@@ -0,0 +1,40 @@
+# Firejail profile for aweather
+# Description: Advanced Weather Monitoring Program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include aweather.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/aweather
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.config/aweather
+whitelist ${HOME}/.config/aweather
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
new file mode 100644
index 000000000..5d1bf5071
--- /dev/null
+++ b/etc/profile-a-l/awesome.profile
@@ -0,0 +1,19 @@
+# Firejail profile for awesome
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include awesome.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in awesome will run in this profile
+noblacklist ${HOME}/.config/awesome
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+read-only ${HOME}/.config/awesome/autorun.sh
diff --git a/etc/profile-a-l/b2sum.profile b/etc/profile-a-l/b2sum.profile
new file mode 100644
index 000000000..48cb9619b
--- /dev/null
+++ b/etc/profile-a-l/b2sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for b2sum
+# Description: compute and check BLAKE2 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include b2sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin b2sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-a-l/ballbuster-wrapper.profile b/etc/profile-a-l/ballbuster-wrapper.profile
new file mode 100644
index 000000000..419dcaab5
--- /dev/null
+++ b/etc/profile-a-l/ballbuster-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ballbuster-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ballbuster-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin ballbuster-wrapper
+
+# Redirect
+include ballbuster.profile
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
new file mode 100644
index 000000000..daa13a7ed
--- /dev/null
+++ b/etc/profile-a-l/ballbuster.profile
@@ -0,0 +1,52 @@
+# Firejail profile for ballbuster
+# Description: Move the paddle to bounce the ball and break all the bricks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ballbuster.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ballbuster.hs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.ballbuster.hs
+whitelist ${HOME}/.ballbuster.hs
+whitelist /usr/share/ballbuster
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin ballbuster
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
new file mode 100644
index 000000000..252016bec
--- /dev/null
+++ b/etc/profile-a-l/baloo_file.profile
@@ -0,0 +1,54 @@
+# Firejail profile for baloo_file
+# This file is overwritten after every install/update
+# Persistent local customizations
+include baloo_file.local
+# Persistent global definitions
+include globals.local
+
+# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
+# Note: Baloo will not be able to update the "first run" key in its configuration files.
+# mkdir ${HOME}/.local/share/baloo
+# read-only ${HOME}
+# read-write ${HOME}/.local/share/baloo
+# ignore read-write
+
+noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloofilerc
+noblacklist ${HOME}/.kde/share/config/baloorc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.local/share/baloo
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+# blacklisting of ioprio_set system calls breaks baloo_file
+seccomp !ioprio_set
+shell none
+# x11 xorg
+
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
new file mode 100644
index 000000000..ff10e9965
--- /dev/null
+++ b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
@@ -0,0 +1,14 @@
+# Firejail profile for baloo_filemetadata_temp_extractor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include baloo_filemetadata_temp_extractor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore read-write
+read-only ${HOME}
+
+# Redirect
+include baloo_file.profile
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
new file mode 100644
index 000000000..197f787ca
--- /dev/null
+++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,82 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.signature
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
new file mode 100644
index 000000000..c8dbcad4e
--- /dev/null
+++ b/etc/profile-a-l/baobab.profile
@@ -0,0 +1,44 @@
+# Firejail profile for baobab
+# Description: GNOME disk usage analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include baobab.local
+# Persistent global definitions
+include globals.local
+
+# include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# include disable-programs.inc
+include disable-shell.inc
+# include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin baobab
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
new file mode 100644
index 000000000..f6775ee01
--- /dev/null
+++ b/etc/profile-a-l/barrier.profile
@@ -0,0 +1,45 @@
+# Firejail profile for barrier
+# Description: Keyboard and mouse sharing application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include barrier.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Debauchee/Barrier.conf
+noblacklist ${HOME}/.local/share/barrier
+noblacklist ${PATH}/openssl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-cache
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
new file mode 100644
index 000000000..8dc3847a0
--- /dev/null
+++ b/etc/profile-a-l/basilisk.profile
@@ -0,0 +1,26 @@
+# Firejail profile for basilisk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include basilisk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/moonchild productions/basilisk
+noblacklist ${HOME}/.moonchild productions/basilisk
+
+mkdir ${HOME}/.cache/moonchild productions/basilisk
+mkdir ${HOME}/.moonchild productions
+whitelist ${HOME}/.cache/moonchild productions/basilisk
+whitelist ${HOME}/.moonchild productions
+
+# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
+seccomp
+ignore seccomp
+
+#private-bin basilisk
+# private-etc must first be enabled in firefox-common.profile
+#private-etc basilisk
+#private-opt basilisk
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
new file mode 100644
index 000000000..87bcf9a19
--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,47 @@
+# Firejail profile for Beyond Compare by Scooter Software
+# Description: directory and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/bcompare
+# In case the user decides to include disable-programs.inc, still allow
+# KDE's Gwenview to view images via right click -> Open With -> Associated Application
+noblacklist ${HOME}/.config/gwenviewrc
+
+# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+#include disable-shell.inc - breaks launch
+include disable-write-mnt.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
new file mode 100644
index 000000000..f3a9568bd
--- /dev/null
+++ b/etc/profile-a-l/beaker.profile
@@ -0,0 +1,28 @@
+# Firejail profile for beaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include beaker.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
+
+noblacklist ${HOME}/.config/Beaker Browser
+
+mkdir ${HOME}/.config/Beaker Browser
+whitelist ${HOME}/.config/Beaker Browser
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
new file mode 100644
index 000000000..0104dc181
--- /dev/null
+++ b/etc/profile-a-l/bibletime.profile
@@ -0,0 +1,59 @@
+# Firejail profile for bibletime
+# Description: Bible study tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bibletime.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bibletime
+noblacklist ${HOME}/.sword
+noblacklist ${HOME}/.local/share/bibletime
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.bibletime
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.local/share/bibletime
+whitelist ${HOME}/.bibletime
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.local/share/bibletime
+whitelist /usr/share/bibletime
+whitelist /usr/share/doc/bibletime
+whitelist /usr/share/sword
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+# private-bin bibletime,qt5ct
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bibtex.profile b/etc/profile-a-l/bibtex.profile
new file mode 100644
index 000000000..e868dcbab
--- /dev/null
+++ b/etc/profile-a-l/bibtex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bibtex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bibtex.local
+# Persistent global definitions
+include globals.local
+
+private-bin bibtex
+
+# Redirect
+include latex-common.profile
+
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
new file mode 100644
index 000000000..61cd792b1
--- /dev/null
+++ b/etc/profile-a-l/bijiben.profile
@@ -0,0 +1,63 @@
+# Firejail profile for bijiben
+# Description: Simple Note Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bijiben.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/bijiben
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/bijiben
+whitelist ${HOME}/.local/share/bijiben
+whitelist ${HOME}/.cache/tracker
+whitelist /usr/libexec/webkit2gtk-4.0
+whitelist /usr/share/bijiben
+whitelist /usr/share/tracker
+whitelist /usr/share/tracker3
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin bijiben
+# private-cache -- access to .cache/tracker is required
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Notes
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Tracker1
+dbus-system none
+
+env WEBKIT_FORCE_SANDBOX=0
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
new file mode 100644
index 000000000..ef6ef7a75
--- /dev/null
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -0,0 +1,50 @@
+# Firejail profile for bitcoin-qt
+# Description: Bitcoin is a peer-to-peer network based digital currency
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bitcoin-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bitcoin
+noblacklist ${HOME}/.config/Bitcoin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.bitcoin
+mkdir ${HOME}/.config/Bitcoin
+whitelist ${HOME}/.bitcoin
+whitelist ${HOME}/.config/Bitcoin
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bitcoin-qt
+private-dev
+# Causes problem with loading of libGL.so
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 1b7b2c258..773fa7500 100644
--- a/etc/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -1,34 +1,40 @@
 # Firejail profile for bitlbee
+# Description: IRC to other chat networks gateway
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/bitlbee.local
+include bitlbee.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
+
+ignore noexec ${HOME}
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
+# noblacklist /var/log
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 netfilter
 no3d
 nodvd
+noinput
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 
 disable-mnt
 private
-private-dev
+private-cache
 private-dev
 private-tmp
-read-write /var/lib/bitlbee
 
-noexec /tmp
+read-write /var/lib/bitlbee
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
new file mode 100644
index 000000000..ba2eb2ea7
--- /dev/null
+++ b/etc/profile-a-l/bitwarden.profile
@@ -0,0 +1,30 @@
+# Firejail profile for bitwarden
+# Description: A secure and free password manager for all of your devices
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include bitwarden.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include whitelist-usr-share-common.inc
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Bitwarden
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/Bitwarden
+whitelist ${HOME}/.config/Bitwarden
+
+machine-id
+no3d
+nosound
+
+?HAS_APPIMAGE: ignore private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-opt Bitwarden
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
new file mode 100644
index 000000000..233f9a96f
--- /dev/null
+++ b/etc/profile-a-l/blackbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for blackbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blackbox.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in blackbox will run in this profile
+noblacklist ${HOME}/.blackbox
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
new file mode 100644
index 000000000..28ce8fbea
--- /dev/null
+++ b/etc/profile-a-l/bleachbit.profile
@@ -0,0 +1,42 @@
+# Firejail profile for bleachbit
+# Description: Delete unnecessary files from the system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bleachbit.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# include disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute breaks some systems, see issue #1850
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
new file mode 100644
index 000000000..55d8fdcf2
--- /dev/null
+++ b/etc/profile-a-l/blender-2.8.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blender-2.8.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include blender.profile
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
new file mode 100644
index 000000000..225fd7cdc
--- /dev/null
+++ b/etc/profile-a-l/blender.profile
@@ -0,0 +1,40 @@
+# Firejail profile for blender
+# Description: Very fast and versatile 3D modeller/renderer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blender.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/blender
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# Allow usage of AMD GPU by OpenCL
+noblacklist /sys/module
+whitelist /sys/module/amdgpu
+read-only /sys/module/amdgpu
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+# numpy, used by many add-ons, requires the mbind syscall
+seccomp !mbind
+shell none
+
+private-dev
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
new file mode 100644
index 000000000..61d1c3a1e
--- /dev/null
+++ b/etc/profile-a-l/bless.profile
@@ -0,0 +1,42 @@
+# Firejail profile for bless
+# Description: A full featured hexadecimal editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bless.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/bless
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin bash,bless,mono,sh
+private-cache
+private-dev
+private-etc alternatives,fonts,mono
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
new file mode 100644
index 000000000..11d705c5b
--- /dev/null
+++ b/etc/profile-a-l/blobby.profile
@@ -0,0 +1,51 @@
+# Firejail profile for blobby
+# Persistent local customizations
+include blobby.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.blobby
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.blobby
+whitelist ${HOME}/.blobby
+include whitelist-common.inc
+whitelist /usr/share/blobby
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobby
+private-dev
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
new file mode 100644
index 000000000..6e3d4256c
--- /dev/null
+++ b/etc/profile-a-l/blobwars.profile
@@ -0,0 +1,50 @@
+# Firejail profile for blobwars
+# Description: Mission and Objective based 2D Platform Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blobwars.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.parallelrealities/blobwars
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.parallelrealities/blobwars
+whitelist ${HOME}/.parallelrealities/blobwars
+whitelist /usr/share/blobwars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobwars
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
new file mode 100644
index 000000000..bc5219e29
--- /dev/null
+++ b/etc/profile-a-l/bluefish.profile
@@ -0,0 +1,40 @@
+# Firejail profile for bluefish
+# Description: Advanced Gtk+ text editor for web and software development
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bluefish.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin bluefish
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
new file mode 100644
index 000000000..6e8f0d7d1
--- /dev/null
+++ b/etc/profile-a-l/bnox.profile
@@ -0,0 +1,22 @@
+# Firejail profile for bnox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bnox.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/bnox
+noblacklist ${HOME}/.config/bnox
+
+mkdir ${HOME}/.cache/bnox
+mkdir ${HOME}/.config/bnox
+whitelist ${HOME}/.cache/bnox
+whitelist ${HOME}/.config/bnox
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
new file mode 100644
index 000000000..94afc9e0b
--- /dev/null
+++ b/etc/profile-a-l/brackets.profile
@@ -0,0 +1,34 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brackets.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Brackets
+#noblacklist /opt/brackets
+#noblacklist /opt/google
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot,!ioperm
+shell none
+
+private-cache
+private-dev
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
new file mode 100644
index 000000000..656701909
--- /dev/null
+++ b/etc/profile-a-l/brasero.profile
@@ -0,0 +1,36 @@
+# Firejail profile for brasero
+# Description: CD/DVD burning application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brasero.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/brasero
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin brasero
+private-cache
+# private-dev
+# private-tmp
diff --git a/etc/profile-a-l/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile
new file mode 100644
index 000000000..bbe23056f
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-beta.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for brave (beta channel)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-beta.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile
new file mode 100644
index 000000000..b3fcc22ee
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-dev.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for brave (development channel)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-dev.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile
new file mode 100644
index 000000000..796c90deb
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-nightly.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for brave (nightly channel)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-nightly.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile
new file mode 100644
index 000000000..fab7f5f14
--- /dev/null
+++ b/etc/profile-a-l/brave-browser-stable.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for brave (release channel)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser-stable.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave-browser.profile b/etc/profile-a-l/brave-browser.profile
new file mode 100644
index 000000000..fda337725
--- /dev/null
+++ b/etc/profile-a-l/brave-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for brave
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave-browser.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include brave.profile
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
new file mode 100644
index 000000000..09548c761
--- /dev/null
+++ b/etc/profile-a-l/brave.profile
@@ -0,0 +1,37 @@
+# Firejail profile for brave
+# Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+# TOR is installed in ${HOME}.
+# NOTE: chromium-common.profile enables apparmor. To keep that intact
+# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
+# Alternatively you can add 'ignore apparmor' to your brave.local.
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+
+mkdir ${HOME}/.cache/BraveSoftware
+mkdir ${HOME}/.config/BraveSoftware
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
+whitelist ${HOME}/.gnupg
+
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/bsdcat.profile b/etc/profile-a-l/bsdcat.profile
new file mode 100644
index 000000000..ff7d83dad
--- /dev/null
+++ b/etc/profile-a-l/bsdcat.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bsdcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include bsdtar.profile
diff --git a/etc/profile-a-l/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile
new file mode 100644
index 000000000..eb35ef79f
--- /dev/null
+++ b/etc/profile-a-l/bsdcpio.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bsdcpio.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include bsdtar.profile
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
new file mode 100644
index 000000000..d731a6a6e
--- /dev/null
+++ b/etc/profile-a-l/bsdtar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bsdtar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bsdtar.local
+# Persistent global definitions
+include globals.local
+
+private-etc alternatives,group,localtime,passwd
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-a-l/bunzip2.profile b/etc/profile-a-l/bunzip2.profile
new file mode 100644
index 000000000..37b47c2ce
--- /dev/null
+++ b/etc/profile-a-l/bunzip2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bunzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bunzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/bzcat.profile b/etc/profile-a-l/bzcat.profile
new file mode 100644
index 000000000..edefb6bb8
--- /dev/null
+++ b/etc/profile-a-l/bzcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for bzcat
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore read-write
+read-only ${HOME}
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
new file mode 100644
index 000000000..53cfde352
--- /dev/null
+++ b/etc/profile-a-l/bzflag.profile
@@ -0,0 +1,47 @@
+# Firejail profile for bzflag
+# Description: 3D multi-player tank battle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzflag.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bzf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.bzf
+whitelist ${HOME}/.bzf
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bzadmin,bzflag,bzflag-wrapper,bzfs
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bzip2.profile b/etc/profile-a-l/bzip2.profile
new file mode 100644
index 000000000..0756e0537
--- /dev/null
+++ b/etc/profile-a-l/bzip2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for bzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile
new file mode 100644
index 000000000..1af102ca8
--- /dev/null
+++ b/etc/profile-a-l/caja.profile
@@ -0,0 +1,15 @@
+# Firejail profile for caja
+# Description: File manager for the MATE desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include caja.local
+# Persistent global definitions
+include globals.local
+
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+
+# Put 'ignore noroot' in your caja.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
new file mode 100644
index 000000000..cdc168384
--- /dev/null
+++ b/etc/profile-a-l/calibre.profile
@@ -0,0 +1,38 @@
+# Firejail profile for calibre
+# Description: Powerful and easy to use e-book manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calibre.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/calibre
+noblacklist ${HOME}/.config/calibre
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
new file mode 100644
index 000000000..280a61401
--- /dev/null
+++ b/etc/profile-a-l/calligra.profile
@@ -0,0 +1,40 @@
+# Firejail profile for calligra
+# Description: Extensive productivity and creative suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligra.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/calligra
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
+private-dev
+
+# dbus-user none
+# dbus-system none
+
+# noexec ${HOME}
+noexec /tmp
diff --git a/etc/profile-a-l/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile
new file mode 100644
index 000000000..ace6c05f8
--- /dev/null
+++ b/etc/profile-a-l/calligraauthor.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligraauthor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile
new file mode 100644
index 000000000..b2c23a57b
--- /dev/null
+++ b/etc/profile-a-l/calligraconverter.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligraconverter.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraflow.profile b/etc/profile-a-l/calligraflow.profile
new file mode 100644
index 000000000..ca654b3f3
--- /dev/null
+++ b/etc/profile-a-l/calligraflow.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligraflow.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile
new file mode 100644
index 000000000..006c307ab
--- /dev/null
+++ b/etc/profile-a-l/calligragemini.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligragemini.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/calligragemini
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
new file mode 100644
index 000000000..81dbd4dcd
--- /dev/null
+++ b/etc/profile-a-l/calligraplan.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligraplan.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
new file mode 100644
index 000000000..bba91b66b
--- /dev/null
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligraplanwork.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
new file mode 100644
index 000000000..7bc296047
--- /dev/null
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligrasheets.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
new file mode 100644
index 000000000..7694abbe4
--- /dev/null
+++ b/etc/profile-a-l/calligrastage.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligrastage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
new file mode 100644
index 000000000..d69d56a95
--- /dev/null
+++ b/etc/profile-a-l/calligrawords.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include calligrawords.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
+
+# Redirect
+include calligra.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
new file mode 100644
index 000000000..ae9e0f1d2
--- /dev/null
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -0,0 +1,55 @@
+# Firejail profile for cameramonitor
+# Description: A little monitor to check your webcam status
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cameramonitor.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/cameramonitor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cameramonitor,python*
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
new file mode 100644
index 000000000..69cf912ef
--- /dev/null
+++ b/etc/profile-a-l/cantata.profile
@@ -0,0 +1,40 @@
+# Firejail profile for Cantata
+# Description: Multimedia player - Qt5 client for the music Player daemon (MPD)
+# This file is overwritten during software install.
+# Persistent local customizations
+include cantata.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cantata
+noblacklist ${HOME}/.config/cantata
+noblacklist ${HOME}/.local/share/cantata
+noblacklist ${MUSIC}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+noinput
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-etc drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
+private-bin cantata,mpd,perl
+private-dev
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
new file mode 100644
index 000000000..ff46cd429
--- /dev/null
+++ b/etc/profile-a-l/cargo.profile
@@ -0,0 +1,72 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.cargo/credentials
+noblacklist ${HOME}/.cargo/credentials.toml
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#mkdir ${HOME}/.cargo
+#whitelist ${HOME}/YOUR_CARGO_PROJECTS
+#whitelist ${HOME}/.cargo
+#whitelist ${HOME}/.rustup
+#include whitelist-common.inc
+whitelist /usr/share/pkgconfig
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+#private-bin cargo,rustc
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-write ${HOME}/.cargo/bin
diff --git a/etc/catfish.profile b/etc/profile-a-l/catfish.profile
index 5fc585d90..38a670fdc 100644
--- a/etc/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -1,21 +1,29 @@
 # Firejail profile for catfish
+# Description: File searching tool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/catfish.local
+include catfish.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # We can't blacklist much since catfish
 # is for finding files/content
-noblacklist ~/.config/catfish
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+
+noblacklist ${HOME}/.config/catfish
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# include disable-common.inc
+# include disable-devel.inc
+include disable-interpreters.inc
+# include disable-programs.inc
 
 whitelist /var/lib/mlocate
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
@@ -33,6 +41,9 @@ tracelog
 
 # These options work but are disabled in case
 # a users wants to search in these directories.
-# private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
+# private-bin bash,catfish,env,locate,ls,mlocate,python*
 # private-dev
 # private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
new file mode 100644
index 000000000..78df5af83
--- /dev/null
+++ b/etc/profile-a-l/cawbird.profile
@@ -0,0 +1,46 @@
+# Firejail profile for cawbird
+# Description: Open-source Twitter client for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cawbird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cawbird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cawbird
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
new file mode 100644
index 000000000..0beeaafdd
--- /dev/null
+++ b/etc/profile-a-l/celluloid.profile
@@ -0,0 +1,67 @@
+# Firejail profile for celluloid
+# Description: Simple GTK+ frontend for mpv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include celluloid.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/celluloid
+noblacklist ${HOME}/.config/gnome-mpv
+noblacklist ${HOME}/.config/youtube-dl
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/celluloid
+mkdir ${HOME}/.config/gnome-mpv
+mkdir ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.config/celluloid
+whitelist ${HOME}/.config/gnome-mpv
+whitelist ${HOME}/.config/youtube-dl
+include whitelist-common.inc
+include whitelist-player-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin celluloid,env,gnome-mpv,python*,youtube-dl
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.own io.github.celluloid_player.Celluloid
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/celluloid
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
new file mode 100644
index 000000000..e89f488ea
--- /dev/null
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -0,0 +1,55 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include checkbashisms.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+
+private-cache
+private-dev
+private-lib libfreebl3.so,perl*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
new file mode 100644
index 000000000..c2fc064f3
--- /dev/null
+++ b/etc/profile-a-l/cheese.profile
@@ -0,0 +1,50 @@
+# Firejail profile for cheese
+# Description: taking pictures and movies from a webcam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cheese.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${VIDEOS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${VIDEOS}
+whitelist ${PICTURES}
+whitelist /usr/share/gnome-video-effects
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cheese
+private-cache
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
new file mode 100644
index 000000000..e68182b27
--- /dev/null
+++ b/etc/profile-a-l/cherrytree.profile
@@ -0,0 +1,43 @@
+# Firejail profile for cherrytree
+# Description: Hierarchical note taking application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cherrytree.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cherrytree
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
new file mode 100644
index 000000000..8803a4d9d
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -0,0 +1,19 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+blacklist /usr/libexec
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile
new file mode 100644
index 000000000..7ad806f5b
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for chromium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
new file mode 100644
index 000000000..19addd285
--- /dev/null
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -0,0 +1,9 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include chromium-common-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
new file mode 100644
index 000000000..c42243e02
--- /dev/null
+++ b/etc/profile-a-l/chromium-common.profile
@@ -0,0 +1,59 @@
+# Firejail profile for chromium-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
+# to have access to Gnome extensions (extensions.gnome.org) via browser connector
+#include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+?BROWSER_DISABLE_U2F: nou2f
+shell none
+
+disable-mnt
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+#private-tmp - issues when using multiple browser sessions
+
+#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
+dbus-system none
+
+# The file dialog needs to work without d-bus.
+?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile
new file mode 100644
index 000000000..dadedfbcf
--- /dev/null
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -0,0 +1,10 @@
+# Firejail profile for chromium-freeworld
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-freeworld.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
new file mode 100644
index 000000000..9ac33aa1c
--- /dev/null
+++ b/etc/profile-a-l/chromium.profile
@@ -0,0 +1,24 @@
+# Firejail profile for chromium
+# Description: A web browser built for speed, simplicity, and security
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/chromium
+noblacklist ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/chromium-flags.conf
+
+mkdir ${HOME}/.cache/chromium
+mkdir ${HOME}/.config/chromium
+whitelist ${HOME}/.cache/chromium
+whitelist ${HOME}/.config/chromium
+whitelist ${HOME}/.config/chromium-flags.conf
+whitelist /usr/share/chromium
+whitelist /usr/share/mozilla/extensions
+
+# private-bin chromium,chromium-browser,chromedriver
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
new file mode 100644
index 000000000..7d3e0c100
--- /dev/null
+++ b/etc/profile-a-l/cin.profile
@@ -0,0 +1,37 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bcast5
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+#nogroups
+noinput
+nonewprivs
+notv
+nou2f
+noroot
+protocol unix
+
+# If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local.
+seccomp
+shell none
+
+#private-bin cin,ffmpeg
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cinelerra.profile b/etc/profile-a-l/cinelerra.profile
new file mode 100644
index 000000000..38297bbae
--- /dev/null
+++ b/etc/profile-a-l/cinelerra.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cinelerra.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cin.profile
diff --git a/etc/profile-a-l/cksum.profile b/etc/profile-a-l/cksum.profile
new file mode 100644
index 000000000..2baeed2ed
--- /dev/null
+++ b/etc/profile-a-l/cksum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cksum
+# Description: checksum and count the bytes in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cksum.local
+# Persistent global definitions
+include globals.local
+
+private-bin cksum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/clamav.profile b/etc/profile-a-l/clamav.profile
index a5aacc1d5..e403c2c41 100644
--- a/etc/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -1,11 +1,15 @@
 # Firejail profile for clamav
+# Description: Anti-virus utility for Unix
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/clamav.local
+include clamav.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
 
 caps.drop all
 ipc-namespace
@@ -13,10 +17,12 @@ net none
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
@@ -25,8 +31,10 @@ tracelog
 x11 none
 
 private-dev
+
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/clamdscan.profile b/etc/profile-a-l/clamdscan.profile
new file mode 100644
index 000000000..b25b46a27
--- /dev/null
+++ b/etc/profile-a-l/clamdscan.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clamdscan.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clamav.profile
diff --git a/etc/profile-a-l/clamdtop.profile b/etc/profile-a-l/clamdtop.profile
new file mode 100644
index 000000000..8c8cb3880
--- /dev/null
+++ b/etc/profile-a-l/clamdtop.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clamdtop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clamav.profile
diff --git a/etc/profile-a-l/clamscan.profile b/etc/profile-a-l/clamscan.profile
new file mode 100644
index 000000000..0bc95e515
--- /dev/null
+++ b/etc/profile-a-l/clamscan.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for clamav
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clamscan.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clamav.profile
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
new file mode 100644
index 000000000..2a06178a5
--- /dev/null
+++ b/etc/profile-a-l/clamtk.profile
@@ -0,0 +1,30 @@
+# Firejail profile for clamtk
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clamtk.local
+# Persistent global definitions
+include globals.local
+
+include disable-exec.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
new file mode 100644
index 000000000..691657fa0
--- /dev/null
+++ b/etc/profile-a-l/claws-mail.profile
@@ -0,0 +1,30 @@
+# Firejail profile for claws-mail
+# Description: Fast, lightweight and user-friendly GTK+2 based email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include claws-mail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.claws-mail
+
+mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
+
+# Add the below lines to your claws-mail.local if you use python-based plugins.
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
+
+whitelist /usr/share/doc/claws-mail
+
+# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# Add the next line to your claws-mail.local if you use the notification plugin.
+# dbus-user.talk org.freedesktop.Notifications
+
+# Redirect
+include email-common.profile
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
new file mode 100644
index 000000000..8ccf67ba1
--- /dev/null
+++ b/etc/profile-a-l/clawsker.profile
@@ -0,0 +1,54 @@
+# Firejail profile for clawsker
+# Description: An applet to edit Claws Mail's hidden preferences
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clawsker.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.claws-mail
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.claws-mail
+whitelist ${HOME}/.claws-mail
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,clawsker,perl,sh,which
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
new file mode 100644
index 000000000..b1509f391
--- /dev/null
+++ b/etc/profile-a-l/clementine.profile
@@ -0,0 +1,40 @@
+# Firejail profile for clementine
+# Description: Modern music player and library organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clementine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Clementine
+noblacklist ${HOME}/.config/Clementine
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioprio_set system calls breaks clementine
+seccomp !ioprio_set
+
+private-dev
+private-tmp
+
+dbus-system none
+# dbus-user none
diff --git a/etc/profile-a-l/clion-eap.profile b/etc/profile-a-l/clion-eap.profile
new file mode 100644
index 000000000..3602c3e7b
--- /dev/null
+++ b/etc/profile-a-l/clion-eap.profile
@@ -0,0 +1,10 @@
+# Firejail profile for CLion EAP
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion-eap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clion.profile
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
new file mode 100644
index 000000000..15071d731
--- /dev/null
+++ b/etc/profile-a-l/clion.profile
@@ -0,0 +1,43 @@
+# Firejail profile for CLion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/JetBrains/CLion*
+noblacklist ${HOME}/.cache/JetBrains/CLion*
+noblacklist ${HOME}/.clion*
+noblacklist ${HOME}/.CLion*
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.tooling
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+# private-tmp
+
+noexec /tmp
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
new file mode 100644
index 000000000..f3c77fa77
--- /dev/null
+++ b/etc/profile-a-l/clipgrab.profile
@@ -0,0 +1,47 @@
+# Firejail profile for clipgrab
+# Description: A free video downloader and converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clipgrab.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Philipp Schmieder
+noblacklist ${HOME}/.pki
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
new file mode 100644
index 000000000..4c7cb86bf
--- /dev/null
+++ b/etc/profile-a-l/clipit.profile
@@ -0,0 +1,50 @@
+# Firejail profile for clipit
+# Description: Lightweight GTK+ clipboard manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clipit.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/clipit
+noblacklist ${HOME}/.local/share/clipit
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/clipit
+mkdir ${HOME}/.local/share/clipit
+whitelist ${HOME}/.config/clipit
+whitelist ${HOME}/.local/share/clipit
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
new file mode 100644
index 000000000..d0b8cc0ef
--- /dev/null
+++ b/etc/profile-a-l/cliqz.profile
@@ -0,0 +1,23 @@
+# Firejail profile for cliqz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cliqz.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/cliqz
+noblacklist ${HOME}/.cliqz
+noblacklist ${HOME}/.config/cliqz
+
+mkdir ${HOME}/.cache/cliqz
+mkdir ${HOME}/.cliqz
+mkdir ${HOME}/.config/cliqz
+whitelist ${HOME}/.cache/cliqz
+whitelist ${HOME}/.cliqz
+whitelist ${HOME}/.config/cliqz
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cliqz
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/clocks.profile b/etc/profile-a-l/clocks.profile
new file mode 100644
index 000000000..3b3efb9f3
--- /dev/null
+++ b/etc/profile-a-l/clocks.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-clocks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clocks.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-clocks.profile
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
new file mode 100644
index 000000000..19a30e694
--- /dev/null
+++ b/etc/profile-a-l/cmus.profile
@@ -0,0 +1,30 @@
+# Firejail profile for cmus
+# Description: Lightweight ncurses audio player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cmus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cmus
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin cmus
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/code-oss.profile b/etc/profile-a-l/code-oss.profile
new file mode 100644
index 000000000..6d45d5994
--- /dev/null
+++ b/etc/profile-a-l/code-oss.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include code.profile
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
new file mode 100644
index 000000000..fdf94ec41
--- /dev/null
+++ b/etc/profile-a-l/code.profile
@@ -0,0 +1,40 @@
+# Firejail profile for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Code
+noblacklist ${HOME}/.config/Code - OSS
+noblacklist ${HOME}/.vscode
+noblacklist ${HOME}/.vscode-oss
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+nosound
+
+# Disabling noexec ${HOME} for now since it will
+# probably interfere with running some programmes
+# in VS Code
+# noexec ${HOME}
+noexec /tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
new file mode 100644
index 000000000..e5debfd82
--- /dev/null
+++ b/etc/profile-a-l/cola.profile
@@ -0,0 +1,10 @@
+# Firejail profile for cola
+# Description: Linux native frontend for Git,alternative call for git-cola
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cola.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include git-cola.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/colorful-wrapper.profile b/etc/profile-a-l/colorful-wrapper.profile
new file mode 100644
index 000000000..4b762047d
--- /dev/null
+++ b/etc/profile-a-l/colorful-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for colorful-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include colorful-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin colorful-wrapper
+
+# Redirect
+include colorful.profile
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
new file mode 100644
index 000000000..33ee0d0ee
--- /dev/null
+++ b/etc/profile-a-l/colorful.profile
@@ -0,0 +1,52 @@
+# Firejail profile for colorful
+# Description: simple 2D sideview shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include colorful.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.suve/colorful
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.suve/colorful
+whitelist ${HOME}/.suve/colorful
+whitelist /usr/share/suve
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin colorful
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
new file mode 100644
index 000000000..8d9de93bb
--- /dev/null
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -0,0 +1,55 @@
+# Firejail profile for com.github.bleakgrey.tootle
+# Description: Gtk Mastodon client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.bleakgrey.tootle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.bleakgrey.tootle
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Settings are immutable
+# dbus-user filter
+# dbus-user.own com.github.bleakgrey.tootle
+# dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
new file mode 100644
index 000000000..e7aa32be9
--- /dev/null
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -0,0 +1,66 @@
+# Firejail profile for com.github.dahenson.agenda
+# Description: Simple, fast, no-nonsense to-do (task) list
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.dahenson.agenda.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/agenda
+noblacklist ${HOME}/.config/agenda
+noblacklist ${HOME}/.local/share/agenda
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/agenda
+mkdir ${HOME}/.config/agenda
+mkdir ${HOME}/.local/share/agenda
+whitelist ${HOME}/.cache/agenda
+whitelist ${HOME}/.config/agenda
+whitelist ${HOME}/.local/share/agenda
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.dahenson.agenda
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.dahenson.agenda
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/agenda
+read-write ${HOME}/.config/agenda
+read-write ${HOME}/.local/share/agenda
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
new file mode 100644
index 000000000..aa9a19fcb
--- /dev/null
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -0,0 +1,63 @@
+# Firejail profile for foliate
+# Description: Simple and modern GTK eBook reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include foliate.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
+mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
+whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/com.github.johnfactotum.Foliate
+whitelist /usr/share/hyphen
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.johnfactotum.Foliate,gjs
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-3.0
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
+read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
new file mode 100644
index 000000000..b10d1b5b0
--- /dev/null
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -0,0 +1,61 @@
+# Firejail profile for com.github.phase1geo.minder
+# Description: Mind-mapping application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.phase1geo.minder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/minder
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/minder
+whitelist ${HOME}/.local/share/minder
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.phase1geo.minder
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.phase1geo.minder
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
new file mode 100644
index 000000000..1e37da602
--- /dev/null
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for newsflash
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.gitlab.newsflash.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include newsflash.profile
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile
new file mode 100644
index 000000000..38edf0d21
--- /dev/null
+++ b/etc/profile-a-l/conkeror.profile
@@ -0,0 +1,36 @@
+# Firejail profile for conkeror
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conkeror.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.conkeror.mozdev.org
+
+include disable-common.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.conkeror.mozdev.org
+mkfile ${HOME}/.conkerorrc
+whitelist ${HOME}/.conkeror.mozdev.org
+whitelist ${HOME}/.conkerorrc
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+
+disable-mnt
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
new file mode 100644
index 000000000..7ccc101bf
--- /dev/null
+++ b/etc/profile-a-l/conky.profile
@@ -0,0 +1,46 @@
+# Firejail profile for conky
+# Description: Highly configurable system monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conky.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/conplay.profile b/etc/profile-a-l/conplay.profile
new file mode 100644
index 000000000..d0ad7c753
--- /dev/null
+++ b/etc/profile-a-l/conplay.profile
@@ -0,0 +1,16 @@
+# Firejail profile for conplay
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include conplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+## system-wide profile
+#+ overrides
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
new file mode 100644
index 000000000..537381f64
--- /dev/null
+++ b/etc/profile-a-l/corebird.profile
@@ -0,0 +1,38 @@
+# Firejail profile for corebird
+# Description: Native Gtk+ Twitter client for the Linux desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include corebird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/corebird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin corebird
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
new file mode 100644
index 000000000..351ca0dab
--- /dev/null
+++ b/etc/profile-a-l/cower.profile
@@ -0,0 +1,49 @@
+# Firejail profile for cower
+# Description: a simple AUR agent with a pretentious name
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cower.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cower
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# This profile could be significantly strengthened by adding the following to cower.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.config/cower
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin cower
+private-cache
+private-dev
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}/.config/cower/config
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
new file mode 100644
index 000000000..03218d85a
--- /dev/null
+++ b/etc/profile-a-l/coyim.profile
@@ -0,0 +1,49 @@
+# Firejail profile for coyim
+# Description: GTK Jabber client written in Go
+# This file is overwritten after every install/update
+# Persistent local customizations
+include coyim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/coyim
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/coyim
+whitelist ${HOME}/.config/coyim
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
new file mode 100644
index 000000000..bdc4f21a6
--- /dev/null
+++ b/etc/profile-a-l/cpio.profile
@@ -0,0 +1,14 @@
+# Firejail profile for cpio
+# Description: A program to manage archives of files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cpio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-a-l/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile
new file mode 100644
index 000000000..2e24429fd
--- /dev/null
+++ b/etc/profile-a-l/crawl-tiles.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for crawl
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-titles.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore no3d
+
+# Redirect
+include crawl.profile
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
new file mode 100644
index 000000000..7cbbcd8d3
--- /dev/null
+++ b/etc/profile-a-l/crawl.profile
@@ -0,0 +1,47 @@
+# Firejail profile for crawl-tiles
+# Description: Roguelike dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-tiles.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.crawl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.crawl
+whitelist ${HOME}/.crawl
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin crawl,crawl-tiles
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
new file mode 100644
index 000000000..177abf829
--- /dev/null
+++ b/etc/profile-a-l/crow.profile
@@ -0,0 +1,46 @@
+# Firejail profile for crow
+# Description: A translator that allows to translate and say selected text using Google, Yandex and Bing translate API
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crow.local
+# Persistent global definitions
+include globals.local
+
+mkdir ${HOME}/.config/crow
+mkdir ${HOME}/.cache/gstreamer-1.0
+whitelist ${HOME}/.config/crow
+whitelist ${HOME}/.cache/gstreamer-1.0
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin crow
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-opt none
+private-tmp
+private-srv none
+
diff --git a/etc/profile-a-l/cryptocat.profile b/etc/profile-a-l/cryptocat.profile
new file mode 100644
index 000000000..5362e7a6a
--- /dev/null
+++ b/etc/profile-a-l/cryptocat.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Cryptocat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cryptocat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include Cryptocat.profile
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
new file mode 100644
index 000000000..448d8b655
--- /dev/null
+++ b/etc/profile-a-l/curl.profile
@@ -0,0 +1,57 @@
+# Firejail profile for curl
+# Description: Command line tool for transferring data with URL syntax
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include curl.local
+# Persistent global definitions
+include globals.local
+
+# curl 7.74.0 introduces experimental support for HSTS cache
+# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
+# Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts.
+# If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact.
+noblacklist ${HOME}/.curl-hsts
+noblacklist ${HOME}/.curlrc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local.
+#include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin curl
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/cvlc.profile b/etc/profile-a-l/cvlc.profile
index 81ccbc530..56c0d965c 100644
--- a/etc/cvlc.profile
+++ b/etc/profile-a-l/cvlc.profile
@@ -1,12 +1,13 @@
 # Firejail profile for cvlc
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/cvlc.local
+include cvlc.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included profile
+#include globals.local
 
 # cvlc doesn't like private-bin
 ignore private-bin
 
 # Redirect
-include /etc/firejail/vlc.profile
+include vlc.profile
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
new file mode 100644
index 000000000..d1fff0004
--- /dev/null
+++ b/etc/profile-a-l/cyberfox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for cyberfox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cyberfox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.8pecxstudios
+noblacklist ${HOME}/.cache/8pecxstudios
+
+mkdir ${HOME}/.8pecxstudios
+mkdir ${HOME}/.cache/8pecxstudios
+whitelist ${HOME}/.8pecxstudios
+whitelist ${HOME}/.cache/8pecxstudios
+
+# private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
+# private-etc must first be enabled in firefox-common.profile
+#private-etc cyberfox
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
new file mode 100644
index 000000000..0e4b8d475
--- /dev/null
+++ b/etc/profile-a-l/d-feet.profile
@@ -0,0 +1,56 @@
+# Firejail profile for d-feet
+# Description: D-Bus debugger for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include d-feet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/d-feet
+
+# Allow python (disabled by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/d-feet
+whitelist ${HOME}/.config/d-feet
+whitelist /usr/share/d-feet
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin d-feet,python*
+private-cache
+private-dev
+private-etc alternatives,dbus-1,fonts,machine-id
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
new file mode 100644
index 000000000..a3590281c
--- /dev/null
+++ b/etc/profile-a-l/darktable.profile
@@ -0,0 +1,40 @@
+# Firejail profile for darktable
+# Description: Virtual lighttable and darkroom for photographers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include darktable.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/darktable
+noblacklist ${HOME}/.config/darktable
+noblacklist ${PICTURES}
+
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin darktable
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
new file mode 100644
index 000000000..768f1ac2c
--- /dev/null
+++ b/etc/profile-a-l/dbus-send.profile
@@ -0,0 +1,59 @@
+# Firejail profile for dbus-send
+# Description: Send a message to a message bus
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dbus-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# Breaks abstract sockets
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin dbus-send
+private-cache
+private-dev
+private-etc alternatives,dbus-1
+private-lib libpcre*
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
new file mode 100644
index 000000000..f57063ab6
--- /dev/null
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -0,0 +1,53 @@
+# Firejail profile for dconf-editor
+# Description: dconf configuration editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf-editor.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.local/share/glib-2.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none - breaks application on older versions
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin dconf-editor
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-lib
+private-tmp
+
+dbus-user filter
+dbus-user.own ca.desrt.dconf-editor
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
new file mode 100644
index 000000000..8b7c86789
--- /dev/null
+++ b/etc/profile-a-l/dconf.profile
@@ -0,0 +1,53 @@
+# Firejail profile for dconf
+# Description: Configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.local/share/glib-2.0
+# dconf paths are whitelisted by the following
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin dconf,gsettings
+private-cache
+private-dev
+private-etc alternatives,dconf
+private-lib
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ddgr.profile b/etc/profile-a-l/ddgr.profile
new file mode 100644
index 000000000..b1d41ddf7
--- /dev/null
+++ b/etc/profile-a-l/ddgr.profile
@@ -0,0 +1,13 @@
+# Firejail profile for ddgr
+# Description: Search DuckDuckGo from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ddgr.local
+# Persistent global definitions
+include globals.local
+
+private-bin ddgr
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
new file mode 100644
index 000000000..701755d93
--- /dev/null
+++ b/etc/profile-a-l/ddgtk.profile
@@ -0,0 +1,54 @@
+# Firejail profile for ddgtk
+# Description: A frontend GUI to dd for making bootable USB disks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ddgtk.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist /usr/share/ddgtk
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 3367aa8f4..d9ff941da 100644
--- a/etc/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -1,24 +1,30 @@
 # Firejail profile for deadbeef
+# Description: A GTK+ audio player for GNU/Linux
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/deadbeef.local
+include deadbeef.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/deadbeef
+noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 no3d
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -27,5 +33,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
new file mode 100644
index 000000000..0d8c224d7
--- /dev/null
+++ b/etc/profile-a-l/default.profile
@@ -0,0 +1,61 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include default.local
+# Persistent global definitions
+include globals.local
+
+# generic GUI profile
+# depending on your usage, you can enable some of the commands below:
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-programs.inc
+# include disable-shell.inc
+# include disable-write-mnt.inc
+# include disable-xdg.inc
+
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+# ipc-namespace
+# machine-id
+# net none
+netfilter
+# no3d
+# nodvd
+# nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+# nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# shell none
+# tracelog
+
+# disable-mnt
+# private
+# private-bin program
+# private-cache
+# private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# private-lib
+# private-opt none
+# private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
new file mode 100644
index 000000000..3697243e0
--- /dev/null
+++ b/etc/profile-a-l/deluge.profile
@@ -0,0 +1,46 @@
+# Firejail profile for deluge
+# Description: BitTorrent client written in Python/PyGTK
+# This file is overwritten after every install/update
+# Persistent local customizations
+include deluge.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/deluge
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/deluge
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/deluge
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+# deluge is using python on Debian
+private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
new file mode 100644
index 000000000..5175146db
--- /dev/null
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -0,0 +1,45 @@
+# Firejail profile for desktopeditors
+# Description: ONLYOFFICE DesktopEditors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include desktopeditors.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onlyoffice
+noblacklist ${HOME}/.local/share/onlyoffice
+noblacklist ${HOME}/.pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin desktopeditors,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
new file mode 100644
index 000000000..a416bc27e
--- /dev/null
+++ b/etc/profile-a-l/devhelp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for devhelp
+# Description: API documentation browser for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devhelp.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/devhelp
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+# net none - makes settings immutable
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devhelp
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+read-only ${HOME}
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
new file mode 100644
index 000000000..89c8e1ae8
--- /dev/null
+++ b/etc/profile-a-l/devilspie.profile
@@ -0,0 +1,59 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devilspie.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.devilspie
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.devilspie
+whitelist ${HOME}/.devilspie
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc alternatives
+private-lib gconv
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/devilspie2.profile b/etc/profile-a-l/devilspie2.profile
new file mode 100644
index 000000000..9eab3f536
--- /dev/null
+++ b/etc/profile-a-l/devilspie2.profile
@@ -0,0 +1,24 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include devilspie2.local
+# Persistent global definitions
+#include globals.local
+
+blacklist ${HOME}/.devilspie
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/devilspie2
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+mkdir ${HOME}/.config/devilspie2
+whitelist ${HOME}/.config/devilspie2
+
+private-bin devilspie2
+
+# Redirect
+include devilspie.profile
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
new file mode 100644
index 000000000..9c1cf72f0
--- /dev/null
+++ b/etc/profile-a-l/dex2jar.profile
@@ -0,0 +1,42 @@
+# Firejail profile for dex2jar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dex2jar.local
+# Persistent global definitions
+include globals.local
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
new file mode 100644
index 000000000..902148756
--- /dev/null
+++ b/etc/profile-a-l/dia.profile
@@ -0,0 +1,57 @@
+# Firejail profile for dia
+# Description: Diagram editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dia.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dia
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private-bin dia
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
new file mode 100644
index 000000000..a925781af
--- /dev/null
+++ b/etc/profile-a-l/dig.profile
@@ -0,0 +1,59 @@
+# Firejail profile for dig
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dig.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#mkfile ${HOME}/.digrc - see #903
+whitelist ${HOME}/.digrc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,dig,sh
+private-dev
+# Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038).
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
new file mode 100644
index 000000000..41625e12e
--- /dev/null
+++ b/etc/profile-a-l/digikam.profile
@@ -0,0 +1,43 @@
+# Firejail profile for digikam
+# Description: Digital photo management application for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include digikam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/digikam
+noblacklist ${HOME}/.config/digikamrc
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${HOME}/.local/share/kxmlgui5/digikam
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+
+# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
new file mode 100644
index 000000000..276ee251a
--- /dev/null
+++ b/etc/profile-a-l/dillo.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dillo
+# Description: Small and fast web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dillo.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dillo
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.dillo
+mkdir ${HOME}/.fltk
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.dillo
+whitelist ${HOME}/.fltk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
new file mode 100644
index 000000000..ae0549d3e
--- /dev/null
+++ b/etc/profile-a-l/dino-im.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dino-im
+# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dino-im.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Add Ubuntu specific binary name
+private-bin dino-im
+
+# Redirect
+include dino.profile
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
new file mode 100644
index 000000000..b1a9550f1
--- /dev/null
+++ b/etc/profile-a-l/dino.profile
@@ -0,0 +1,47 @@
+# Firejail profile for dino
+# Description: Modern XMPP Chat Client using GTK+/Vala
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dino.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/dino
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.local/share/dino
+whitelist ${HOME}/.local/share/dino
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin dino
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
new file mode 100644
index 000000000..43db95b8a
--- /dev/null
+++ b/etc/profile-a-l/discord-canary.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-canary
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-canary.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordcanary
+
+mkdir ${HOME}/.config/discordcanary
+whitelist ${HOME}/.config/discordcanary
+
+private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]
+private-opt discord-canary
+
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
new file mode 100644
index 000000000..2613027ba
--- /dev/null
+++ b/etc/profile-a-l/discord-common.profile
@@ -0,0 +1,32 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore disable-mnt
+ignore private-cache
+ignore dbus-user none
+ignore dbus-system none
+
+ignore noexec ${HOME}
+ignore novideo
+
+whitelist ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.local/share/betterdiscordctl
+
+private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+
+join-or-start discord
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
new file mode 100644
index 000000000..8ef02a30f
--- /dev/null
+++ b/etc/profile-a-l/discord.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discord
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+
+private-bin discord
+private-opt discord
+
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/display-im6.q16.profile b/etc/profile-a-l/display-im6.q16.profile
new file mode 100644
index 000000000..b80afc3fa
--- /dev/null
+++ b/etc/profile-a-l/display-im6.q16.profile
@@ -0,0 +1,10 @@
+# Firejail profile for display-im6.q16
+# This file is overwritten after every install/update
+# Persistent local customizations
+include display-im6.q16.local
+# Persistent global definitions
+include globals.local
+
+
+# Redirect
+include display.profile
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
new file mode 100644
index 000000000..0f134bd87
--- /dev/null
+++ b/etc/profile-a-l/display.profile
@@ -0,0 +1,47 @@
+# Firejail profile for display
+# This file is overwritten after every install/update
+# Persistent local customizations
+include display.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+# x11 xorg - problems on kubuntu 17.04
+
+private-bin display,python*
+private-dev
+# On Debian-based systems, display is a symlink in /etc/alternatives
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
new file mode 100644
index 000000000..51ba6f8b7
--- /dev/null
+++ b/etc/profile-a-l/dnox.profile
@@ -0,0 +1,22 @@
+# Firejail profile for dnox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dnox.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/dnox
+noblacklist ${HOME}/.config/dnox
+
+mkdir ${HOME}/.cache/dnox
+mkdir ${HOME}/.config/dnox
+whitelist ${HOME}/.cache/dnox
+whitelist ${HOME}/.config/dnox
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
new file mode 100644
index 000000000..906089663
--- /dev/null
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -0,0 +1,54 @@
+# Firejail profile for dnscrypt-proxy
+# Description: Tool for securing communications between a client and a DNS resolver
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dnscrypt-proxy.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/dnscrypt-proxy
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+noinput
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+shell none
+tracelog
+
+disable-mnt
+private
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
+
+# mdwe can break modules/plugins
+memory-deny-write-execute
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
new file mode 100644
index 000000000..2db1548a4
--- /dev/null
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -0,0 +1,37 @@
+# Firejail profile for dnsmasq
+# Description: Small caching DNS proxy and DHCP/TFTP server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dnsmasq.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
+no3d
+nodvd
+noinput
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+private
+private-cache
+private-dev
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
new file mode 100644
index 000000000..ac86ef75a
--- /dev/null
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -0,0 +1,63 @@
+# Firejail profile for dolphin-emu
+# Description: An emulator for Gamecube and Wii games
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin-emu.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in your dolphin-emu.local.
+
+noblacklist ${HOME}/.cache/dolphin-emu
+noblacklist ${HOME}/.config/dolphin-emu
+noblacklist ${HOME}/.local/share/dolphin-emu
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/dolphin-emu
+mkdir ${HOME}/.config/dolphin-emu
+mkdir ${HOME}/.local/share/dolphin-emu
+whitelist ${HOME}/.cache/dolphin-emu
+whitelist ${HOME}/.config/dolphin-emu
+whitelist ${HOME}/.local/share/dolphin-emu
+whitelist /usr/share/dolphin-emu
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# Add the next line to your dolphin-emu.local if you do not need NetPlay support.
+# net none
+netfilter
+# Add the next line to your dolphin-emu.local if you do not need disc support.
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,bluetooth
+seccomp
+shell none
+tracelog
+
+private-bin bash,dolphin-emu,dolphin-emu-x11,sh
+private-cache
+# Add the next line to your dolphin-emu.local if you do not need controller support.
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile
new file mode 100644
index 000000000..e0300a577
--- /dev/null
+++ b/etc/profile-a-l/dolphin.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dolphin
+# Description: File manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your dolphin.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
+
+join-or-start dolphin
diff --git a/etc/profile-a-l/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile
new file mode 100644
index 000000000..99cf0f7f8
--- /dev/null
+++ b/etc/profile-a-l/dooble-qt4.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for dooble
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dooble-qt4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include dooble.profile
diff --git a/etc/dooble.profile b/etc/profile-a-l/dooble.profile
index 2a57b0ef3..f1b630ac8 100644
--- a/etc/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -1,30 +1,34 @@
 # Firejail profile for dooble
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/dooble-qt4.local
+include dooble.local
+# Backward compatibility
+include dooble-qt4.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+include globals.local
 
 noblacklist ${HOME}/.dooble
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.dooble
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.dooble
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
@@ -35,5 +39,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
new file mode 100644
index 000000000..ad7049d3d
--- /dev/null
+++ b/etc/profile-a-l/dosbox.profile
@@ -0,0 +1,44 @@
+# Firejail profile for dosbox
+# Description: x86 emulator with Tandy/Herc/CGA/EGA/VGA/SVGA graphics, sound and DOS
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dosbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.dosbox
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin dosbox
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
new file mode 100644
index 000000000..26243ab4e
--- /dev/null
+++ b/etc/profile-a-l/dragon.profile
@@ -0,0 +1,41 @@
+# Firejail profile for dragon
+# Description: A multimedia player where the focus is on simplicity, instead of features
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dragon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/dragonplayerrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/dragonplayer
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin dragon
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
new file mode 100644
index 000000000..6d5e2501f
--- /dev/null
+++ b/etc/profile-a-l/drawio.profile
@@ -0,0 +1,54 @@
+# Firejail profile for drawio
+# Description: Diagram drawing application built on web technology - desktop version
+# This file is overwritten after every install/update
+# Persistent local customizations
+include drawio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/draw.io
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin drawio
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
new file mode 100644
index 000000000..2a09270f7
--- /dev/null
+++ b/etc/profile-a-l/drill.profile
@@ -0,0 +1,55 @@
+# Firejail profile for drill
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include drill.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/drill
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,drill,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
new file mode 100644
index 000000000..73d9cfbbc
--- /dev/null
+++ b/etc/profile-a-l/dropbox.profile
@@ -0,0 +1,49 @@
+# Firejail profile for dropbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dropbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.dropbox
+noblacklist ${HOME}/.dropbox-dist
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.dropbox
+mkdir ${HOME}/.dropbox-dist
+mkdir ${HOME}/Dropbox
+mkfile ${HOME}/.config/autostart/dropbox.desktop
+whitelist ${HOME}/.config/autostart/dropbox.desktop
+whitelist ${HOME}/.dropbox
+whitelist ${HOME}/.dropbox-dist
+whitelist ${HOME}/Dropbox
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec /tmp
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
new file mode 100644
index 000000000..fd7f252b6
--- /dev/null
+++ b/etc/profile-a-l/easystroke.profile
@@ -0,0 +1,56 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include easystroke.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.easystroke
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.easystroke
+whitelist ${HOME}/.easystroke
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# breaks custom shell command functionality
+#private-bin bash,easystroke,sh
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+# breaks custom shell command functionality
+#private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ebook-convert.profile b/etc/profile-a-l/ebook-convert.profile
new file mode 100644
index 000000000..988ba90fc
--- /dev/null
+++ b/etc/profile-a-l/ebook-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-convert.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-edit.profile b/etc/profile-a-l/ebook-edit.profile
new file mode 100644
index 000000000..3b5fee0a8
--- /dev/null
+++ b/etc/profile-a-l/ebook-edit.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-edit.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-meta.profile b/etc/profile-a-l/ebook-meta.profile
new file mode 100644
index 000000000..594a8e241
--- /dev/null
+++ b/etc/profile-a-l/ebook-meta.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-meta.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-polish.profile b/etc/profile-a-l/ebook-polish.profile
new file mode 100644
index 000000000..ad94e32a2
--- /dev/null
+++ b/etc/profile-a-l/ebook-polish.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-polish.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/ebook-viewer.profile b/etc/profile-a-l/ebook-viewer.profile
new file mode 100644
index 000000000..706aec737
--- /dev/null
+++ b/etc/profile-a-l/ebook-viewer.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ebook-viewer.local
+
+net none
+dbus-user none
+dbus-system none
+
+# Redirect
+include calibre.profile
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
new file mode 100644
index 000000000..9aac3f570
--- /dev/null
+++ b/etc/profile-a-l/electron-mail.profile
@@ -0,0 +1,56 @@
+# Firejail profile for electron-mail
+# Description: Unofficial desktop app for several E2E encrypted email providers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-mail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/electron-mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/electron-mail
+whitelist ${HOME}/.config/electron-mail
+whitelist ${DOWNLOADS}
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin electron-mail
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+private-opt ElectronMail
+private-tmp
+
+# breaks tray functionality
+# dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
new file mode 100644
index 000000000..05ae7e16d
--- /dev/null
+++ b/etc/profile-a-l/electron.profile
@@ -0,0 +1,40 @@
+# Firejail profile for electron
+# Description: Build cross platform desktop apps with web technologies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
new file mode 100644
index 000000000..1647f2bc4
--- /dev/null
+++ b/etc/profile-a-l/electrum.profile
@@ -0,0 +1,54 @@
+# Firejail profile for electrum
+# Description: Lightweight Bitcoin wallet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electrum.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.electrum
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.electrum
+whitelist ${HOME}/.electrum
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin electrum,python*
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
new file mode 100644
index 000000000..48a826f2e
--- /dev/null
+++ b/etc/profile-a-l/element-desktop.profile
@@ -0,0 +1,24 @@
+# Firejail profile for element-desktop
+# Description: All-in-one secure chat app for teams, friends and organisations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include element-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/Element
+
+mkdir ${HOME}/.config/Element
+whitelist ${HOME}/.config/Element
+whitelist /opt/Element
+
+private-opt Element
+
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+
+# Redirect
+include riot-desktop.profile
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
new file mode 100644
index 000000000..5a29eb24b
--- /dev/null
+++ b/etc/profile-a-l/elinks.profile
@@ -0,0 +1,18 @@
+# Firejail profile for elinks
+# Description: Advanced text-mode WWW browser
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include elinks.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.elinks
+
+mkdir ${HOME}/.elinks
+whitelist ${HOME}/.elinks
+
+private-bin elinks
+
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
new file mode 100644
index 000000000..7e9be653d
--- /dev/null
+++ b/etc/profile-a-l/emacs.profile
@@ -0,0 +1,32 @@
+# Firejail profile for emacs
+# Description: GNU Emacs editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include emacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+# Add the next line to your emacs.local if you need gpg support.
+#noblacklist ${HOME}/.gnupg
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+
+read-write ${HOME}/.emacs
+read-write ${HOME}/.emacs.d
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
new file mode 100644
index 000000000..03fd9033a
--- /dev/null
+++ b/etc/profile-a-l/email-common.profile
@@ -0,0 +1,84 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+noblacklist ${HOME}/Mail
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.config/mimeapps.list
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+# encrypting and signing email
+writable-run-user
+
+dbus-system none
+
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+#noblacklist /var/mail
+#noblacklist /var/spool/mail
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.signature
diff --git a/etc/empathy.profile b/etc/profile-a-l/empathy.profile
index b2cfa369c..5ca640d30 100644
--- a/etc/empathy.profile
+++ b/etc/profile-a-l/empathy.profile
@@ -1,14 +1,16 @@
 # Firejail profile for empathy
+# Description: GNOME multi-protocol chat and call client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/empathy.local
+include empathy.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -19,3 +21,6 @@ noroot
 notv
 protocol unix,inet,inet6
 seccomp
+
+private-cache
+private-tmp
diff --git a/etc/profile-a-l/enchant-2.profile b/etc/profile-a-l/enchant-2.profile
new file mode 100644
index 000000000..32cc0e691
--- /dev/null
+++ b/etc/profile-a-l/enchant-2.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include enchant.profile
diff --git a/etc/profile-a-l/enchant-lsmod-2.profile b/etc/profile-a-l/enchant-lsmod-2.profile
new file mode 100644
index 000000000..a7199955e
--- /dev/null
+++ b/etc/profile-a-l/enchant-lsmod-2.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-lsmod-2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-lsmod-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include enchant.profile
diff --git a/etc/profile-a-l/enchant-lsmod.profile b/etc/profile-a-l/enchant-lsmod.profile
new file mode 100644
index 000000000..ba4353d15
--- /dev/null
+++ b/etc/profile-a-l/enchant-lsmod.profile
@@ -0,0 +1,10 @@
+# Firejail profile for enchant-lsmod
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant-lsmod.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include enchant.profile
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
new file mode 100644
index 000000000..dc383984e
--- /dev/null
+++ b/etc/profile-a-l/enchant.profile
@@ -0,0 +1,58 @@
+# Firejail profile for enchant
+# Description: Wrapper for various spell checker engines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enchant.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/enchant
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/enchant
+whitelist ${HOME}/.config/enchant
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin enchant,enchant-*
+private-cache
+private-dev
+private-etc alternatives
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
new file mode 100644
index 000000000..1aca416d8
--- /dev/null
+++ b/etc/profile-a-l/engrampa.profile
@@ -0,0 +1,41 @@
+# Firejail profile for engrampa
+# Description: Archive manager for MATE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include engrampa.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin engrampa
+private-dev
+# private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
new file mode 100644
index 000000000..d982433e2
--- /dev/null
+++ b/etc/profile-a-l/enox.profile
@@ -0,0 +1,24 @@
+# Firejail profile for enox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include enox.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/Enox
+noblacklist ${HOME}/.config/Enox
+
+#mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/Enox
+mkdir ${HOME}/.config/Enox
+whitelist ${HOME}/.cache/Enox
+whitelist ${HOME}/.config/Enox
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
new file mode 100644
index 000000000..0d0d6f083
--- /dev/null
+++ b/etc/profile-a-l/enpass.profile
@@ -0,0 +1,62 @@
+# Firejail profile for enpass
+# Description: A multiplatform password manager
+# This file is overwritten after every install/update.
+# Persistent local customisations
+include enpass.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Enpass
+noblacklist ${HOME}/.config/sinew.in
+noblacklist ${HOME}/.config/Sinew Software Systems
+noblacklist ${HOME}/.local/share/Enpass
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Enpass
+mkfile ${HOME}/.config/sinew.in
+mkdir ${HOME}/.config/Sinew Software Systems
+mkdir ${HOME}/.local/share/Enpass
+whitelist ${HOME}/.cache/Enpass
+whitelist ${HOME}/.config/sinew.in
+whitelist ${HOME}/.config/Sinew Software Systems
+whitelist ${HOME}/.local/share/Enpass
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+# machine-id and nosound break audio notification functionality.
+# Add the next lines to your enpass.local if you need that functionality.
+#ignore machine-id
+#ignore nosound
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin dirname,Enpass,importer_enpass,readlink,sh
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-opt Enpass
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
new file mode 100644
index 000000000..02112ef20
--- /dev/null
+++ b/etc/profile-a-l/eo-common.profile
@@ -0,0 +1,52 @@
+# Firejail profile for eo-common
+# Description: Common profile for Eye of GNOME/MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eo-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
+private-tmp
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
new file mode 100644
index 000000000..65e5c6e69
--- /dev/null
+++ b/etc/profile-a-l/eog.profile
@@ -0,0 +1,29 @@
+# Firejail profile for eog
+# Description: Eye of GNOME graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eog.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/eog
+
+whitelist /usr/share/eog
+
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
+# Add the next lines to your eog.local if you need that functionality.
+#ignore private-bin
+#ignore private-etc
+#ignore private-lib
+
+private-bin eog
+
+# broken on Debian 10 (buster) running LXDE got the following error:
+# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
+#dbus-user filter
+#dbus-user.own org.gnome.eog
+#dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+# Redirect
+include eo-common.profile
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile
new file mode 100644
index 000000000..7143a8e03
--- /dev/null
+++ b/etc/profile-a-l/eom.profile
@@ -0,0 +1,22 @@
+# Firejail profile for eom
+# Description: Eye of MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mate/eom
+
+whitelist /usr/share/eom
+
+# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
+# Add the next lines to your eom.local if you need that functionality.
+#ignore private-bin
+#ignore private-etc
+#ignore private-lib
+
+private-bin eom
+
+# Redirect
+include eo-common.profile
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
new file mode 100644
index 000000000..131d68951
--- /dev/null
+++ b/etc/profile-a-l/ephemeral.profile
@@ -0,0 +1,64 @@
+# Firejail profile for ephemeral
+# Description: The always-incognito web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ephemeral.local
+# Persistent global definitions
+include globals.local
+
+# enforce private-cache
+#noblacklist ${HOME}/.cache/ephemeral
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# enforce private-cache
+#mkdir ${HOME}/.cache/ephemeral
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+# enforce private-cache
+#whitelist ${HOME}/.cache/ephemeral
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+# breaks preferences
+# dbus-user none
+# dbus-system none
diff --git a/etc/epiphany.profile b/etc/profile-a-l/epiphany.profile
index 0f9a9cf55..225811226 100644
--- a/etc/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
@@ -1,17 +1,22 @@
 # Firejail profile for epiphany
+# Description: The GNOME Web browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/epiphany.local
+include epiphany.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
+
+# Note: Epiphany use bwrap since 3.34 and can not be firejailed any more.
+# See https://github.com/netblue30/firejail/issues/2995
 
 noblacklist ${HOME}/.cache/epiphany
 noblacklist ${HOME}/.config/epiphany
 noblacklist ${HOME}/.local/share/epiphany
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/epiphany
 mkdir ${HOME}/.config/epiphany
@@ -20,7 +25,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/epiphany
 whitelist ${HOME}/.config/epiphany
 whitelist ${HOME}/.local/share/epiphany
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
new file mode 100644
index 000000000..7566f7b50
--- /dev/null
+++ b/etc/profile-a-l/equalx.profile
@@ -0,0 +1,63 @@
+# Firejail profile for equalx
+# Description: A graphical editor for writing LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include equalx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/equalx
+noblacklist ${HOME}/.equalx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/equalx
+mkdir ${HOME}/.equalx
+whitelist ${HOME}/.config/equalx
+whitelist ${HOME}/.equalx
+whitelist /usr/share/poppler
+whitelist /usr/share/ghostscript
+whitelist /usr/share/texlive
+whitelist /usr/share/equalx
+whitelist /var/lib/texmf
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin equalx,gs,pdflatex,pdftocairo
+private-cache
+private-dev
+private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/et.profile b/etc/profile-a-l/et.profile
new file mode 100644
index 000000000..4e70bb114
--- /dev/null
+++ b/etc/profile-a-l/et.profile
@@ -0,0 +1,11 @@
+# Firejail profile for et
+# Description: WPS Office - Spreadsheets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wps.profile
diff --git a/etc/profile-a-l/etr-wrapper.profile b/etc/profile-a-l/etr-wrapper.profile
new file mode 100644
index 000000000..98f949918
--- /dev/null
+++ b/etc/profile-a-l/etr-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for etr-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include etr-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin etr-wrapper
+
+# Redirect
+include etr.profile
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
new file mode 100644
index 000000000..edeed69bf
--- /dev/null
+++ b/etc/profile-a-l/etr.profile
@@ -0,0 +1,56 @@
+# Firejail profile for etr
+# Description: High speed arctic racing game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include etr.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.etr
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.etr
+whitelist ${HOME}/.etr
+whitelist /usr/share/etr
+# Debian version
+whitelist /usr/share/games/etr
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin etr
+private-cache
+private-dev
+# private-etc alternatives,drirc,machine-id,openal,passwd
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/evince-previewer.profile b/etc/profile-a-l/evince-previewer.profile
new file mode 100644
index 000000000..3857d6f7b
--- /dev/null
+++ b/etc/profile-a-l/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include evince.profile
diff --git a/etc/profile-a-l/evince-thumbnailer.profile b/etc/profile-a-l/evince-thumbnailer.profile
new file mode 100644
index 000000000..080a04a52
--- /dev/null
+++ b/etc/profile-a-l/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include evince.profile
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
new file mode 100644
index 000000000..19ad5799c
--- /dev/null
+++ b/etc/profile-a-l/evince.profile
@@ -0,0 +1,67 @@
+# Firejail profile for evince
+# Description: Document (PostScript, PDF) viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evince.local
+# Persistent global definitions
+include globals.local
+
+# WARNING: using bookmarks possibly exposes information, including file history from other programs.
+# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
+#noblacklist ${HOME}/.local/share/gvfs-metadata
+
+noblacklist ${HOME}/.config/evince
+noblacklist ${DOCUMENTS}
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/doc
+whitelist /usr/share/evince
+whitelist /usr/share/poppler
+whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+# net none - breaks AppArmor on Ubuntu systems
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin evince,evince-previewer,evince-thumbnailer
+private-cache
+private-dev
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+# private-lib might break two-page-view on some systems
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-tmp
+
+# dbus-user filtering might break two-page-view on some systems
+dbus-user filter
+# Add the next two lines to your evince.local if you need bookmarks support.
+#dbus-user.talk org.gtk.vfs.Daemon
+#dbus-user.talk org.gtk.vfs.Metadata
+dbus-system none
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
new file mode 100644
index 000000000..a80327234
--- /dev/null
+++ b/etc/profile-a-l/evolution.profile
@@ -0,0 +1,46 @@
+# Firejail profile for evolution
+# Description: Groupware suite with mail client and organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include evolution.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/evolution
+noblacklist ${HOME}/.config/evolution
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/evolution
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+# no3d breaks under wayland
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+writable-var
diff --git a/etc/profile-a-l/exfalso.profile b/etc/profile-a-l/exfalso.profile
new file mode 100644
index 000000000..92e4395c5
--- /dev/null
+++ b/etc/profile-a-l/exfalso.profile
@@ -0,0 +1,15 @@
+# Firejail profile for exfalso
+# Description: GTK audio tag editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include exfalso.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
+
+dbus-user none
+
+# Redirect
+include quodlibet.profile
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
new file mode 100644
index 000000000..49a16f2f2
--- /dev/null
+++ b/etc/profile-a-l/exiftool.profile
@@ -0,0 +1,57 @@
+# Firejail profile for exiftool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include exiftool.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /usr/share/perl-image-exiftool
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool
+# to /usr/bin/exiftool and add the below to your exiftool.local.
+# Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening.
+#private-bin exiftool,perl
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
new file mode 100644
index 000000000..3911a8c75
--- /dev/null
+++ b/etc/profile-a-l/falkon.profile
@@ -0,0 +1,54 @@
+# Firejail profile for falkon
+# Description: Lightweight web browser based on Qt WebEngine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include falkon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/falkon
+noblacklist ${HOME}/.config/falkon
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/falkon
+mkdir ${HOME}/.config/falkon
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/falkon
+whitelist ${HOME}/.config/falkon
+whitelist /usr/share/falkon
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+# blacklisting of chroot system calls breaks falkon
+seccomp !chroot
+# tracelog
+
+disable-mnt
+# private-bin falkon
+private-cache
+private-dev
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+# dbus-user filter
+# dbus-user.own org.kde.Falkon
+dbus-system none
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
new file mode 100644
index 000000000..121c5ba26
--- /dev/null
+++ b/etc/profile-a-l/fbreader.profile
@@ -0,0 +1,39 @@
+# Firejail profile for fbreader
+# Description: E-book reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fbreader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.FBReader
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin fbreader,FBReader
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
new file mode 100644
index 000000000..25e1082ad
--- /dev/null
+++ b/etc/profile-a-l/fdns.profile
@@ -0,0 +1,49 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fdns.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+
+caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+#seccomp
+#shell none
+
+disable-mnt
+private
+private-bin bash,fdns,sh
+private-cache
+#private-dev
+private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+# private-lib
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
new file mode 100644
index 000000000..e45df21fc
--- /dev/null
+++ b/etc/profile-a-l/feedreader.profile
@@ -0,0 +1,59 @@
+# Firejail profile for feedreader
+# Description: RSS client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include feedreader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/feedreader
+noblacklist ${HOME}/.local/share/feedreader
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/feedreader
+mkdir ${HOME}/.local/share/feedreader
+whitelist ${HOME}/.cache/feedreader
+whitelist ${HOME}/.local/share/feedreader
+whitelist /usr/share/feedreader
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.FeedReader
+dbus-user.own org.gnome.FeedReader.ArticleView
+dbus-user.talk org.freedesktop.secrets
+# Enable as you need.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
new file mode 100644
index 000000000..690b39171
--- /dev/null
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include feh-network.inc.local
+
+ignore net none
+netfilter
+protocol unix,inet,inet6
+private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
new file mode 100644
index 000000000..0fdb1d3d3
--- /dev/null
+++ b/etc/profile-a-l/feh.profile
@@ -0,0 +1,43 @@
+# Firejail profile for feh
+# Description: imlib2 based image viewer
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include feh.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+# Add the next line to your feh.local to enable network access.
+#include feh-network.inc.profile
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin feh,jpegexiforient,jpegtran
+private-cache
+private-dev
+private-etc alternatives,feh
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
new file mode 100644
index 000000000..a2372ec8a
--- /dev/null
+++ b/etc/profile-a-l/ferdi.profile
@@ -0,0 +1,47 @@
+# Firejail profile for ferdi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ferdi.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/Ferdi
+noblacklist ${HOME}/.config/Ferdi
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/Ferdi
+mkdir ${HOME}/.config/Ferdi
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Ferdi
+whitelist ${HOME}/.config/Ferdi
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
new file mode 100644
index 000000000..babfeab61
--- /dev/null
+++ b/etc/profile-a-l/fetchmail.profile
@@ -0,0 +1,34 @@
+# Firejail profile for fetchmail
+# Description: SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fetchmail.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.fetchmailrc
+noblacklist ${HOME}/.netrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin bash,chmod,fetchmail,procmail
+private-dev
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
new file mode 100644
index 000000000..637e6fbf5
--- /dev/null
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -0,0 +1,57 @@
+# Firejail profile for ffmpeg
+# Description: Tools for transcoding, streaming and playing of multimedia files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffmpeg.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/devedeng
+whitelist /usr/share/ffmpeg
+whitelist /usr/share/qtchooser
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+# allow set_mempolicy, which is required to encode using libx265
+seccomp !set_mempolicy
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin ffmpeg
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/profile-a-l/ffmpegthumbnailer.profile b/etc/profile-a-l/ffmpegthumbnailer.profile
new file mode 100644
index 000000000..6d72c3b99
--- /dev/null
+++ b/etc/profile-a-l/ffmpegthumbnailer.profile
@@ -0,0 +1,18 @@
+# Firejail profile for ffmpegthumbnailer
+# Description: FFmpeg-based video thumbnailer
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffmpegthumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin ffmpegthumbnailer
+private-lib libffmpegthumbnailer.so.*
+
+# fix for ranger video thumbnails
+ignore private-cache
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
new file mode 100644
index 000000000..04134cbf4
--- /dev/null
+++ b/etc/profile-a-l/ffplay.profile
@@ -0,0 +1,20 @@
+# Firejail profile for ffplay
+# Description: FFmpeg-based media player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+protocol unix,inet,inet6
+ignore ipc-namespace
+ignore nogroups
+ignore nosound
+
+private-bin ffplay
+private-etc alsa,asound.conf,group
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-a-l/ffprobe.profile b/etc/profile-a-l/ffprobe.profile
new file mode 100644
index 000000000..e7c9f678d
--- /dev/null
+++ b/etc/profile-a-l/ffprobe.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ffprobe
+# Description: FFmpeg-based media prober
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ffprobe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore private-bin
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
new file mode 100644
index 000000000..dbae06f19
--- /dev/null
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -0,0 +1,52 @@
+# Firejail profile for file managers
+# Description: Common profile for GUI file managers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-manager-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# File managers need to be able to see everything under ${HOME}
+# and be able to start arbitrary applications
+
+ignore noexec ${HOME}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+#include disable-programs.inc
+
+allusers
+#apparmor
+caps.drop all
+#net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+
+#dbus-user none
+#dbus-system none
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
new file mode 100644
index 000000000..434466139
--- /dev/null
+++ b/etc/profile-a-l/file-roller.profile
@@ -0,0 +1,49 @@
+# Firejail profile for file-roller
+# Description: Archive manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-roller.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /usr/libexec/file-roller
+whitelist /usr/libexec/p7zip
+whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none - breaks on older Ubuntu versions
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,xdg
+# private-tmp
+
+dbus-system none
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
new file mode 100644
index 000000000..397120a0b
--- /dev/null
+++ b/etc/profile-a-l/file.profile
@@ -0,0 +1,47 @@
+# Firejail profile for file
+# Description: Recognize the type of data in a file using "magic" numbers
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include file.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+hostname file
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+#private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
+private-cache
+private-dev
+#private-etc alternatives,localtime,magic,magic.mgc
+#private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.*
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
new file mode 100644
index 000000000..dc5def54f
--- /dev/null
+++ b/etc/profile-a-l/filezilla.profile
@@ -0,0 +1,44 @@
+# Firejail profile for filezilla
+# Description: Full-featured graphical FTP/FTPS/SFTP client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include filezilla.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/filezilla
+noblacklist ${HOME}/.filezilla
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+# private-bin breaks --join if the user has zsh set as $SHELL - adding zsh on private-bin
+private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
new file mode 100644
index 000000000..77487161e
--- /dev/null
+++ b/etc/profile-a-l/firedragon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for FireDragon
+# Description: Librewolf fork with enhanced KDE integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firedragon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/firedragon
+noblacklist ${HOME}/.firedragon
+
+mkdir ${HOME}/.cache/firedragon
+mkdir ${HOME}/.firedragon
+whitelist ${HOME}/.cache/firedragon
+whitelist ${HOME}/.firedragon
+
+# Add the next lines to your firedragon.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# FireDragon requires a shell to launch on Arch. We can possibly remove sh though.
+# Add the next line to your firedragon.local to enable private-bin.
+#private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/firefox-beta.profile b/etc/profile-a-l/firefox-beta.profile
new file mode 100644
index 000000000..fa8bbb1f5
--- /dev/null
+++ b/etc/profile-a-l/firefox-beta.profile
@@ -0,0 +1,10 @@
+# Firejail profile for firefox-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-beta.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
new file mode 100644
index 000000000..b2b7c362a
--- /dev/null
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -0,0 +1,93 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include firefox-common-addons.local
+
+ignore whitelist ${RUNUSER}/*firefox*
+ignore include whitelist-runuser-common.inc
+ignore private-cache
+
+noblacklist ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.netrc
+
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/kget
+whitelist ${HOME}/.local/share/kxmlgui5/okular
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.local/share/tridactyl
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.tridactylrc
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
+whitelist /usr/share/vulkan
+
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python
+noblacklist ${HOME}/.local/share/gnome-shell
+whitelist ${HOME}/.local/share/gnome-shell
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.ChromeGnomeShell
+dbus-user.talk org.gnome.Shell
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# KeePassXC Browser Integration
+#private-bin keepassxc-proxy
+
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe
+
+# ff2mpv
+#ignore noexec ${HOME}
+#include allow-lua.inc
+#private-bin env,mpv,python3*,waf,youtube-dl
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
new file mode 100644
index 000000000..20ae039aa
--- /dev/null
+++ b/etc/profile-a-l/firefox-common.profile
@@ -0,0 +1,64 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
+#include firefox-common-addons.profile
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
+seccomp !chroot
+shell none
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
+#tracelog
+
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# Add it to your firefox-common.local if you want to enable it.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
+# Gnome connector, KDE connect and power management on KDE Plasma.
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile
new file mode 100644
index 000000000..8c7ca3887
--- /dev/null
+++ b/etc/profile-a-l/firefox-developer-edition.profile
@@ -0,0 +1,11 @@
+# Firejail profile for firefox-developer-edition
+# Description: Developer Edition of the popular Firefox web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-developer-edition.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include firefox.profile
diff --git a/etc/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile
index 9821c7150..5e69fdb51 100644
--- a/etc/firefox-esr.profile
+++ b/etc/profile-a-l/firefox-esr.profile
@@ -1,10 +1,12 @@
 # Firejail profile for firefox-esr
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-esr.local
+include firefox-esr.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+# added by included profile
+#include globals.local
 
+whitelist /usr/share/firefox-esr
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile
diff --git a/etc/firefox-nightly.profile b/etc/profile-a-l/firefox-nightly.profile
index 302f6eb24..96d2bf898 100644
--- a/etc/firefox-nightly.profile
+++ b/etc/profile-a-l/firefox-nightly.profile
@@ -1,10 +1,10 @@
 # Firejail profile for firefox-nightly
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/firefox-nightly.local
+include firefox-nightly.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+# added by included profile
+#include globals.local
 
 # Redirect
-include /etc/firejail/firefox.profile
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-wayland.profile b/etc/profile-a-l/firefox-wayland.profile
new file mode 100644
index 000000000..17c9f059e
--- /dev/null
+++ b/etc/profile-a-l/firefox-wayland.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for firefox-wayland
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-wayland.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox-x11.profile b/etc/profile-a-l/firefox-x11.profile
new file mode 100644
index 000000000..ffd64aad7
--- /dev/null
+++ b/etc/profile-a-l/firefox-x11.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for firefox-x11
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
new file mode 100644
index 000000000..9138fed90
--- /dev/null
+++ b/etc/profile-a-l/firefox.profile
@@ -0,0 +1,69 @@
+# Firejail profile for firefox
+# Description: Safe and easy web browser from Mozilla
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox.local
+# Persistent global definitions
+include globals.local
+
+# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# interested in creating custom profiles depending on use case (e.g. one for
+# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
+# info. Here are a few links to get you going.
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
+# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
+# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+noblacklist ${RUNUSER}/*firefox*
+
+blacklist /usr/libexec
+
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.mozilla
+
+# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
+# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/firefox
+whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+whitelist ${RUNUSER}/*firefox*
+include whitelist-usr-share-common.inc
+
+# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
+#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
+# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too.
+#private-etc firefox
+
+dbus-user filter
+dbus-user.own org.mozilla.Firefox.*
+dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mpris.MediaPlayer2.firefox.*
+# Add the next line to your firefox.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your firefox.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your firefox.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your firefox.local to allow screen sharing under wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Add the next line to your firefox.local if screen sharing sharing still does not work
+# with the above lines (might depend on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile
new file mode 100644
index 000000000..2c86d3ac7
--- /dev/null
+++ b/etc/profile-a-l/five-or-more.profile
@@ -0,0 +1,21 @@
+# Firejail profile for five-or-more
+# Description: GNOME port of the once-popular Colour Lines game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include five-or-more.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/five-or-more
+
+mkdir ${HOME}/.local/share/five-or-more
+whitelist ${HOME}/.local/share/five-or-more
+
+whitelist /usr/share/five-or-more
+
+private-bin five-or-more
+
+dbus-user.own org.gnome.five-or-more
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/flacsplt.profile b/etc/profile-a-l/flacsplt.profile
new file mode 100644
index 000000000..2efef0f22
--- /dev/null
+++ b/etc/profile-a-l/flacsplt.profile
@@ -0,0 +1,6 @@
+# Firejail profile for flacsplt
+# This file is overwritten after every install/update
+include flacsplt.local
+
+# Redirect
+include mp3splt.profile
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
new file mode 100644
index 000000000..e9241efc3
--- /dev/null
+++ b/etc/profile-a-l/flameshot.profile
@@ -0,0 +1,68 @@
+# Firejail profile for flameshot
+# Description: Powerful yet simple-to-use screenshot software
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include flameshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.config/Dharkael
+noblacklist ${HOME}/.config/flameshot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#mkdir ${HOME}/.config/Dharkael
+#mkdir ${HOME}/.config/flameshot
+#whitelist ${PICTURES}
+#whitelist ${HOME}/.config/Dharkael
+#whitelist ${HOME}/.config/flameshot
+whitelist /usr/share/flameshot
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin flameshot
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
+private-dev
+#private-tmp
+
+dbus-user filter
+dbus-user.own org.dharkael.Flameshot
+dbus-user.own org.flameshot.Flameshot
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.portal.Desktop
+dbus-user.talk org.gnome.Shell
+dbus-user.talk org.kde.KWin
+dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.kde.*
+dbus-system none
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
new file mode 100644
index 000000000..310fb378f
--- /dev/null
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -0,0 +1,22 @@
+# Firejail profile for flashpeak-slimjet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include flashpeak-slimjet.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/slimjet
+noblacklist ${HOME}/.config/slimjet
+
+mkdir ${HOME}/.cache/slimjet
+mkdir ${HOME}/.config/slimjet
+whitelist ${HOME}/.cache/slimjet
+whitelist ${HOME}/.config/slimjet
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/flowblade.profile b/etc/profile-a-l/flowblade.profile
index 79dab0751..bc173d0f1 100644
--- a/etc/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -1,31 +1,38 @@
 # Firejail profile for flowblade
+# Description: Non-linear video editor
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/flowblade.local
+include flowblade.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
new file mode 100644
index 000000000..1210f365c
--- /dev/null
+++ b/etc/profile-a-l/fluxbox.profile
@@ -0,0 +1,18 @@
+# Firejail profile for fluxbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fluxbox.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in fluxbox will run in this profile
+noblacklist ${HOME}/.fluxbox
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
new file mode 100644
index 000000000..02db368b7
--- /dev/null
+++ b/etc/profile-a-l/font-manager.profile
@@ -0,0 +1,57 @@
+# Firejail profile for font-manager
+# Description: A simple font management application for GTK desktop environments
+# This file is overwritten after every install/update
+# Persistent local customizations
+include font-manager.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/font-manager
+noblacklist ${HOME}/.config/font-manager
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/font-manager
+mkdir ${HOME}/.config/font-manager
+whitelist ${HOME}/.cache/font-manager
+whitelist ${HOME}/.config/font-manager
+whitelist /usr/share/font-manager
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none - issues on older versions
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin font-manager,python*,yelp
+private-dev
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
new file mode 100644
index 000000000..6020464b3
--- /dev/null
+++ b/etc/profile-a-l/fontforge.profile
@@ -0,0 +1,41 @@
+# Firejail profile for fontforge
+# Description: Font editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fontforge.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.FontForge
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/fossamail.profile b/etc/profile-a-l/fossamail.profile
new file mode 100644
index 000000000..2d700d336
--- /dev/null
+++ b/etc/profile-a-l/fossamail.profile
@@ -0,0 +1,23 @@
+# Firejail profile for fossamail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fossamail.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/fossamail
+noblacklist ${HOME}/.fossamail
+noblacklist ${HOME}/.gnupg
+
+mkdir ${HOME}/.cache/fossamail
+mkdir ${HOME}/.fossamail
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.cache/fossamail
+whitelist ${HOME}/.fossamail
+whitelist ${HOME}/.gnupg
+include whitelist-common.inc
+
+# allow browsers
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/four-in-a-row.profile b/etc/profile-a-l/four-in-a-row.profile
new file mode 100644
index 000000000..eb0c43ca5
--- /dev/null
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -0,0 +1,19 @@
+# Firejail profile for four-in-a-row
+# Description: four-in-a-row game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include four-in-a-row.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/four-in-a-row
+
+private-bin four-in-a-row
+
+dbus-user.own org.gnome.Four-in-a-row
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
new file mode 100644
index 000000000..265eec1ca
--- /dev/null
+++ b/etc/profile-a-l/fractal.profile
@@ -0,0 +1,58 @@
+# Firejail profile for fractal
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fractal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/fractal
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/fractal
+whitelist ${HOME}/.cache/fractal
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin fractal
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Fractal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
new file mode 100644
index 000000000..9b780a572
--- /dev/null
+++ b/etc/profile-a-l/franz.profile
@@ -0,0 +1,47 @@
+# Firejail profile for franz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include franz.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/Franz
+noblacklist ${HOME}/.config/Franz
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/Franz
+mkdir ${HOME}/.config/Franz
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Franz
+whitelist ${HOME}/.config/Franz
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
new file mode 100644
index 000000000..827dc8be9
--- /dev/null
+++ b/etc/profile-a-l/freecad.profile
@@ -0,0 +1,45 @@
+# Firejail profile for freecad
+# Description: Extensible Open Source CAx program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/FreeCAD
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile
new file mode 100644
index 000000000..2b2cdae29
--- /dev/null
+++ b/etc/profile-a-l/freecadcmd.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecadcms.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include freecad.profile
diff --git a/etc/profile-a-l/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile
new file mode 100644
index 000000000..bf034a709
--- /dev/null
+++ b/etc/profile-a-l/freeciv-gtk3.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv-gtk3.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include freeciv.profile
diff --git a/etc/profile-a-l/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile
new file mode 100644
index 000000000..942058fa6
--- /dev/null
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeciv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv-mp-gtk3.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include freeciv.profile
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
new file mode 100644
index 000000000..5126e2d37
--- /dev/null
+++ b/etc/profile-a-l/freeciv.profile
@@ -0,0 +1,47 @@
+# Firejail profile for freeciv
+# Description: A multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeciv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freeciv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.freeciv
+whitelist ${HOME}/.freeciv
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
new file mode 100644
index 000000000..4467b5869
--- /dev/null
+++ b/etc/profile-a-l/freecol.profile
@@ -0,0 +1,58 @@
+# Firejail profile for freecol
+# Description: Turn-based multi-player strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freecol.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.freecol
+noblacklist ${HOME}/.cache/freecol
+noblacklist ${HOME}/.config/freecol
+noblacklist ${HOME}/.local/share/freecol
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.cache/freecol
+mkdir ${HOME}/.config/freecol
+mkdir ${HOME}/.local/share/freecol
+whitelist ${HOME}/.freecol
+whitelist ${HOME}/.java
+whitelist ${HOME}/.cache/freecol
+whitelist ${HOME}/.config/freecol
+whitelist ${HOME}/.local/share/freecol
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
new file mode 100644
index 000000000..fbe3d45e3
--- /dev/null
+++ b/etc/profile-a-l/freemind.profile
@@ -0,0 +1,53 @@
+# Firejail profile for freemind
+# Description: Free mind mapping software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freemind.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.freemind
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,cp,dirname,dpkg,echo,freemind,grep,java,lsb_release,mkdir,readlink,rpm,sed,sh,uname,which
+private-cache
+private-dev
+#private-etc alternatives,fonts,java
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/freeoffice-planmaker.profile b/etc/profile-a-l/freeoffice-planmaker.profile
new file mode 100644
index 000000000..b6ca167eb
--- /dev/null
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeoffice-planmaker
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-planmaker.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freeoffice-presentations.profile b/etc/profile-a-l/freeoffice-presentations.profile
new file mode 100644
index 000000000..43661028c
--- /dev/null
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for freeoffice-presentations
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-presentations.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freeoffice-textmaker.profile b/etc/profile-a-l/freeoffice-textmaker.profile
new file mode 100644
index 000000000..f7d30eaed
--- /dev/null
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -0,0 +1,9 @@
+# Firejail profile alias for freeoffice-textmaker
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+include freeoffice-textmaker.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
new file mode 100644
index 000000000..7beb2bcba
--- /dev/null
+++ b/etc/profile-a-l/freetube.profile
@@ -0,0 +1,22 @@
+# Firejail profile for freetube
+# Description: Youtube client with local subscription feature
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freetube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/FreeTube
+
+include allow-bin-sh.inc
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/FreeTube
+whitelist ${HOME}/.config/FreeTube
+
+private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+
+# Redirect
+include electron.profile
diff --git a/etc/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 08eac5595..6382b80af 100644
--- a/etc/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -2,10 +2,11 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/clamav.local
+include clamav.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
+include disable-exec.inc
 
 caps.keep setgid,setuid
 ipc-namespace
@@ -13,9 +14,11 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -24,11 +27,10 @@ tracelog
 
 disable-mnt
 private
+private-cache
 private-dev
 private-tmp
 writable-var
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
new file mode 100644
index 000000000..fa08b4956
--- /dev/null
+++ b/etc/profile-a-l/frogatto.profile
@@ -0,0 +1,52 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frogatto
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/libexec/frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
new file mode 100644
index 000000000..bb35c9447
--- /dev/null
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -0,0 +1,50 @@
+# Firejail profile for frozen-bubble
+# Description: Cool game where you pop out the bubbles
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frozen-bubble.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frozen-bubble
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.frozen-bubble
+whitelist ${HOME}/.frozen-bubble
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin frozen-bubble
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
new file mode 100644
index 000000000..1009f345b
--- /dev/null
+++ b/etc/profile-a-l/funnyboat.profile
@@ -0,0 +1,56 @@
+# Firejail profile for funnyboat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include funnyboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.funnyboat
+
+ignore noexec /dev/shm
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.funnyboat
+whitelist ${HOME}/.funnyboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/funnyboat
+# Debian:
+whitelist /usr/share/games/funnyboat
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile
new file mode 100644
index 000000000..945dea146
--- /dev/null
+++ b/etc/profile-a-l/gajim-history-manager.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for gajim-history-manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gajim-history-manager.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gajim.profile
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
new file mode 100644
index 000000000..b0d017db9
--- /dev/null
+++ b/etc/profile-a-l/gajim.profile
@@ -0,0 +1,79 @@
+# Firejail profile for gajim
+# Description: GTK+-based Jabber client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gajim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/gajim
+noblacklist ${HOME}/.config/gajim
+noblacklist ${HOME}/.local/share/gajim
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads.
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/.local/share/gajim
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.own org.gajim.Gajim
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.kde.kwalletd5
+dbus-user.talk org.mpris.MediaPlayer2.*
+dbus-system filter
+dbus-system.talk org.freedesktop.login1
+# Add the next line to your gajim.local to enable location plugin support.
+#dbus-system.talk org.freedesktop.GeoClue2
+
+join-or-start gajim
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
new file mode 100644
index 000000000..50b1c319c
--- /dev/null
+++ b/etc/profile-a-l/galculator.profile
@@ -0,0 +1,53 @@
+# Firejail profile for galculator
+# Description: Scientific calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include galculator.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/galculator
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/galculator
+whitelist ${HOME}/.config/galculator
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#hostname galculator - breaks Arch Linux
+#ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin galculator
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
new file mode 100644
index 000000000..9c8200dc4
--- /dev/null
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -0,0 +1,18 @@
+# Firejail profile for gallery-dl
+# Description: Downloader of images from various sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gallery-dl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/gallery-dl
+noblacklist ${HOME}/.gallery-dl.conf
+
+private-bin gallery-dl
+private-etc gallery-dl.conf
+
+# Redirect
+include youtube-dl.profile
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
new file mode 100644
index 000000000..8263423a0
--- /dev/null
+++ b/etc/profile-a-l/gapplication.profile
@@ -0,0 +1,73 @@
+# Firejail profile for gapplication
+# Description: D-Bus application launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gapplication.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin gapplication
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+# Add the next line to your gapplication.local to filter D-Bus names.
+# You might need to add additional dbus-user.talk rules (see 'gapplication list-apps').
+#dbus-user filter
+dbus-user.talk org.gnome.Boxes
+dbus-user.talk org.gnome.Builder
+dbus-user.talk org.gnome.Calendar
+dbus-user.talk org.gnome.ChromeGnomeShell
+dbus-user.talk org.gnome.DejaDup
+dbus-user.talk org.gnome.DiskUtility
+dbus-user.talk org.gnome.Extensions
+dbus-user.talk org.gnome.Maps
+dbus-user.talk org.gnome.Nautilus
+dbus-user.talk org.gnome.Shell.PortalHelper
+dbus-user.talk org.gnome.Software
+dbus-user.talk org.gnome.Weather
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/gcalccmd.profile b/etc/profile-a-l/gcalccmd.profile
new file mode 100644
index 000000000..691d6b0c4
--- /dev/null
+++ b/etc/profile-a-l/gcalccmd.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gcalccmd
+# Description: GNOME console calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gcalccmd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin gcalccmd
+
+# Redirect
+include gnome-calculator.profile
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
new file mode 100644
index 000000000..388f4c0df
--- /dev/null
+++ b/etc/profile-a-l/gcloud.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gcloud.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} will break user-local installs of gcloud tooling
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.boto
+noblacklist ${HOME}/.config/gcloud
+noblacklist /var/run/docker.sock
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+# required for sudo-free docker
+#nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
new file mode 100644
index 000000000..cb39174e5
--- /dev/null
+++ b/etc/profile-a-l/gconf-editor.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gconf-editor
+# Description: Graphical gconf registry editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-editor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+
+whitelist /usr/share/gconf-editor
+
+ignore x11 none
+
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconf-merge-schema.profile b/etc/profile-a-l/gconf-merge-schema.profile
new file mode 100644
index 000000000..619f801b0
--- /dev/null
+++ b/etc/profile-a-l/gconf-merge-schema.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconf-merge-schema
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-schema.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconf-merge-tree.profile b/etc/profile-a-l/gconf-merge-tree.profile
new file mode 100644
index 000000000..2f6bfe5e5
--- /dev/null
+++ b/etc/profile-a-l/gconf-merge-tree.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconf-merge-tree
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-tree.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
new file mode 100644
index 000000000..b01d88f80
--- /dev/null
+++ b/etc/profile-a-l/gconf.profile
@@ -0,0 +1,61 @@
+# Firejail profile for gconf
+# Description: An obsolete configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/gconf
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+#include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
+whitelist /usr/share/GConf
+whitelist /usr/share/gconf
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
+private-cache
+private-dev
+private-etc alternatives,fonts,gconf
+private-lib GConf,libpython*,python2*
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gconfpkg.profile b/etc/profile-a-l/gconfpkg.profile
new file mode 100644
index 000000000..5bfc1250a
--- /dev/null
+++ b/etc/profile-a-l/gconfpkg.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconfpkg
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconfpkg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gconftool-2.profile b/etc/profile-a-l/gconftool-2.profile
new file mode 100644
index 000000000..947e4252f
--- /dev/null
+++ b/etc/profile-a-l/gconftool-2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gconftool-2
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconftool-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile
diff --git a/etc/geany.profile b/etc/profile-a-l/geany.profile
index 35e405319..f244cb526 100644
--- a/etc/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -1,29 +1,35 @@
 # Firejail profile for geany
+# Description: Fast and lightweight IDE
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/geany.local
+include geany.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/geany
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
new file mode 100644
index 000000000..29c620556
--- /dev/null
+++ b/etc/profile-a-l/geary.profile
@@ -0,0 +1,86 @@
+# Firejail profile for geary
+# Description: Lightweight email client designed for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geary.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/evolution
+noblacklist ${HOME}/.cache/folks
+noblacklist ${HOME}/.cache/geary
+noblacklist ${HOME}/.config/evolution
+noblacklist ${HOME}/.config/geary
+noblacklist ${HOME}/.local/share/evolution
+noblacklist ${HOME}/.local/share/geary
+noblacklist ${HOME}/.mozilla
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.cache/folks
+mkdir ${HOME}/.cache/geary
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.config/geary
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/geary
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.cache/folks
+whitelist ${HOME}/.cache/geary
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.config/geary
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/geary
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist /usr/share/geary
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# disable-mnt
+# Add 'ignore private-bin' to geary.local for hyperlink support
+private-bin geary
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Geary
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.Contacts
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.gnome.evolution.dataserver.AddressBook10
+dbus-user.talk org.gnome.evolution.dataserver.Sources5
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
new file mode 100644
index 000000000..0726d17bd
--- /dev/null
+++ b/etc/profile-a-l/gedit.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gedit
+# Description: Official text editor of the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gedit.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# private-bin gedit
+private-dev
+# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
+#private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
new file mode 100644
index 000000000..f0e17963c
--- /dev/null
+++ b/etc/profile-a-l/geekbench.profile
@@ -0,0 +1,54 @@
+# Firejail profile for geekbench
+# Description: A cross-platform benchmark that measures processor and memory performance
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geekbench.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname geekbench
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,geekbenc*,sh
+private-cache
+private-dev
+private-etc alternatives,group,lsb-release,passwd
+private-lib gcc/*/*/libstdc++.so.*
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+read-only ${HOME}
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
new file mode 100644
index 000000000..fbb509d89
--- /dev/null
+++ b/etc/profile-a-l/geeqie.profile
@@ -0,0 +1,33 @@
+# Firejail profile for geeqie
+# Description: Image viewer using GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include geeqie.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/geeqie
+noblacklist ${HOME}/.config/geeqie
+noblacklist ${HOME}/.local/share/geeqie
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin geeqie
+private-dev
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
new file mode 100644
index 000000000..388f6496d
--- /dev/null
+++ b/etc/profile-a-l/gfeeds.profile
@@ -0,0 +1,70 @@
+# Firejail profile for gfeeds
+# Description: RSS/Atom feed reader for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gfeeds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gfeeds
+noblacklist ${HOME}/.cache/org.gabmus.gfeeds
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
+noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/gfeeds
+mkdir ${HOME}/.cache/org.gabmus.gfeeds
+mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist ${HOME}/.cache/gfeeds
+whitelist ${HOME}/.cache/org.gabmus.gfeeds
+whitelist ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist /usr/libexec/webkit2gtk-4.0
+whitelist /usr/share/gfeeds
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gfeeds,python3*
+# private-cache -- feeds are stored in ~/.cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gabmus.gfeeds
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
new file mode 100644
index 000000000..b2adaa8e4
--- /dev/null
+++ b/etc/profile-a-l/gget.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gget
+# Description: a cli. to get things. from git repos
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gget.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gget
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/ghb.profile b/etc/profile-a-l/ghb.profile
new file mode 100644
index 000000000..c65d7e709
--- /dev/null
+++ b/etc/profile-a-l/ghb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for handbrake
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ghb.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include handbrake.profile
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
new file mode 100644
index 000000000..3dfdc0184
--- /dev/null
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -0,0 +1,59 @@
+# Firejail profile for ghostwriter
+# Description: Cross-platform, aesthetic, distraction-free Markdown editor.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ghostwriter.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ghostwriter
+noblacklist ${HOME}/.local/share/ghostwriter
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/ghostwriter
+whitelist /usr/share/mozilla-dicts
+whitelist /usr/share/texlive
+whitelist /usr/share/pandoc*
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+seccomp.block-secondary
+shell none
+#tracelog -- breaks
+
+private-bin context,gettext,ghostwriter,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-system none
diff --git a/etc/profile-a-l/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile
new file mode 100644
index 000000000..ea099b0a5
--- /dev/null
+++ b/etc/profile-a-l/gimp-2.10.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for gimp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gimp-2.10.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gimp.profile
diff --git a/etc/profile-a-l/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile
new file mode 100644
index 000000000..af0793c58
--- /dev/null
+++ b/etc/profile-a-l/gimp-2.8.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for gimp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gimp-2.8.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gimp.profile
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
new file mode 100644
index 000000000..df9c2ac7a
--- /dev/null
+++ b/etc/profile-a-l/gimp.profile
@@ -0,0 +1,65 @@
+# Firejail profile for gimp
+# Description: GNU Image Manipulation Program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gimp.local
+# Persistent global definitions
+include globals.local
+
+# Add the next lines to your gimp.local in order to support scanning via xsane (see #3640).
+# TODO: Replace 'ignore seccomp' with a less permissive option.
+#ignore seccomp
+#ignore dbus-system
+#ignore net
+#protocol unix,inet,inet6
+
+# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
+# If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/babl
+noblacklist ${HOME}/.cache/gegl-0.4
+noblacklist ${HOME}/.cache/gimp
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# See issue #4367, gimp 2.10.22-3: gegl:introspect broken
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include disable-common.inc
+include disable-exec.inc
+include disable-devel.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gegl-0.4
+whitelist /usr/share/gimp
+whitelist /usr/share/mypaint-data
+whitelist /usr/share/lensfun
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix
+seccomp !mbind
+shell none
+tracelog
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gist-paste.profile b/etc/profile-a-l/gist-paste.profile
new file mode 100644
index 000000000..56b3176ed
--- /dev/null
+++ b/etc/profile-a-l/gist-paste.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gist-paste
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist-paste.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gist.profile
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
new file mode 100644
index 000000000..80fa18119
--- /dev/null
+++ b/etc/profile-a-l/gist.profile
@@ -0,0 +1,61 @@
+# Firejail profile for gist
+# Description: Potentially the best command line gister
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gist.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.gist
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gist
+whitelist ${HOME}/.gist
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
new file mode 100644
index 000000000..f77adef63
--- /dev/null
+++ b/etc/profile-a-l/git-cola.profile
@@ -0,0 +1,87 @@
+# Firejail profile for git-cola
+# Description: Linux native frontend for Git
+# This file is overwritten after every install/update
+# Persistent local customizations
+include git-cola.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.subversion
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/git-cola
+# Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings.
+#noblacklist ${HOME}/
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+# Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer.
+whitelist /usr/share/git
+whitelist /usr/share/git-cola
+whitelist /usr/share/git-core
+whitelist /usr/share/git-gui
+whitelist /usr/share/gitk
+whitelist /usr/share/gitweb
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local.
+#private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-tmp
+writable-run-user
+
+# dbus-user filtering breaks meld as diff viewer
+# Add the next line to your git-cola.local if you don't use meld.
+#dbus-user filter
+# Add the next line to your git-cola.local if you need keyring access
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
+
+read-only ${HOME}/.git-credentials
+
+# Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts.
+read-only ${HOME}/.ssh
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
new file mode 100644
index 000000000..b0318e4a3
--- /dev/null
+++ b/etc/profile-a-l/git.profile
@@ -0,0 +1,61 @@
+# Firejail profile for git
+# Description: Fast, scalable, distributed revision control system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include git.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+
+whitelist /usr/share/git
+whitelist /usr/share/git-core
+whitelist /usr/share/gitgui
+whitelist /usr/share/gitweb
+whitelist /usr/share/nano
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
new file mode 100644
index 000000000..314b797c0
--- /dev/null
+++ b/etc/profile-a-l/gitg.profile
@@ -0,0 +1,64 @@
+# Firejail profile for gitg
+# Description: Git repository viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gitg.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/gitg
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
+
+whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin git,gitg,ssh
+private-cache
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitg
+dbus-user.talk ca.desrt.dconf
+# Add the next line to your gitg.local if you need keyring access.
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
new file mode 100644
index 000000000..325c54ced
--- /dev/null
+++ b/etc/profile-a-l/github-desktop.profile
@@ -0,0 +1,40 @@
+# Firejail profile for github-desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include github-desktop.local
+# Persistent global definitions
+include globals.local
+
+# Note: On debian-based distributions the binary might be located in
+# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
+# If that's the case you can start GitHub Desktop with firejail via
+# `firejail "/opt/GitHub Desktop/github-desktop"`.
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/GitHub Desktop
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+
+# no3d
+nosound
+
+# private-bin github-desktop
+?HAS_APPIMAGE: ignore private-dev
+# private-lib
+
+# memory-deny-write-execute
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
new file mode 100644
index 000000000..5dfb48189
--- /dev/null
+++ b/etc/profile-a-l/gitter.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gitter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gitter.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/Gitter
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Gitter
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/autostart
+whitelist ${HOME}/.config/Gitter
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,env,gitter
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
+private-opt Gitter
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
new file mode 100644
index 000000000..a52272852
--- /dev/null
+++ b/etc/profile-a-l/gjs.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gjs
+# Description: Mozilla-based javascript bindings for the GNOME platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gjs.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.cache/libgweather
+noblacklist ${HOME}/.cache/org.gnome.Books
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${HOME}/.local/share/gnome-photos
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin gjs,gnome-books,gnome-documents,gnome-maps,gnome-photos,gnome-weather
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
diff --git a/etc/profile-a-l/gl-117-wrapper.profile b/etc/profile-a-l/gl-117-wrapper.profile
new file mode 100644
index 000000000..d783940f3
--- /dev/null
+++ b/etc/profile-a-l/gl-117-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gl-117-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gl-117-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin gl-117-wrapper
+
+# Redirect
+include gl-117.profile
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
new file mode 100644
index 000000000..35d969e6d
--- /dev/null
+++ b/etc/profile-a-l/gl-117.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gl-117
+# Description: Action flight simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gl-117.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gl-117
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gl-117
+whitelist ${HOME}/.gl-117
+whitelist /usr/share/gl-117
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gl-117
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/glaxium-wrapper.profile b/etc/profile-a-l/glaxium-wrapper.profile
new file mode 100644
index 000000000..7dc2cf65e
--- /dev/null
+++ b/etc/profile-a-l/glaxium-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for glaxium-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include glaxium-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin glaxium-wrapper
+
+# Redirect
+include glaxium.profile
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
new file mode 100644
index 000000000..dec0daef2
--- /dev/null
+++ b/etc/profile-a-l/glaxium.profile
@@ -0,0 +1,52 @@
+# Firejail profile for glaxium
+# Description: 3d spaceship shoot-em-up
+# This file is overwritten after every install/update
+# Persistent local customizations
+include glaxium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.glaxiumrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.glaxiumrc
+whitelist ${HOME}/.glaxiumrc
+whitelist /usr/share/glaxium
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin glaxium
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/globaltime.profile b/etc/profile-a-l/globaltime.profile
index 6961a56e9..d07f0ace4 100644
--- a/etc/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -1,34 +1,37 @@
 # Firejail profile for globaltime
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/globaltime.local
+include globaltime.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/globaltime
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
 disable-mnt
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
new file mode 100644
index 000000000..4aa4b6c20
--- /dev/null
+++ b/etc/profile-a-l/gmpc.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gmpc
+# Description: MPD client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gmpc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gmpc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gmpc
+whitelist ${HOME}/.config/gmpc
+whitelist ${MUSIC}
+whitelist /usr/share/gmpc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private-bin gmpc
+private-cache
+private-etc alternatives,fonts
+private-tmp
+writable-run-user
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/gnome-2048.profile b/etc/profile-a-l/gnome-2048.profile
new file mode 100644
index 000000000..777c81dbe
--- /dev/null
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-2048
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-2048.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-2048
+
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+
+private-bin gnome-2048
+
+dbus-user.own org.gnome.TwentyFortyEight
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
new file mode 100644
index 000000000..5b7eaa78d
--- /dev/null
+++ b/etc/profile-a-l/gnome-books.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gnome-books
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-books.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.cache/org.gnome.Books
+noblacklist ${DOCUMENTS}
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gjs,gnome-books
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
new file mode 100644
index 000000000..9fe9ed6ba
--- /dev/null
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gnome-builder
+# Description: IDE for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-builder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bash_history
+
+noblacklist ${HOME}/.cache/gnome-builder
+noblacklist ${HOME}/.config/gnome-builder
+noblacklist ${HOME}/.local/share/gnome-builder
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+
+read-write ${HOME}/.bash_history
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
new file mode 100644
index 000000000..ac130da21
--- /dev/null
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gnome-calculator
+# Description: GNOME desktop calculator
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gnome-calculator.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+#net none -- breaks currency conversion
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-calculator
+private-cache
+private-dev
+#private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Calculator
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
new file mode 100644
index 000000000..c8903a991
--- /dev/null
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -0,0 +1,63 @@
+# Firejail profile for gnome-calendar
+# Description: Calendar for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-calendar.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/libgweather
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gnome-calendar
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Calendar
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.evolution.dataserver.*
+#dbus-user.talk org.gnome.OnlineAccounts
+#dbus-user.talk org.gnome.ControlCenter
+# NOTE: dbus-system none fails, filter without rules works.
+dbus-system filter
+#dbus-system.talk org.freedesktop.timedate1
+#dbus-system.talk org.freedesktop.login1
+#dbus-system.talk org.freedesktop.GeoClue2
+
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-character-map.profile b/etc/profile-a-l/gnome-character-map.profile
new file mode 100644
index 000000000..27804fdd0
--- /dev/null
+++ b/etc/profile-a-l/gnome-character-map.profile
@@ -0,0 +1,10 @@
+# Firejail profile for gnome-character-map
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-character-map.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gucharmap.profile
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
new file mode 100644
index 000000000..aaa1e3f5a
--- /dev/null
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gnome-characters
+# Description: Character map application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-characters.local
+# Persistent global definitions
+include globals.local
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/org.gnome.Characters
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+# Add the next line to your gnome-characters.local if you don't need access to recently used chars.
+#private
+private-bin gjs,gnome-characters
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
+private-tmp
+
+# Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
+# dbus-user none
+# dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
new file mode 100644
index 000000000..d038d775a
--- /dev/null
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gnome-chess
+# Description: Simple chess game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-chess.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnome-chess
+noblacklist ${HOME}/.local/share/gnome-chess
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#mkdir ${HOME}/.local/share/gnome-chess
+#whitelist ${HOME}/.local/share/gnome-chess
+#include whitelist-common.inc
+
+whitelist /usr/share/gnuchess
+whitelist /usr/share/gnome-chess
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin fairymax,gnome-chess,gnuchess,hoichess
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
+private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
new file mode 100644
index 000000000..96a39f6ce
--- /dev/null
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gnome-clocks
+# Description: Simple GNOME app with stopwatch, timer, and world clock support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-clocks.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnome-clocks
+whitelist /usr/share/libgweather
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-clocks,gsound-play
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
new file mode 100644
index 000000000..f96f750dd
--- /dev/null
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -0,0 +1,40 @@
+# Firejail profile for gnome-contacts
+# Description: Contacts manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-contacts.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+#no3d - breaks on Arch
+nodvd
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
new file mode 100644
index 000000000..0ed3c7541
--- /dev/null
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gnome-documents
+# Description: Document manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-documents.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${DOCUMENTS}
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
new file mode 100644
index 000000000..294729152
--- /dev/null
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -0,0 +1,37 @@
+# Firejail profile for gnome-font-viewer
+# Description: Font viewer for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-font-viewer.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
new file mode 100644
index 000000000..19a4bc5c7
--- /dev/null
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gnome-hexgl
+# Description: Gthree port of HexGL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-hexgl.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mesa_shader_cache
+whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gnome-hexgl
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/profile-a-l/gnome-keyring-3.profile b/etc/profile-a-l/gnome-keyring-3.profile
new file mode 100644
index 000000000..e9961e4f0
--- /dev/null
+++ b/etc/profile-a-l/gnome-keyring-3.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-keyring-3
+# Description: Stores passwords and encryption keys
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-keyring-3.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gnome-keyring.profile
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
new file mode 100644
index 000000000..b74325102
--- /dev/null
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -0,0 +1,62 @@
+# Firejail profile for gnome-keyring
+# Description: Stores passwords and encryption keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gnome-keyring.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+#private-bin gnome-keyrin*,secret-tool
+private-cache
+private-dev
+#private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
+private-tmp
+
+# dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile
new file mode 100644
index 000000000..c67a5c0da
--- /dev/null
+++ b/etc/profile-a-l/gnome-klotski.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-klotski
+# Description: Sliding block puzzles game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-klotski.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-klotski
+
+mkdir ${HOME}/.local/share/gnome-klotski
+whitelist ${HOME}/.local/share/gnome-klotski
+
+private-bin gnome-klotski
+
+dbus-user.own org.gnome.Klotski
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
new file mode 100644
index 000000000..26c2c4409
--- /dev/null
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gnome-latex
+# Description: LaTeX editor for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-latex.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnome-latex
+noblacklist ${HOME}/.local/share/gnome-latex
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /usr/share/gnome-latex
+whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+# May cause issues.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-cache
+private-dev
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+
+dbus-system none
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
new file mode 100644
index 000000000..2c15f7592
--- /dev/null
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gnome-logs
+# Description: Viewer for the systemd journal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-logs.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /var/log/journal
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+noinput
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-logs
+private-cache
+private-dev
+private-etc alternatives,fonts,localtime,machine-id
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+writable-var-log
+
+dbus-user filter
+dbus-user.own org.gnome.Logs
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile
new file mode 100644
index 000000000..42409dce8
--- /dev/null
+++ b/etc/profile-a-l/gnome-mahjongg.profile
@@ -0,0 +1,16 @@
+# Firejail profile for gnome-mahjongg
+# Description: A matching game played with Mahjongg tiles
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mahjongg.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/gnome-mahjongg
+
+private-bin gnome-mahjongg
+
+dbus-user.own org.gnome.Mahjongg
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
new file mode 100644
index 000000000..7732117ac
--- /dev/null
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -0,0 +1,76 @@
+# Firejail profile for gnome-maps
+# Description: Map application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-maps.local
+# Persistent global definitions
+include globals.local
+
+# Some distributions use gapplications to start gnome-maps over D-Bus. As firecfg cannot handle that, you need to run the following command.
+# sed -e "s/Exec=gapplication launch org.gnome.Maps %U/Exec=gnome-maps %U/" -e "s/DBusActivatable=true/DBusActivatable=false/" "/usr/share/applications/org.gnome.Maps.desktop" > "~/.local/share/applications/org.gnome.Maps.desktop"
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.cache/champlain
+noblacklist ${HOME}/.cache/org.gnome.Maps
+noblacklist ${HOME}/.local/share/maps-places.json
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/champlain
+mkfile ${HOME}/.local/share/maps-places.json
+whitelist ${HOME}/.cache/champlain
+whitelist ${HOME}/.local/share/maps-places.json
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+whitelist /usr/share/gnome-maps
+whitelist /usr/share/libgweather
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gjs,gnome-maps
+# private-cache -- gnome-maps cache all maps/satelite-images
+private-dev
+private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Maps
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system filter
+#dbus-system.talk org.freedesktop.NetworkManager
+dbus-system.talk org.freedesktop.GeoClue2
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile
new file mode 100644
index 000000000..4fe8986c2
--- /dev/null
+++ b/etc/profile-a-l/gnome-mines.profile
@@ -0,0 +1,20 @@
+# Firejail profile for gnome-mines
+# Description: The popular logic puzzle minesweeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mines.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-mines
+
+mkdir ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
+whitelist /usr/share/gnome-mines
+
+private-bin gnome-mines
+
+dbus-user.own org.gnome.Mines
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
new file mode 100644
index 000000000..f8f40ea54
--- /dev/null
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -0,0 +1,34 @@
+# Firejail profile for gnome-mplayer
+# Description: GTK/Gnome interface around MPlayer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+# private-bin gnome-mplayer,mplayer
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile
new file mode 100644
index 000000000..dfb95d27b
--- /dev/null
+++ b/etc/profile-a-l/gnome-mpv.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for celluloid (formerly GNOME MPV)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mpv.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include celluloid.profile
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
new file mode 100644
index 000000000..a00edfa37
--- /dev/null
+++ b/etc/profile-a-l/gnome-music.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gnome-music
+# Description: GNOME music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-music.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-music
+noblacklist ${MUSIC}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin calls a file manager - whatever is installed!
+#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
+private-dev
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
new file mode 100644
index 000000000..abf3dd759
--- /dev/null
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -0,0 +1,48 @@
+# Firejail profile for gnome-nettool
+# Description: Graphical interface for various networking tools
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nettool.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnome-nettool
+#include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.keep net_raw
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+# ping needs to elevate privileges, noroot and nonewprivs will kill it
+#nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+#seccomp
+#shell none
+
+disable-mnt
+private
+private-cache
+private-dev
+private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gnome-nibbles.profile b/etc/profile-a-l/gnome-nibbles.profile
new file mode 100644
index 000000000..b22810d34
--- /dev/null
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gnome-nibbles
+# Description: A worm game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+noblacklist ${HOME}/.local/share/gnome-nibbles
+
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+
+private-bin gnome-nibbles
+
+dbus-user.own org.gnome.Nibbles
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
new file mode 100644
index 000000000..b69899c70
--- /dev/null
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -0,0 +1,62 @@
+# Firejail profile for gnome-passwordsafe
+# Description: Password manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-passwordsafe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/cracklib
+whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-passwordsafe,python3*
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,passwd
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.PasswordSafe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
new file mode 100644
index 000000000..4fd78eaab
--- /dev/null
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome-photos
+# Description: Access, organize and share your photos with GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-photos.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.local/share/gnome-photos
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# private-bin gjs,gnome-photos
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
new file mode 100644
index 000000000..3ab2e4aad
--- /dev/null
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -0,0 +1,41 @@
+# Firejail profile for gnome-pie
+# Description: Alternative AppMenu
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pie.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnome-pie
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+# net none - breaks dbus
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
new file mode 100644
index 000000000..256a0c69f
--- /dev/null
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gnome-pomodoro
+# Description: time management utility for GNOME based on the pomodoro technique
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pomodoro.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-pomodoro
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/gnome-pomodoro
+whitelist ${HOME}/.local/share/gnome-pomodoro
+whitelist /usr/share/gnome-pomodoro
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-pomodoro
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Pomodoro
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.local/share/gnome-pomodoro
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
new file mode 100644
index 000000000..01162b552
--- /dev/null
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -0,0 +1,53 @@
+# Firejail profile for gnome-recipes
+# Description: Recipe application for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-recipes.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist ${HOME}/.cache/gnome-recipes
+noblacklist ${HOME}/.local/share/gnome-recipes
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/gnome-recipes
+mkdir ${HOME}/.local/share/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.local/share/gnome-recipes
+whitelist /usr/share/gnome-recipes
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
new file mode 100644
index 000000000..7ee01dec1
--- /dev/null
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -0,0 +1,33 @@
+# Firejail profile for gnome-ring
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-ring.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-ring
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+# private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/gnome-robots.profile b/etc/profile-a-l/gnome-robots.profile
new file mode 100644
index 000000000..8835f2b93
--- /dev/null
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-robots
+# Description: Based on classic BSD Robots
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-robots.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-robots
+
+private-bin gnome-robots
+
+dbus-user.own org.gnome.Robots
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
new file mode 100644
index 000000000..8c3db651f
--- /dev/null
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -0,0 +1,65 @@
+# Firejail profile for gnome-schedule
+# Description: Graphical interface to crontab and at for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-schedule.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnome/gnome-schedule
+
+# Needs at and crontab to read/write user cron
+noblacklist ${PATH}/at
+noblacklist ${PATH}/crontab
+
+# Needs access to these files/dirs
+noblacklist /etc/cron.allow
+noblacklist /etc/cron.deny
+noblacklist /etc/shadow
+noblacklist /var/spool/cron
+
+# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
+# add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.gnome/gnome-schedule
+whitelist ${HOME}/.gnome/gnome-schedule
+whitelist /usr/share/gnome-schedule
+whitelist /var/spool/atd
+whitelist /var/spool/cron
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep chown,dac_override,setgid,setuid
+ipc-namespace
+machine-id
+#net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+noinput
+nosound
+notv
+nou2f
+novideo
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+writable-var
+
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
new file mode 100644
index 000000000..f5afa9fb3
--- /dev/null
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system none
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
new file mode 100644
index 000000000..159145b1b
--- /dev/null
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gnome-sound-recorder
+# Description: simple sound recordings for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sound-recorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.local/share/Trash
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-tmp
diff --git a/etc/profile-a-l/gnome-sudoku.profile b/etc/profile-a-l/gnome-sudoku.profile
new file mode 100644
index 000000000..12fd48a86
--- /dev/null
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-sudoku
+# Description: puzzle game for the popular Japanese sudoku logic puzzle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sudoku.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-sudoku
+
+mkdir ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
+
+private-bin gnome-sudoku
+
+dbus-user.own org.gnome.Sudoku
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
new file mode 100644
index 000000000..3f9497e80
--- /dev/null
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -0,0 +1,56 @@
+# Firejail profile for gnome-system-log
+# Description: View your system logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-system-log.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /var/log
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks dbus
+no3d
+nodvd
+# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
+# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-system-log
+private-cache
+private-dev
+private-etc alternatives,fonts,localtime,machine-id
+private-lib
+private-tmp
+writable-var-log
+
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
+# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
+read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-taquin.profile b/etc/profile-a-l/gnome-taquin.profile
new file mode 100644
index 000000000..2341334f7
--- /dev/null
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-taquin
+# Description: A sliding puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-taquin.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-taquin
+
+private-bin gnome-taquin
+
+dbus-user.own org.gnome.Taquin
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-tetravex.profile b/etc/profile-a-l/gnome-tetravex.profile
new file mode 100644
index 000000000..6e820dd70
--- /dev/null
+++ b/etc/profile-a-l/gnome-tetravex.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gnome-tetravex
+# Description: A simple puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-tetravex.local
+# Persistent global definitions
+include globals.local
+
+private-bin gnome-tetravex
+
+dbus-user.own org.gnome.Tetravex
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
new file mode 100644
index 000000000..4640f7f43
--- /dev/null
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -0,0 +1,64 @@
+# Firejail profile for gnome-todo
+# Description: Personal task manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-todo.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnome-todo
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private
+private-bin gnome-todo
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Todo
+dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
+dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+dbus-user.talk org.gnome.evolution.dataserver.Sources5
+#dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
+#dbus-system filter
+#dbus-system.talk org.freedesktop.login1
+
+read-only ${HOME}
diff --git a/etc/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index 9c94404d1..aef6b0fdd 100644
--- a/etc/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -1,37 +1,40 @@
 # Firejail profile for gnome-twitch
+# Description: GNOME Twitch app for watching Twitch.tv streams without a browser or flash
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gnome-twitch.local
+include gnome-twitch.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/gnome-twitch
 noblacklist ${HOME}/.local/share/gnome-twitch
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/gnome-twitch
 mkdir ${HOME}/.local/share/gnome-twitch
 whitelist ${HOME}/.cache/gnome-twitch
 whitelist ${HOME}/.local/share/gnome-twitch
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
new file mode 100644
index 000000000..5592879ec
--- /dev/null
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -0,0 +1,49 @@
+# Firejail profile for gnome-weather
+# Description: Access current conditions and forecasts
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-weather.local
+# Persistent global definitions
+include globals.local
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ${HOME}/.cache/libgweather
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+# private-bin gjs,gnome-weather
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-tmp
+
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
new file mode 100644
index 000000000..4ad39a988
--- /dev/null
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -0,0 +1,49 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
new file mode 100644
index 000000000..2d4ce2437
--- /dev/null
+++ b/etc/profile-a-l/gnote.profile
@@ -0,0 +1,60 @@
+# Firejail profile for gnote
+# Description: A simple note-taking application for Gnome
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnote.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnote
+noblacklist ${HOME}/.local/share/gnote
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gnote
+mkdir ${HOME}/.local/share/gnote
+whitelist ${HOME}/.config/gnote
+whitelist ${HOME}/.local/share/gnote
+whitelist /usr/libexec/webkit2gtk-4.0
+whitelist /usr/share/gnote
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnote
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Gnote
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
new file mode 100644
index 000000000..902e76416
--- /dev/null
+++ b/etc/profile-a-l/gnubik.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gnubik
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnubik.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnubik
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gnubik
+private-cache
+private-dev
+private-etc drirc,fonts,gtk-2.0
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
new file mode 100644
index 000000000..b3c19e97f
--- /dev/null
+++ b/etc/profile-a-l/godot.profile
@@ -0,0 +1,45 @@
+# Firejail profile for godot
+# Description: multi-platform 2D and 3D game engine with a feature-rich editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include godot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/godot
+noblacklist ${HOME}/.config/godot
+noblacklist ${HOME}/.local/share/godot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+
+# private-bin godot
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
new file mode 100644
index 000000000..2ff3bc8d9
--- /dev/null
+++ b/etc/profile-a-l/goobox.profile
@@ -0,0 +1,35 @@
+# Firejail profile for goobox
+# Description: CD player and ripper with GNOME 3 integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goobox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin goobox
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+# private-tmp
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
new file mode 100644
index 000000000..ebe5e870b
--- /dev/null
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -0,0 +1,28 @@
+# Firejail profile for google-chrome-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-beta.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/google-chrome-beta
+noblacklist ${HOME}/.config/google-chrome-beta
+
+noblacklist ${HOME}/.config/chrome-beta-flags.conf
+noblacklist ${HOME}/.config/chrome-beta-flags.config
+
+mkdir ${HOME}/.cache/google-chrome-beta
+mkdir ${HOME}/.config/google-chrome-beta
+whitelist ${HOME}/.cache/google-chrome-beta
+whitelist ${HOME}/.config/google-chrome-beta
+
+whitelist ${HOME}/.config/chrome-beta-flags.conf
+whitelist ${HOME}/.config/chrome-beta-flags.config
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile
new file mode 100644
index 000000000..88cd43490
--- /dev/null
+++ b/etc/profile-a-l/google-chrome-stable.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for google-chrome
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-stable.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include google-chrome.profile
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
new file mode 100644
index 000000000..4d303f71b
--- /dev/null
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -0,0 +1,28 @@
+# Firejail profile for google-chrome-unstable
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome-unstable.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/google-chrome-unstable
+noblacklist ${HOME}/.config/google-chrome-unstable
+
+noblacklist ${HOME}/.config/chrome-unstable-flags.conf
+noblacklist ${HOME}/.config/chrome-unstable-flags.config
+
+mkdir ${HOME}/.cache/google-chrome-unstable
+mkdir ${HOME}/.config/google-chrome-unstable
+whitelist ${HOME}/.cache/google-chrome-unstable
+whitelist ${HOME}/.config/google-chrome-unstable
+
+whitelist ${HOME}/.config/chrome-unstable-flags.conf
+whitelist ${HOME}/.config/chrome-unstable-flags.config
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
new file mode 100644
index 000000000..ed2595f72
--- /dev/null
+++ b/etc/profile-a-l/google-chrome.profile
@@ -0,0 +1,28 @@
+# Firejail profile for google-chrome
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-chrome.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/google-chrome
+noblacklist ${HOME}/.config/google-chrome
+
+noblacklist ${HOME}/.config/chrome-flags.conf
+noblacklist ${HOME}/.config/chrome-flags.config
+
+mkdir ${HOME}/.cache/google-chrome
+mkdir ${HOME}/.config/google-chrome
+whitelist ${HOME}/.cache/google-chrome
+whitelist ${HOME}/.config/google-chrome
+
+whitelist ${HOME}/.config/chrome-flags.conf
+whitelist ${HOME}/.config/chrome-flags.config
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
new file mode 100644
index 000000000..249ae187d
--- /dev/null
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -0,0 +1,29 @@
+# Firejail profile for google-earth-pro
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth-pro.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Google Earth Pro can show issues that make it unpleasant to use, even when running unsandboxed.
+# See https://wiki.archlinux.org/index.php/Google_Earth#Troubleshooting for details.
+# Firejailing this application will demand extra work, as there are issues only upstream can fix (see #3906).
+# As an alternative one could use the web version: https://earth.google.com/web/.
+# The desktop version from the AUR can be made to work with firejail by appending the below snippet
+# to /usr/bin/googleearth-pro:
+# <--- snippet --->
+# Post-shutdown cleaning
+#_lock_app_running="${HOME}/.googleearth/instance-running-lock"
+#[[ -L "$_lock_app_running" ]] && rm -f "${_lock_app_running:?}"
+#_lock_collada_cache="/tmp/geColladaModelCacheLock"
+#[[ -e "$_lock_collada_cache" ]] && rm -f "${_lock_collada_cache:?}"
+#_lock_icon_cache="/tmp/geIconCacheLock"
+#[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}"
+# <--- end of snippet --->
+
+# If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local.
+private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings
+
+# Redirect
+include google-earth.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
new file mode 100644
index 000000000..0153a58d1
--- /dev/null
+++ b/etc/profile-a-l/google-earth.profile
@@ -0,0 +1,42 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-earth.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Google
+noblacklist ${HOME}/.googleearth
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Google
+mkdir ${HOME}/.googleearth
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,dirname,google-earth,grep,ls,sed,sh
+private-dev
+private-opt google
+
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..fe61d727e
--- /dev/null
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -0,0 +1,42 @@
+# Firejail profile for google-play-music-desktop-player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include google-play-music-desktop-player.local
+# Persistent global definitions
+include globals.local
+
+# noexec /tmp breaks mpris support
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Google Play Music Desktop Player
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Google Play Music Desktop Player
+# whitelist ${HOME}/.config/pulse
+# whitelist ${HOME}/.pulse
+whitelist ${HOME}/.config/Google Play Music Desktop Player
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
new file mode 100644
index 000000000..b8e2b04df
--- /dev/null
+++ b/etc/profile-a-l/googler-common.profile
@@ -0,0 +1,61 @@
+# Firejail profile for googler clones
+# Description: common profile for googler clones
+# This file is overwritten after every install/update
+# Persistent local customizations
+include googler-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.w3m
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.w3m
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin env,python3*,sh,w3m
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler.profile b/etc/profile-a-l/googler.profile
new file mode 100644
index 000000000..9d67006f6
--- /dev/null
+++ b/etc/profile-a-l/googler.profile
@@ -0,0 +1,13 @@
+# Firejail profile for googler
+# Description: Search Google from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include googler.local
+# Persistent global definitions
+include globals.local
+
+private-bin googler
+
+# Redirect
+include googler-common.profile
diff --git a/etc/gpa.profile b/etc/profile-a-l/gpa.profile
index 8d721e2c0..091851fa8 100644
--- a/etc/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -1,25 +1,28 @@
 # Firejail profile for gpa
+# Description: GNU Privacy Assistant (GPA)
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gpa.local
+include gpa.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-noblacklist ~/.gnupg
+noblacklist ${HOME}/.gnupg
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
new file mode 100644
index 000000000..c6ecef5ec
--- /dev/null
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -0,0 +1,52 @@
+# Firejail profile for gpg-agent
+# Description: GNU privacy guard - cryptographic agent
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg-agent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin gpg-agent,gpg
+private-cache
+private-dev
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
new file mode 100644
index 000000000..cf58ebdb0
--- /dev/null
+++ b/etc/profile-a-l/gpg.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gpg
+# Description: GNU Privacy Guard -- minimalist public key operations
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin gpg,gpg-agent
+private-cache
+private-dev
+
+# On Arch 'archlinux-keyring' needs read-write access to /etc/pacman.d/gnupg
+# and /usr/share/pacman/keyrings. Although this works, it makes
+# installing/upgrading archlinux-keyring extremely slow.
+read-write /etc/pacman.d/gnupg
+read-write /usr/share/pacman/keyrings
diff --git a/etc/profile-a-l/gpg2.profile b/etc/profile-a-l/gpg2.profile
new file mode 100644
index 000000000..b831b0f62
--- /dev/null
+++ b/etc/profile-a-l/gpg2.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gpg2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gpg2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-bin gpg2
+
+# Redirect
+include gpg.profile
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
new file mode 100644
index 000000000..9a782b238
--- /dev/null
+++ b/etc/profile-a-l/gpicview.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gpicview
+# Description: Lightweight image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpicview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gpicview
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+whitelist /usr/share/gpicview
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gpicview
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
new file mode 100644
index 000000000..54e52d695
--- /dev/null
+++ b/etc/profile-a-l/gpredict.profile
@@ -0,0 +1,41 @@
+# Firejail profile for gpredict
+# Description: Satellite tracking program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gpredict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Gpredict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.config/Gpredict
+whitelist ${HOME}/.config/Gpredict
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-tmp
+
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
new file mode 100644
index 000000000..31f95fb80
--- /dev/null
+++ b/etc/profile-a-l/gradio.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gradio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gradio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gradio
+noblacklist ${HOME}/.local/share/gradio
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/gradio
+mkdir ${HOME}/.local/share/gradio
+whitelist ${HOME}/.cache/gradio
+whitelist ${HOME}/.local/share/gradio
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gradio
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own de.haeckerfelix.gradio
+dbus-user.own org.mpris.MediaPlayer2.gradio
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
new file mode 100644
index 000000000..4baca353b
--- /dev/null
+++ b/etc/profile-a-l/gramps.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gramps
+# Description: genealogy program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gramps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gramps
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gramps
+whitelist ${HOME}/.gramps
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
new file mode 100644
index 000000000..c5bcc85f3
--- /dev/null
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gravity-beams-and-evaporating-stars
+# Description: a game about hurling asteroids into the sun
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gravity-beams-and-evaporating-stars.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gravity-beams-and-evaporating-stars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gravity-beams-and-evaporating-stars
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gsettings-data-convert.profile b/etc/profile-a-l/gsettings-data-convert.profile
new file mode 100644
index 000000000..6f1d43939
--- /dev/null
+++ b/etc/profile-a-l/gsettings-data-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings-data-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-data-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gsettings-schema-convert.profile b/etc/profile-a-l/gsettings-schema-convert.profile
new file mode 100644
index 000000000..5c8b0e2e2
--- /dev/null
+++ b/etc/profile-a-l/gsettings-schema-convert.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings-schema-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-schema-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gconf.profile
diff --git a/etc/profile-a-l/gsettings.profile b/etc/profile-a-l/gsettings.profile
new file mode 100644
index 000000000..2203fac15
--- /dev/null
+++ b/etc/profile-a-l/gsettings.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gsettings
+# Description: GSettings configuration tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include dconf.profile
diff --git a/etc/profile-a-l/gtar.profile b/etc/profile-a-l/gtar.profile
new file mode 100644
index 000000000..e3a02e7bc
--- /dev/null
+++ b/etc/profile-a-l/gtar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for tar
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include tar.profile
diff --git a/etc/gthumb.profile b/etc/profile-a-l/gthumb.profile
index 287e214e1..4218f8545 100644
--- a/etc/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -1,26 +1,30 @@
 # Firejail profile for gthumb
+# Description: Image viewer and browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/gthumb.local
+include gthumb.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/gthumb
-noblacklist ~/.Steam
-noblacklist ~/.steam
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
@@ -28,5 +32,6 @@ shell none
 tracelog
 
 private-bin gthumb
+private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile
new file mode 100644
index 000000000..9c212ff6e
--- /dev/null
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-pipe-viewer
+# Description: Gtk front-end to pipe-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-pipe-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+# Redirect
+include pipe-viewer.profile
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
new file mode 100644
index 000000000..978b3d896
--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+# Redirect
+include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
new file mode 100644
index 000000000..3231374b7
--- /dev/null
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -0,0 +1,56 @@
+# Firejail profile for gtk-update-icon-cache
+# Description: Icon theme caching utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gtk-update-icon-cache.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin gtk-update-icon-cache
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile
new file mode 100644
index 000000000..c814f0fef
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+# Redirect
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile
new file mode 100644
index 000000000..787c7bd90
--- /dev/null
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gtk2-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk2-youtube-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile
new file mode 100644
index 000000000..988882622
--- /dev/null
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gtk3-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk3-youtube-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
diff --git a/etc/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 14662443c..39fb177dd 100644
--- a/etc/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -1,23 +1,29 @@
 # Firejail profile for guayadeque
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/guayadeque.local
+include guayadeque.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.guayadeque
+noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
@@ -27,5 +33,3 @@ private-bin guayadeque
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
new file mode 100644
index 000000000..d47000e89
--- /dev/null
+++ b/etc/profile-a-l/gucharmap.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gucharmap
+# Description: Unicode character picker and font browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gucharmap.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+#net none - breaks dbus
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-character-map,gucharmap
+private-cache
+private-dev
+private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,X11,xdg
+private-lib
+private-tmp
+
+# breaks state saving
+# dbus-user none
+# dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile
new file mode 100644
index 000000000..2223c37a1
--- /dev/null
+++ b/etc/profile-a-l/gummi.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gummi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gummi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gummi
+noblacklist ${HOME}/.config/gummi
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
+
+# Redirect
+include latex-common.profile
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile
new file mode 100644
index 000000000..584d88f85
--- /dev/null
+++ b/etc/profile-a-l/gunzip.profile
@@ -0,0 +1,13 @@
+# Firejail profile for gunzip
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-bin-sh.inc
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
new file mode 100644
index 000000000..8ddde3c47
--- /dev/null
+++ b/etc/profile-a-l/guvcview.profile
@@ -0,0 +1,55 @@
+# Firejail profile for guvcview
+# Description: GTK+ base UVC Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include guvcview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/guvcview2
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/guvcview2
+whitelist ${HOME}/.config/guvcview2
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin guvcview
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
new file mode 100644
index 000000000..8c4453a8b
--- /dev/null
+++ b/etc/profile-a-l/gwenview.profile
@@ -0,0 +1,54 @@
+# Firejail profile for gwenview
+# Description: Image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gwenview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/gwenviewrc
+noblacklist ${HOME}/.config/org.kde.gwenviewrc
+noblacklist ${HOME}/.gimp*
+noblacklist ${HOME}/.kde/share/apps/gwenview
+noblacklist ${HOME}/.kde/share/config/gwenviewrc
+noblacklist ${HOME}/.kde4/share/apps/gwenview
+noblacklist ${HOME}/.kde4/share/config/gwenviewrc
+noblacklist ${HOME}/.local/share/gwenview
+noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
+noblacklist ${HOME}/.local/share/org.kde.gwenview
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+# tracelog
+
+private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
+private-dev
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/gzexe.profile b/etc/profile-a-l/gzexe.profile
new file mode 100644
index 000000000..bb570d553
--- /dev/null
+++ b/etc/profile-a-l/gzexe.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gzexe
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzexe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
new file mode 100644
index 000000000..b261c16f4
--- /dev/null
+++ b/etc/profile-a-l/gzip.profile
@@ -0,0 +1,15 @@
+# Firejail profile for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include gzip.local
+# Persistent global definitions
+include globals.local
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
+# all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
new file mode 100644
index 000000000..42371a853
--- /dev/null
+++ b/etc/profile-a-l/handbrake-gtk.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for handbrake
+# This file is overwritten after every install/update
+# Persistent local customizations
+include handbrake-gtk.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include handbrake.profile
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
new file mode 100644
index 000000000..9ad9aef33
--- /dev/null
+++ b/etc/profile-a-l/handbrake.profile
@@ -0,0 +1,39 @@
+# Firejail profile for handbrake
+# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include handbrake.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ghb
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
new file mode 100644
index 000000000..3be349176
--- /dev/null
+++ b/etc/profile-a-l/hashcat.profile
@@ -0,0 +1,46 @@
+# Firejail profile for hashcat
+# Description: World's fastest and most advanced password recovery utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include hashcat.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.hashcat
+noblacklist /usr/include
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+
+disable-mnt
+private-bin hashcat
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
new file mode 100644
index 000000000..8c1ada1d1
--- /dev/null
+++ b/etc/profile-a-l/hasher-common.profile
@@ -0,0 +1,59 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include hasher-common.local
+
+# common profile for hasher/checksum tools
+
+blacklist ${RUNUSER}
+
+# Comment/uncomment the relevant include file(s) in your hasher-common.local
+# to (un)restrict file access for **all** hashers. Another option is to do this **per hasher**
+# in the relevant <hasher>.local. Beware that things tend to break when overtightening
+# profiles. For example, because you only need to hash/check files in ${DOWNLOADS},
+# other applications may need access to ${HOME}/.local/share.
+
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc.
+#include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+# Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache.
+#private-cache
+private-dev
+# Add the next line to your hasher-common.local if you don't need to hash files in /tmp.
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
new file mode 100644
index 000000000..9c6f162c6
--- /dev/null
+++ b/etc/profile-a-l/hedgewars.profile
@@ -0,0 +1,37 @@
+# Firejail profile for hedgewars
+# Description: Funny turn-based artillery game, featuring fighting hedgehogs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hedgewars.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.hedgewars
+
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.hedgewars
+whitelist ${HOME}/.hedgewars
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+seccomp
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
new file mode 100644
index 000000000..88448ad45
--- /dev/null
+++ b/etc/profile-a-l/hexchat.profile
@@ -0,0 +1,58 @@
+# Firejail profile for hexchat
+# Description: IRC client for X based on X-Chat 2
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hexchat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/hexchat
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/hexchat
+whitelist ${HOME}/.config/hexchat
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+#machine-id -- breaks sound
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# debug note: private-bin requires perl, python, etc on some systems
+private-bin hexchat,python*,sh
+private-dev
+#private-lib - python problems
+private-tmp
+
+# memory-deny-write-execute - breaks python
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
new file mode 100644
index 000000000..0145f7ceb
--- /dev/null
+++ b/etc/profile-a-l/highlight.profile
@@ -0,0 +1,41 @@
+# Firejail profile for highlight
+# Description: Universal source code to formatted text converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include highlight.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin highlight
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hitori.profile b/etc/profile-a-l/hitori.profile
new file mode 100644
index 000000000..6d67f4587
--- /dev/null
+++ b/etc/profile-a-l/hitori.profile
@@ -0,0 +1,14 @@
+# Firejail profile for hitori
+# Description: Play the Hitori puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hitori.local
+# Persistent global definitions
+include globals.local
+
+private-bin hitori
+
+dbus-user.own org.gnome.Hitori
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..f2dac5881
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/homebank
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
new file mode 100644
index 000000000..984e90e1f
--- /dev/null
+++ b/etc/profile-a-l/host.profile
@@ -0,0 +1,52 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+noblacklist ${PATH}/host
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
new file mode 100644
index 000000000..0a9c831f3
--- /dev/null
+++ b/etc/profile-a-l/hugin.profile
@@ -0,0 +1,42 @@
+# Firejail profile for hugin
+# Description: Panorama photo stitcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hugin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.hugin
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin align_image_stack,autooptimiser,calibrate_lens_gui,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,enblend,fulla,geocpset,hugin,hugin_executor,hugin_hdrmerge,hugin_lensdb,hugin_stitch_project,icpfind,linefind,nona,pano_modify,pano_trafo,PTBatcherGUI,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
new file mode 100644
index 000000000..f210a264f
--- /dev/null
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -0,0 +1,51 @@
+# Firejail profile for hyperrogue
+# Description: An SDL roguelike in a non-euclidean world
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hyperrogue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/hyperrogue.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/hyperrogue.ini
+whitelist ${HOME}/hyperrogue.ini
+whitelist /usr/share/hyperrogue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin hyperrogue
+private-cache
+private-cwd ${HOME}
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
new file mode 100644
index 000000000..c875cad72
--- /dev/null
+++ b/etc/profile-a-l/i2prouter.profile
@@ -0,0 +1,72 @@
+# Firejail profile for I2P
+# Description: A distributed anonymous network
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i2prouter.local
+# Persistent global definitions
+include globals.local
+
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
+# Auto-opening default browser can be disabled in the I2P router console.
+# This profile will not currently work with any Arch User Repository I2P packages,
+# use the distro-independent official I2P java installer instead.
+
+# Only needed when i2prouter binary resides in home directory (official I2P java installer does so).
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/i2p
+noblacklist ${HOME}/.i2p
+noblacklist ${HOME}/.local/share/i2p
+noblacklist ${HOME}/i2p
+# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
+noblacklist /usr/sbin
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/i2p
+mkdir ${HOME}/.i2p
+mkdir ${HOME}/.local/share/i2p
+mkdir ${HOME}/i2p
+whitelist ${HOME}/.config/i2p
+whitelist ${HOME}/.i2p
+whitelist ${HOME}/.local/share/i2p
+whitelist ${HOME}/i2p
+# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
+whitelist /usr/sbin/wrapper*
+
+include whitelist-common.inc
+
+# May break I2P if wrapper resides in the home directory (official I2P java installer does so).
+# When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local,
+# as it places the wrapper in /usr/sbin/
+#apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-tmp
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
new file mode 100644
index 000000000..e96b1843c
--- /dev/null
+++ b/etc/profile-a-l/i3.profile
@@ -0,0 +1,18 @@
+# Firejail profile for i3
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include i3.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in i3 will run in this profile
+noblacklist ${HOME}/.config/i3
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
new file mode 100644
index 000000000..863dc8acf
--- /dev/null
+++ b/etc/profile-a-l/iagno.profile
@@ -0,0 +1,40 @@
+# Firejail profile for iagno
+# Description: Reversi clone for Gnome desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iagno.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin iagno
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
new file mode 100644
index 000000000..660343a29
--- /dev/null
+++ b/etc/profile-a-l/icecat.profile
@@ -0,0 +1,20 @@
+# Firejail profile for icecat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include icecat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+mkdir ${HOME}/.cache/mozilla/icecat
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/icecat
+whitelist ${HOME}/.mozilla
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc icecat
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/icedove.profile b/etc/profile-a-l/icedove.profile
new file mode 100644
index 000000000..19690cd5a
--- /dev/null
+++ b/etc/profile-a-l/icedove.profile
@@ -0,0 +1,28 @@
+# Firejail profile for icedove
+# This file is overwritten after every install/update
+# Persistent local customizations
+include icedove.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
+noblacklist ${HOME}/.cache/icedove
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.icedove
+
+mkdir ${HOME}/.cache/icedove
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.icedove
+whitelist ${HOME}/.cache/icedove
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.icedove
+include whitelist-common.inc
+
+ignore private-tmp
+
+# allow browsers
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
new file mode 100644
index 000000000..badd2648a
--- /dev/null
+++ b/etc/profile-a-l/iceweasel.profile
@@ -0,0 +1,13 @@
+# Firejail profile for iceweasel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iceweasel.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-etc must first be enabled in firefox-common.profile
+#private-etc iceweasel
+
+# Redirect
+include firefox.profile
diff --git a/etc/profile-a-l/idea.profile b/etc/profile-a-l/idea.profile
new file mode 100644
index 000000000..4e43bb629
--- /dev/null
+++ b/etc/profile-a-l/idea.profile
@@ -0,0 +1,10 @@
+# Firejail profile for idea
+# This file is overwritten after every install/update
+# Persistent local customizations
+include idea.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include idea.sh.profile
diff --git a/etc/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index caec416e9..7716a5f1a 100644
--- a/etc/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -1,37 +1,41 @@
 # Firejail profile for idea.sh
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/idea.sh.local
+include idea.sh.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 # private-tmp
 
diff --git a/etc/profile-a-l/ideaIC.profile b/etc/profile-a-l/ideaIC.profile
new file mode 100644
index 000000000..7e1778f58
--- /dev/null
+++ b/etc/profile-a-l/ideaIC.profile
@@ -0,0 +1,10 @@
+# Firejail profile for ideaIC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ideaIC.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include idea.sh.profile
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
new file mode 100644
index 000000000..4da127fab
--- /dev/null
+++ b/etc/profile-a-l/imagej.profile
@@ -0,0 +1,41 @@
+# Firejail profile for imagej
+# Description: Image processing program with a focus on microscopy images
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imagej.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.imagej
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,tail,touch,tr,uname,update-java-alternatives,whoami,xprop
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
new file mode 100644
index 000000000..54cad08c7
--- /dev/null
+++ b/etc/profile-a-l/img2txt.profile
@@ -0,0 +1,52 @@
+# Firejail profile for img2txt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include img2txt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/imlib2
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# private-bin img2txt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
new file mode 100644
index 000000000..31ad641c1
--- /dev/null
+++ b/etc/profile-a-l/impressive.profile
@@ -0,0 +1,57 @@
+# Firejail profile for impressive
+# Description: presentation tool with eye candy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include impressive.local
+# Persistent global definitions
+#include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mesa_shader_cache
+whitelist /usr/share/opengl-games-utils
+whitelist /usr/share/zenity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
new file mode 100644
index 000000000..5e54b5441
--- /dev/null
+++ b/etc/profile-a-l/inkscape.profile
@@ -0,0 +1,61 @@
+# Firejail profile for inkscape
+# Description: Vector-based drawing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkscape.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/inkscape
+noblacklist ${HOME}/.config/inkscape
+noblacklist ${HOME}/.inkscape
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+# Allow exporting .xcf files
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
+
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/inkscape
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin inkscape,potrace,python* - problems on Debian stretch
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/inkview.profile b/etc/profile-a-l/inkview.profile
new file mode 100644
index 000000000..4f88b0258
--- /dev/null
+++ b/etc/profile-a-l/inkview.profile
@@ -0,0 +1,11 @@
+# Firejail profile for inkview
+# Description: an SVG slideshow program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include inkscape.profile
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
new file mode 100644
index 000000000..a5cac12f2
--- /dev/null
+++ b/etc/profile-a-l/inox.profile
@@ -0,0 +1,22 @@
+# Firejail profile for inox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inox.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/inox
+noblacklist ${HOME}/.config/inox
+
+mkdir ${HOME}/.cache/inox
+mkdir ${HOME}/.config/inox
+whitelist ${HOME}/.cache/inox
+whitelist ${HOME}/.config/inox
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile
new file mode 100644
index 000000000..6753cb332
--- /dev/null
+++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile
@@ -0,0 +1,60 @@
+# Firejail profile for notejot
+# Description: Jot your ideas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include io.github.lainsce.Notejot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/io.github.lainsce.Notejot
+noblacklist ${HOME}/.local/share/io.github.lainsce.Notejot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/io.github.lainsce.Notejot
+mkdir ${HOME}/.local/share/io.github.lainsce.Notejot
+whitelist ${HOME}/.cache/io.github.lainsce.Notejot
+whitelist ${HOME}/.local/share/io.github.lainsce.Notejot
+whitelist /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin io.github.lainsce.Notejot
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own io.github.lainsce.Notejot
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/ipcalc-ng.profile b/etc/profile-a-l/ipcalc-ng.profile
new file mode 100644
index 000000000..3ad0f3a4f
--- /dev/null
+++ b/etc/profile-a-l/ipcalc-ng.profile
@@ -0,0 +1,11 @@
+# Firejail profile ipcalc-ng
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc-ng.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ipcalc.profile
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
new file mode 100644
index 000000000..ea4ee5ae1
--- /dev/null
+++ b/etc/profile-a-l/ipcalc.profile
@@ -0,0 +1,62 @@
+# Firejail profile for ipcalc
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ipcalc.local
+# Persistent global definitions
+include globals.local
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+# include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private
+private-bin bash,ipcalc,ipcalc-ng,perl,sh
+# private-cache
+private-dev
+# empty etc directory
+private-etc none
+private-lib
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/profile-a-l/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile
new file mode 100644
index 000000000..20b24cedf
--- /dev/null
+++ b/etc/profile-a-l/iridium-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for iridium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iridium-browser.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include iridium.profile
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
new file mode 100644
index 000000000..3037d00e9
--- /dev/null
+++ b/etc/profile-a-l/iridium.profile
@@ -0,0 +1,22 @@
+# Firejail profile for iridium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iridium.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/iridium
+noblacklist ${HOME}/.config/iridium
+
+mkdir ${HOME}/.cache/iridium
+mkdir ${HOME}/.config/iridium
+whitelist ${HOME}/.cache/iridium
+whitelist ${HOME}/.config/iridium
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/itch.profile b/etc/profile-a-l/itch.profile
index 7e8f0518d..37cde1577 100644
--- a/etc/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -1,31 +1,36 @@
 # Firejail profile for itch
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/itch.local
+include itch.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
 
+noblacklist ${HOME}/.itch
 noblacklist ${HOME}/.config/itch
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
+mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
 whitelist ${HOME}/.config/itch
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
new file mode 100644
index 000000000..5c4cc74c2
--- /dev/null
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -0,0 +1,42 @@
+# Firejail profile for jami-gnome
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/jami
+noblacklist ${HOME}/.local/share/jami
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/jami
+mkdir ${HOME}/.local/share/jami
+whitelist ${HOME}/.config/jami
+whitelist ${HOME}/.local/share/jami
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+env QT_QPA_PLATFORM=xcb
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
new file mode 100644
index 000000000..37f99c2f0
--- /dev/null
+++ b/etc/profile-a-l/jd-gui.profile
@@ -0,0 +1,44 @@
+# Firejail profile for jd-gui
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jd-gui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/jd-gui.cfg
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin bash,jd-gui,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/jdownloader.profile b/etc/profile-a-l/jdownloader.profile
new file mode 100644
index 000000000..b5f892a9d
--- /dev/null
+++ b/etc/profile-a-l/jdownloader.profile
@@ -0,0 +1,10 @@
+# Firejail profile for jdownloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jdownloader.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include JDownloader.profile
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
new file mode 100644
index 000000000..1209c5e11
--- /dev/null
+++ b/etc/profile-a-l/jerry.profile
@@ -0,0 +1,43 @@
+# Firejail profile for jerry
+# Description: Chess GUI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jerry.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/dkl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin bash,jerry,sh,stockfish
+private-dev
+private-etc fonts,gtk-2.0,gtk-3.0
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
new file mode 100644
index 000000000..edb7ed840
--- /dev/null
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -0,0 +1,27 @@
+# Firejail profile for jitsi-meet-desktop
+# Description: Jitsi Meet desktop application powered by Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi-meet-desktop.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+ignore shell none
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Jitsi Meet
+
+nowhitelist ${DOWNLOADS}
+
+mkdir ${HOME}/.config/Jitsi Meet
+whitelist ${HOME}/.config/Jitsi Meet
+
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+
+# Redirect
+include electron.profile
diff --git a/etc/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 78a57ff46..0e578909a 100644
--- a/etc/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
@@ -1,16 +1,19 @@
 # Firejail profile for jitsi
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/jitsi.local
+include jitsi.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-noblacklist ~/.jitsi
+noblacklist ${HOME}/.jitsi
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 nodvd
@@ -24,4 +27,5 @@ shell none
 tracelog
 
 disable-mnt
+private-cache
 private-tmp
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
new file mode 100644
index 000000000..8d391b90f
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -0,0 +1,16 @@
+# Firejail profile for jumpnbump-menu
+# Description: Level selection and config menu for the Jump 'n Bump game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump-menu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+private-bin jumpnbump-menu,python3*
+
+# Redirect
+include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
new file mode 100644
index 000000000..77d3f6bf4
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -0,0 +1,49 @@
+# Firejail profile for jumpnbump
+# Description: Cute multiplayer platform game with bunnies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.jumpnbump
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.jumpnbump
+whitelist ${HOME}/.jumpnbump
+whitelist /usr/share/jumpnbump
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin jumpnbump
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
new file mode 100644
index 000000000..655257f08
--- /dev/null
+++ b/etc/profile-a-l/k3b.profile
@@ -0,0 +1,38 @@
+# Firejail profile for k3b
+# Description: Sophisticated CD/DVD burning application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include k3b.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/k3brc
+noblacklist ${HOME}/.kde/share/config/k3brc
+noblacklist ${HOME}/.kde4/share/config/k3brc
+noblacklist ${HOME}/.local/share/kxmlgui5/k3b
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
+# net none
+netfilter
+no3d
+# nonewprivs - breaks privileged helpers
+noinput
+# noroot - breaks privileged helpers
+nosound
+notv
+novideo
+# protocol unix - breaks privileged helpers
+# seccomp - breaks privileged helpers
+shell none
+
+private-dev
+# private-tmp
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
new file mode 100644
index 000000000..8799a6f24
--- /dev/null
+++ b/etc/profile-a-l/kaffeine.profile
@@ -0,0 +1,42 @@
+# Firejail profile for kaffeine
+# Description: Versatile media player for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kaffeine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kaffeinerc
+noblacklist ${HOME}/.kde/share/apps/kaffeine
+noblacklist ${HOME}/.kde/share/config/kaffeinerc
+noblacklist ${HOME}/.kde4/share/apps/kaffeine
+noblacklist ${HOME}/.kde4/share/config/kaffeinerc
+noblacklist ${HOME}/.local/share/kaffeine
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+# private-bin kaffeine
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
new file mode 100644
index 000000000..210b7cf03
--- /dev/null
+++ b/etc/profile-a-l/kalgebra.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kalgebra
+# Description: 2D and 3D Graph Calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kalgebra.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kalgebrarc
+noblacklist ${HOME}/.local/share/kalgebra
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kalgebramobile
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp !chroot
+shell none
+# tracelog
+
+disable-mnt
+private-bin kalgebra,kalgebramobile
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile
new file mode 100644
index 000000000..3768d277e
--- /dev/null
+++ b/etc/profile-a-l/kalgebramobile.profile
@@ -0,0 +1,10 @@
+# Firejail profile for kalgebramobile
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kalgebramobile.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include kalgebra.profile
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
new file mode 100644
index 000000000..231299a2f
--- /dev/null
+++ b/etc/profile-a-l/karbon.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include karbon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/karbon
+
+# Redirect
+include krita.profile
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
new file mode 100644
index 000000000..d8b2dddb1
--- /dev/null
+++ b/etc/profile-a-l/kate.profile
@@ -0,0 +1,60 @@
+# Firejail profile for kate
+# Description: Powerful text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kate.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/katemetainfos
+noblacklist ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.local/share/kate
+noblacklist ${HOME}/.local/share/kxmlgui5/kate
+noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
+noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole
+noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
+noblacklist ${HOME}/.local/share/kxmlgui5/katepart
+noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
+noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+# include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin kate,kbuildsycoca4,kdeinit4
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+join-or-start kate
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
new file mode 100644
index 000000000..7b990bf41
--- /dev/null
+++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,55 @@
+# Firejail profile for kazam
+# Description: Screen capture tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kazam.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.config/kazam
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kazam
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin kazam,python*
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
new file mode 100644
index 000000000..46e8ccb82
--- /dev/null
+++ b/etc/profile-a-l/kcalc.profile
@@ -0,0 +1,65 @@
+# Firejail profile for kcalc
+# Description: Simple and scientific calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kcalc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/kxmlgui5/kcalc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/kxmlgui5/kcalc
+mkfile ${HOME}/.config/kcalcrc
+mkfile ${HOME}/.kde/share/config/kcalcrc
+mkfile ${HOME}/.kde4/share/config/kcalcrc
+whitelist ${HOME}/.config/kcalcrc
+whitelist ${HOME}/.kde/share/config/kcalcrc
+whitelist ${HOME}/.kde4/share/config/kcalcrc
+whitelist ${HOME}/.local/share/kxmlgui5/kcalc
+whitelist /usr/share/config.kcfg/kcalc.kcfg
+whitelist /usr/share/kcalc
+whitelist /usr/share/kconf_update/kcalcrc.upd
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin kcalc
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
+# private-lib - problems on Arch
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
new file mode 100644
index 000000000..4ddd5dac5
--- /dev/null
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -0,0 +1,37 @@
+# Firejail profile for kdeinit4
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdeinit4.local
+# Persistent global definitions
+include globals.local
+
+# use outside KDE Plasma 4
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+# nosound - disabled for knotify
+noroot
+nou2f
+novideo
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
new file mode 100644
index 000000000..87808ced7
--- /dev/null
+++ b/etc/profile-a-l/kdenlive.profile
@@ -0,0 +1,41 @@
+# Firejail profile for kdenlive
+# Description: Non-linear video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdenlive.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
+noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+# net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
new file mode 100644
index 000000000..7c9be2bcc
--- /dev/null
+++ b/etc/profile-a-l/kdiff3.profile
@@ -0,0 +1,56 @@
+# Firejail profile for kdiff3
+# Description: KDiff3 is a file and folder diff and merge tool.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdiff3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kdiff3fileitemactionrc
+noblacklist ${HOME}/.config/kdiff3rc
+
+# Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc.
+# By default we deny access only to .ssh and .gnupg.
+#include disable-common.inc
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.gnupg
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+# Add the next line to your kdiff3.local if you don't need to compare files in /usr/share.
+#include whitelist-usr-share-common.inc
+# Add the next line to your kdiff3.local if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin  kdiff3
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/keepass.profile b/etc/profile-a-l/keepass.profile
index c133ce0fb..f26c10be3 100644
--- a/etc/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -1,9 +1,10 @@
 # Firejail profile for keepass
+# Description: An easy-to-use password manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/keepass.local
+include keepass.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
@@ -12,28 +13,32 @@ noblacklist ${HOME}/.config/keepass
 noblacklist ${HOME}/.keepass
 noblacklist ${HOME}/.local/share/KeePass
 noblacklist ${HOME}/.local/share/keepass
+noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/keepass2.profile b/etc/profile-a-l/keepass2.profile
new file mode 100644
index 000000000..72f79bef7
--- /dev/null
+++ b/etc/profile-a-l/keepass2.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for keepass
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepass2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include keepass.profile
diff --git a/etc/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 27ca408f5..768a3cef0 100644
--- a/etc/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -1,21 +1,25 @@
 # Firejail profile for keepassx
+# Description: Cross Platform Password Manager
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/keepassx.local
+include keepassx.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
+noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 machine-id
@@ -23,10 +27,12 @@ net none
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
@@ -35,9 +41,10 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/keepassx2.profile b/etc/profile-a-l/keepassx2.profile
new file mode 100644
index 000000000..f2704d67f
--- /dev/null
+++ b/etc/profile-a-l/keepassx2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for keepassx2
+# Description: Cross platform password manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassx2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirects
+include keepassx.profile
diff --git a/etc/profile-a-l/keepassxc-cli.profile b/etc/profile-a-l/keepassxc-cli.profile
new file mode 100644
index 000000000..925609384
--- /dev/null
+++ b/etc/profile-a-l/keepassxc-cli.profile
@@ -0,0 +1,11 @@
+# Firejail profile for keepassxc-cli
+# Description: command line interface for KeePassXC
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include keepassxc.profile
diff --git a/etc/profile-a-l/keepassxc-proxy.profile b/etc/profile-a-l/keepassxc-proxy.profile
new file mode 100644
index 000000000..b2b6763ee
--- /dev/null
+++ b/etc/profile-a-l/keepassxc-proxy.profile
@@ -0,0 +1,10 @@
+# Firejail profile for keepassxc-cli
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc-proxy.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include keepassxc.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
new file mode 100644
index 000000000..b915f6202
--- /dev/null
+++ b/etc/profile-a-l/keepassxc.profile
@@ -0,0 +1,110 @@
+# Firejail profile for keepassxc
+# Description: Cross Platform Password Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.cache/keepassxc
+noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.config/KeePassXCrc
+noblacklist ${HOME}/.keepassxc
+noblacklist ${DOCUMENTS}
+
+# Allow browser profiles, required for browser integration.
+noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/google-chrome
+noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.local/share/torbrowser
+noblacklist ${HOME}/.mozilla
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local.
+# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx.
+#mkdir ${HOME}/Documents/KeePassXC
+#whitelist ${HOME}/Documents/KeePassXC
+# Needed for KeePassXC-Browser.
+#mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts
+#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/chromium/NativeMessagingHosts
+#mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/google-chrome/NativeMessagingHosts
+#mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/vivaldi/NativeMessagingHosts
+#mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts
+#mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.mozilla/native-messaging-hosts
+#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.cache/keepassxc
+#mkdir ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.cache/keepassxc
+#whitelist ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.config/KeePassXCrc
+#include whitelist-common.inc
+
+whitelist /usr/share/keepassxc
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !name_to_handle_at
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin keepassxc,keepassxc-cli,keepassxc-proxy
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id
+private-tmp
+
+dbus-user filter
+dbus-user.own org.keepassxc.KeePassXC.*
+dbus-user.talk com.canonical.Unity
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-user.talk org.gnome.ScreenSaver
+dbus-user.talk org.gnome.SessionManager
+dbus-user.talk org.xfce.ScreenSaver
+# Add the next line to your keepassxc.local to allow notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your keepassxc.local to allow the tray menu.
+#dbus-user.talk org.kde.StatusNotifierWatcher
+#dbus-user.own org.kde.*
+dbus-system filter
+dbus-system.talk org.freedesktop.login1
+
+# Mutex is stored in /tmp by default, which is broken by private-tmp.
+join-or-start keepassxc
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
new file mode 100644
index 000000000..40fe65e3f
--- /dev/null
+++ b/etc/profile-a-l/kfind.profile
@@ -0,0 +1,47 @@
+# Firejail profile for kfind
+# Description: File search utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kfind.local
+# Persistent global definitions
+include globals.local
+
+# searching in blacklisted or masked paths fails silently
+# adjust filesystem restrictions as necessary
+
+# noblacklist ${HOME}/.cache/kfind - disable-programs.inc is disabled, see below
+# noblacklist ${HOME}/.config/kfindrc
+# noblacklist ${HOME}/.kde/share/config/kfindrc
+# noblacklist ${HOME}/.kde4/share/config/kfindrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin kbuildsycoca4,kdeinit4,kfind
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
new file mode 100644
index 000000000..ec315b431
--- /dev/null
+++ b/etc/profile-a-l/kget.profile
@@ -0,0 +1,42 @@
+# Firejail profile for kget
+# Description: Download manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kget.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kxmlgui5/kget
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev
+private-tmp
+
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/kid3-cli.profile b/etc/profile-a-l/kid3-cli.profile
new file mode 100644
index 000000000..bee62b5d9
--- /dev/null
+++ b/etc/profile-a-l/kid3-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile for kid3-cli
+# This file is overwritten after every install/update
+include kid3-cli.local
+
+# Redirect
+include kid3.profile
diff --git a/etc/profile-a-l/kid3-qt.profile b/etc/profile-a-l/kid3-qt.profile
new file mode 100644
index 000000000..9bcede077
--- /dev/null
+++ b/etc/profile-a-l/kid3-qt.profile
@@ -0,0 +1,8 @@
+# Firejail profile for kid3-qt
+# This file is overwritten after every install/update
+include kid3-qt.local
+
+noblacklist ${HOME}/.config/Kid3
+
+# Redirect
+include kid3.profile
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
new file mode 100644
index 000000000..e66716eeb
--- /dev/null
+++ b/etc/profile-a-l/kid3.profile
@@ -0,0 +1,48 @@
+# Firejail profile for kid3
+# Description: Audio Tag Editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kid3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.config/kid3rc
+noblacklist ${HOME}/.local/share/kxmlgui5/kid3
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
new file mode 100644
index 000000000..1f42526d3
--- /dev/null
+++ b/etc/profile-a-l/kino.profile
@@ -0,0 +1,37 @@
+# Firejail profile for kino
+# Description: Non-linear editor for Digital Video data
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kino.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kino-history
+noblacklist ${HOME}/.kinorc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
new file mode 100644
index 000000000..968402a8a
--- /dev/null
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -0,0 +1,51 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
new file mode 100644
index 000000000..f089658af
--- /dev/null
+++ b/etc/profile-a-l/klatexformula.profile
@@ -0,0 +1,45 @@
+# Firejail profile for klatexformula
+# Description: generating images from LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kde/share/apps/klatexformula
+noblacklist ${HOME}/.klatexformula
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile
new file mode 100644
index 000000000..3142cbca6
--- /dev/null
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for klatexformula_cmdl
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klatexformula_cmdl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include klatexformula.profile
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
new file mode 100644
index 000000000..f733fa42c
--- /dev/null
+++ b/etc/profile-a-l/klavaro.profile
@@ -0,0 +1,54 @@
+# Firejail profile for klavaro
+# Description: Yet another touch typing tutor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include klavaro.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/klavaro
+noblacklist ${HOME}/.local/share/klavaro
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/klavaro
+mkdir ${HOME}/.config/klavaro
+whitelist ${HOME}/.local/share/klavaro
+whitelist ${HOME}/.config/klavaro
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,klavaro,sh,tclsh,tclsh*
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
new file mode 100644
index 000000000..2c645677c
--- /dev/null
+++ b/etc/profile-a-l/kmail.profile
@@ -0,0 +1,62 @@
+# Firejail profile for kmail
+# Description: Full featured graphical email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmail.local
+# Persistent global definitions
+include globals.local
+
+# kmail has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when kmail is started
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.cache/kmail2
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emaildefaults
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/kmailsearchindexingrc
+noblacklist ${HOME}/.config/mailtransports
+noblacklist ${HOME}/.config/specialmailcollectionsrc
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/akonadi*
+noblacklist ${HOME}/.local/share/apps/korganizer
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist ${HOME}/.local/share/notes
+noblacklist /tmp/akonadi-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# we need to allow chroot, io_getevents, ioprio_set, io_setup, io_submit system calls
+seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
+# tracelog
+
+private-dev
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+# writable-run-user is needed for signing and encrypting emails
+writable-run-user
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
new file mode 100644
index 000000000..8d462c44c
--- /dev/null
+++ b/etc/profile-a-l/kmplayer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/knotes.profile b/etc/profile-a-l/knotes.profile
new file mode 100644
index 000000000..f155d0ad6
--- /dev/null
+++ b/etc/profile-a-l/knotes.profile
@@ -0,0 +1,18 @@
+# Firejail profile for knotes
+# Description: Sticky notes application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include knotes.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# knotes has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when knotes is started
+
+noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/knotes
+noblacklist ${HOME}/.local/share/kxmlgui5/knotes
+
+# Redirect
+include kmail.profile
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
new file mode 100644
index 000000000..f901637f3
--- /dev/null
+++ b/etc/profile-a-l/kodi.profile
@@ -0,0 +1,55 @@
+# Firejail profile for kodi
+# Description: Open Source Home Theatre
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kodi.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} breaks plugins
+ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
+# Add the following to your kodi.local if you use the Lutris Kodi Addon
+#noblacklist /sbin
+#noblacklist /usr/sbin
+#noblacklist ${HOME}/.cache/lutris
+#noblacklist ${HOME}/.config/lutris
+#noblacklist ${HOME}/.local/share/lutris
+
+noblacklist ${HOME}/.kodi
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+# Seems to cause issues with Nvidia drivers sometimes (#3501)
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
new file mode 100644
index 000000000..723fef0d2
--- /dev/null
+++ b/etc/profile-a-l/konversation.profile
@@ -0,0 +1,45 @@
+# Firejail profile for konversation
+# Description: User friendly Internet Relay Chat (IRC) client for KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include konversation.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/konversationrc
+noblacklist ${HOME}/.config/konversation.notifyrc
+noblacklist ${HOME}/.kde/share/config/konversationrc
+noblacklist ${HOME}/.kde4/share/config/konversationrc
+noblacklist ${HOME}/.local/share/kxmlgui5/konversation
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin kbuildsycoca4,konversation
+private-cache
+private-dev
+private-tmp
+
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
new file mode 100644
index 000000000..9e75b03eb
--- /dev/null
+++ b/etc/profile-a-l/kopete.profile
@@ -0,0 +1,39 @@
+# Firejail profile for kopete
+# Description: Instant messaging and chat application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kopete.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kde/share/apps/kopete
+noblacklist ${HOME}/.kde/share/config/kopeterc
+noblacklist ${HOME}/.kde4/share/apps/kopete
+noblacklist ${HOME}/.kde4/share/config/kopeterc
+noblacklist ${HOME}/.local/share/kxmlgui5/kopete
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /var/lib/winpopup
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+
+private-dev
+private-tmp
+writable-var
+
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
new file mode 100644
index 000000000..2d3225421
--- /dev/null
+++ b/etc/profile-a-l/krita.profile
@@ -0,0 +1,51 @@
+# Firejail profile for krita
+# Description: Pixel-based image manipulation program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include krita.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} may break krita, see issue #1953
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/kritarc
+noblacklist ${HOME}/.local/share/krita
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
new file mode 100644
index 000000000..96eb6978d
--- /dev/null
+++ b/etc/profile-a-l/krunner.profile
@@ -0,0 +1,37 @@
+# Firejail profile for krunner
+# Description: Framework for providing different actions given a string query
+# This file is overwritten after every install/update
+# Persistent local customizations
+include krunner.local
+# Persistent global definitions
+include globals.local
+
+# - programs started in krunner run with this generic profile
+# - when a file is opened in krunner, the file viewer runs in its own sandbox
+#   with its own profile, if it is sandboxed automatically
+
+# noblacklist ${HOME}/.cache/krunner
+# noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+# noblacklist ${HOME}/.config/chromium
+noblacklist ${HOME}/.config/krunnerrc
+noblacklist ${HOME}/.kde/share/config/krunnerrc
+noblacklist ${HOME}/.kde4/share/config/krunnerrc
+# noblacklist ${HOME}/.local/share/baloo
+# noblacklist ${HOME}/.mozilla
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-interpreters.inc
+# include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# private-cache
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
new file mode 100644
index 000000000..9d8aa1bd7
--- /dev/null
+++ b/etc/profile-a-l/ktorrent.profile
@@ -0,0 +1,64 @@
+# Firejail profile for ktorrent
+# Description: BitTorrent client based on the KDE platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktorrent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktorrentrc
+noblacklist ${HOME}/.kde/share/apps/ktorrent
+noblacklist ${HOME}/.kde/share/config/ktorrentrc
+noblacklist ${HOME}/.kde4/share/apps/ktorrent
+noblacklist ${HOME}/.kde4/share/config/ktorrentrc
+noblacklist ${HOME}/.local/share/ktorrent
+noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.kde/share/apps/ktorrent
+mkdir ${HOME}/.kde4/share/apps/ktorrent
+mkdir ${HOME}/.local/share/ktorrent
+mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
+mkfile ${HOME}/.config/ktorrentrc
+mkfile ${HOME}/.kde/share/config/ktorrentrc
+mkfile ${HOME}/.kde4/share/config/ktorrentrc
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/ktorrentrc
+whitelist ${HOME}/.kde/share/apps/ktorrent
+whitelist ${HOME}/.kde/share/config/ktorrentrc
+whitelist ${HOME}/.kde4/share/apps/ktorrent
+whitelist ${HOME}/.kde4/share/config/ktorrentrc
+whitelist ${HOME}/.local/share/ktorrent
+whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin kbuildsycoca4,kdeinit4,ktorrent
+private-dev
+# private-lib - problems on Arch
+private-tmp
+
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
new file mode 100644
index 000000000..051782172
--- /dev/null
+++ b/etc/profile-a-l/ktouch.profile
@@ -0,0 +1,53 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
new file mode 100644
index 000000000..262ffb532
--- /dev/null
+++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
+# Firejail profile for kube
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/kube
+noblacklist ${HOME}/.config/kube
+noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/sink
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/kube
+mkdir ${HOME}/.config/kube
+mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.local/share/kube
+mkdir ${HOME}/.local/share/sink
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/kube
+whitelist ${HOME}/.config/kube
+whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/sink
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/kube
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin kube,sink_synchronizer
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
new file mode 100644
index 000000000..5bbadfc73
--- /dev/null
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -0,0 +1,46 @@
+# Firejail profile for kwin_x11
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kwin_x11.local
+# Persistent global definitions
+include globals.local
+
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
+
+noblacklist ${HOME}/.cache/kwin
+noblacklist ${HOME}/.config/kwinrc
+noblacklist ${HOME}/.config/kwinrulesrc
+noblacklist ${HOME}/.local/share/kwin
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin kwin_x11
+private-dev
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-tmp
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
new file mode 100644
index 000000000..682c7782d
--- /dev/null
+++ b/etc/profile-a-l/kwrite.profile
@@ -0,0 +1,55 @@
+# Firejail profile for kwrite
+# Description: Simple text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kwrite.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/katepartrc
+noblacklist ${HOME}/.config/katerc
+noblacklist ${HOME}/.config/kateschemarc
+noblacklist ${HOME}/.config/katesyntaxhighlightingrc
+noblacklist ${HOME}/.config/katevirc
+noblacklist ${HOME}/.config/kwriterc
+noblacklist ${HOME}/.local/share/kwrite
+noblacklist ${HOME}/.local/share/kxmlgui5/kwrite
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound - KWrite is using ALSA!
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin kbuildsycoca4,kdeinit4,kwrite
+private-dev
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+join-or-start kwrite
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
new file mode 100644
index 000000000..7993e97e3
--- /dev/null
+++ b/etc/profile-a-l/latex-common.profile
@@ -0,0 +1,41 @@
+# Firejail profile for latex-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /var/lib
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/latex.profile b/etc/profile-a-l/latex.profile
new file mode 100644
index 000000000..2230dd570
--- /dev/null
+++ b/etc/profile-a-l/latex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for latex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex.local
+# Persistent global definitions
+include globals.local
+
+private-bin latex
+
+# Redirect
+include latex-common.profile
+
diff --git a/etc/profile-a-l/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile
new file mode 100644
index 000000000..3b5b98493
--- /dev/null
+++ b/etc/profile-a-l/lbunzip2.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lbunzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/lbzcat.profile b/etc/profile-a-l/lbzcat.profile
new file mode 100644
index 000000000..e628ceaae
--- /dev/null
+++ b/etc/profile-a-l/lbzcat.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lbzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/lbzip2.profile b/etc/profile-a-l/lbzip2.profile
new file mode 100644
index 000000000..5d7935780
--- /dev/null
+++ b/etc/profile-a-l/lbzip2.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for gzip
+# Description: GNU compression utilities
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lbzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
new file mode 100644
index 000000000..75105abf2
--- /dev/null
+++ b/etc/profile-a-l/leafpad.profile
@@ -0,0 +1,41 @@
+# Firejail profile for leafpad
+# Description: GTK+ based simple text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include leafpad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/leafpad
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin leafpad
+private-dev
+private-lib
+private-tmp
+
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
new file mode 100644
index 000000000..db61bf941
--- /dev/null
+++ b/etc/profile-a-l/less.profile
@@ -0,0 +1,51 @@
+# Firejail profile for less
+# Description: Pager program similar to more
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include less.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.lesshst
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+noinput
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
+# Enable private-bin and private-lib if you are not using any filter.
+# private-bin less
+# private-lib
+private-cache
+private-dev
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.lesshst
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
new file mode 100644
index 000000000..c1ce4bb8d
--- /dev/null
+++ b/etc/profile-a-l/librecad.profile
@@ -0,0 +1,50 @@
+# Firejail profile for librecad
+# Persistent local customizations
+include librecad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/LibreCAD
+noblacklist ${HOME}/.local/share/LibreCAD
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/librecad
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+#nogroups
+#noinput
+nonewprivs
+noroot
+notv
+#nou2f
+novideo
+protocol unix,inet,inet6
+netfilter
+seccomp
+shell none
+#tracelog
+
+#disable-mnt
+private-bin librecad
+private-dev
+# private-etc cups,drirc,fonts,passwd,xdg
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
new file mode 100644
index 000000000..328307705
--- /dev/null
+++ b/etc/profile-a-l/libreoffice.profile
@@ -0,0 +1,57 @@
+# Firejail profile for libreoffice
+# Description: Office productivity suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include libreoffice.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+
+# libreoffice uses java for some functionality.
+# Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode.
+# Add the next lines to your libreoffice.local to use the Ubuntu profile instead of firejail's apparmor profile.
+#ignore apparmor
+#ignore nonewprivs
+#ignore protocol
+#ignore seccomp
+#ignore tracelog
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
+private-dev
+private-tmp
+
+dbus-system none
+
+join-or-start libreoffice
diff --git a/etc/profile-a-l/librewolf-nightly.profile b/etc/profile-a-l/librewolf-nightly.profile
new file mode 100644
index 000000000..72df5a52a
--- /dev/null
+++ b/etc/profile-a-l/librewolf-nightly.profile
@@ -0,0 +1,13 @@
+# Firejail profile for librewolf-nightly
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf-nightly.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Add the next line to your librewolf-nightly.local to enable private-bin.
+#private-bin librewolf-nightly
+
+# Redirect
+include librewolf.profile
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
new file mode 100644
index 000000000..ebffbbabf
--- /dev/null
+++ b/etc/profile-a-l/librewolf.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Librewolf
+# Description: Firefox fork based on privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include librewolf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/librewolf
+noblacklist ${HOME}/.librewolf
+
+mkdir ${HOME}/.cache/librewolf
+mkdir ${HOME}/.librewolf
+whitelist ${HOME}/.cache/librewolf
+whitelist ${HOME}/.librewolf
+
+# Add the next lines to your librewolf.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
+# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them.
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# Add the next line to your librewolf.local to enable private-bin (Arch Linux).
+#private-bin dbus-launch,dbus-send,librewolf,sh
+# Add the next line to your librewolf.local to enable private-etc.
+# NOTE: private-etc must first be enabled in firefox-common.local.
+#private-etc librewolf
+
+dbus-user filter
+dbus-user.own org.mozilla.librewolf.*
+# Add the next line to your librewolf.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your librewolf.local to allow inhibiting screensavers.
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Add the next lines to your librewolf.local for plasma browser integration.
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
+# Add the next line to your librewolf.local to allow screensharing under Wayland.
+#dbus-user.talk org.freedesktop.portal.Desktop
+# Also add the next line to your librewolf.local if screensharing does not work with
+# the above lines (depends on the portal implementation).
+#ignore noroot
+ignore dbus-user none
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
new file mode 100644
index 000000000..747fd85fa
--- /dev/null
+++ b/etc/profile-a-l/lifeograph.profile
@@ -0,0 +1,57 @@
+# Firejail profile for lifeograph
+# Description: Lifeograph is a diary program to take personal notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lifeograph.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist /usr/share/lifeograph
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin lifeograph
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
new file mode 100644
index 000000000..f7955e352
--- /dev/null
+++ b/etc/profile-a-l/liferea.profile
@@ -0,0 +1,62 @@
+# Firejail profile for liferea
+# Description: Feed/news/podcast client with plugin support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include liferea.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/liferea
+noblacklist ${HOME}/.config/liferea
+noblacklist ${HOME}/.local/share/liferea
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/liferea
+mkdir ${HOME}/.config/liferea
+mkdir ${HOME}/.local/share/liferea
+whitelist ${HOME}/.cache/liferea
+whitelist ${HOME}/.config/liferea
+whitelist ${HOME}/.local/share/liferea
+whitelist /usr/share/liferea
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.own net.sourceforge.liferea
+dbus-user.talk ca.desrt.dconf
+# Add the next line to your liferea.local if you use the 'Popup Notifications' plugin.
+#dbus-user.talk org.freedesktop.Notifications
+# Add the next line to your liferea.local if you use the 'Libsecret Support' plugin.
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-a-l/lightsoff.profile b/etc/profile-a-l/lightsoff.profile
new file mode 100644
index 000000000..c065c44a9
--- /dev/null
+++ b/etc/profile-a-l/lightsoff.profile
@@ -0,0 +1,16 @@
+# Firejail profile for lightsoff
+# Description: GNOME Lightsoff game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/lightsoff
+
+private-bin lightsoff
+
+dbus-user.own org.gnome.LightsOff
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
new file mode 100644
index 000000000..073d814ec
--- /dev/null
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -0,0 +1,48 @@
+# Firejail profile for lincity-ng
+# Description: City simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lincity-ng.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lincity-ng
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lincity-ng
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
new file mode 100644
index 000000000..bd28f25d6
--- /dev/null
+++ b/etc/profile-a-l/links-common.profile
@@ -0,0 +1,62 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include links-common.local
+
+# common profile for links browsers
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
+# used as associated programs can be added in your links-common.local.
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# Add 'ignore machine-id' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+machine-id
+netfilter
+# Add 'ignore no3d' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# Add 'ignore nosound' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# Add  'private-bin PROGRAM1,PROGRAM2' to your links-common.local  if you want to use user-configured programs.
+private-bin sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Add the next line to your links-common.local to allow external media players.
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
new file mode 100644
index 000000000..8ce39cc7f
--- /dev/null
+++ b/etc/profile-a-l/links.profile
@@ -0,0 +1,18 @@
+# Firejail profile for links
+# Description: Text WWW browser
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links
+
+mkdir ${HOME}/.links
+whitelist ${HOME}/.links
+
+private-bin links
+
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
new file mode 100644
index 000000000..5f91dfcd2
--- /dev/null
+++ b/etc/profile-a-l/links2.profile
@@ -0,0 +1,18 @@
+# Firejail profile for links2
+# Description: Text WWW browser with a graphic version
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links2
+
+mkdir ${HOME}/.links2
+whitelist ${HOME}/.links2
+
+private-bin links2
+
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
new file mode 100644
index 000000000..f821c7512
--- /dev/null
+++ b/etc/profile-a-l/linphone.profile
@@ -0,0 +1,50 @@
+# Firejail profile for linphone
+# Description: SIP softphone - graphical client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include linphone.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/linphone
+noblacklist ${HOME}/.linphone-history.db
+noblacklist ${HOME}/.linphonerc
+noblacklist ${HOME}/.local/share/linphone
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# linphone 4.0 (released 2017-06-26) moved config and database files to respect
+# freedesktop standards. For backward compatibility we continue to whitelist
+# ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
+mkdir ${HOME}/.config/linphone
+mkdir ${HOME}/.local/share/linphone
+whitelist ${HOME}/.config/linphone
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/.local/share/linphone
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
new file mode 100644
index 000000000..d1a754a6e
--- /dev/null
+++ b/etc/profile-a-l/lmms.profile
@@ -0,0 +1,40 @@
+# Firejail profile for lmms
+# Description: Linux Multimedia Studio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lmms.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lmmsrc.xml
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/lobase.profile b/etc/profile-a-l/lobase.profile
new file mode 100644
index 000000000..b248d38f7
--- /dev/null
+++ b/etc/profile-a-l/lobase.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lobase.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/localc.profile b/etc/profile-a-l/localc.profile
new file mode 100644
index 000000000..a467ef3db
--- /dev/null
+++ b/etc/profile-a-l/localc.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include localc.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lodraw.profile b/etc/profile-a-l/lodraw.profile
new file mode 100644
index 000000000..f1db590ed
--- /dev/null
+++ b/etc/profile-a-l/lodraw.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lodraw.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/loffice.profile b/etc/profile-a-l/loffice.profile
new file mode 100644
index 000000000..aa291017a
--- /dev/null
+++ b/etc/profile-a-l/loffice.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include loffice.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile
new file mode 100644
index 000000000..534dc5d14
--- /dev/null
+++ b/etc/profile-a-l/lofromtemplate.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lofromtemplate.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/loimpress.profile b/etc/profile-a-l/loimpress.profile
new file mode 100644
index 000000000..a9473d1a6
--- /dev/null
+++ b/etc/profile-a-l/loimpress.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include loimpress.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
new file mode 100644
index 000000000..a187ca0fc
--- /dev/null
+++ b/etc/profile-a-l/lollypop.profile
@@ -0,0 +1,42 @@
+# Firejail profile for lollypop
+# Description: Music player for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lollypop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/lollypop
+noblacklist ${MUSIC}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+
diff --git a/etc/profile-a-l/lomath.profile b/etc/profile-a-l/lomath.profile
new file mode 100644
index 000000000..8bc388be7
--- /dev/null
+++ b/etc/profile-a-l/lomath.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lomath.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/loweb.profile b/etc/profile-a-l/loweb.profile
new file mode 100644
index 000000000..34b9dcad0
--- /dev/null
+++ b/etc/profile-a-l/loweb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include loweb.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lowriter.profile b/etc/profile-a-l/lowriter.profile
new file mode 100644
index 000000000..054ce3a48
--- /dev/null
+++ b/etc/profile-a-l/lowriter.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lowriter.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-a-l/lrunzip.profile b/etc/profile-a-l/lrunzip.profile
new file mode 100644
index 000000000..c010cbd96
--- /dev/null
+++ b/etc/profile-a-l/lrunzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrunzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrz.profile b/etc/profile-a-l/lrz.profile
new file mode 100644
index 000000000..8077be945
--- /dev/null
+++ b/etc/profile-a-l/lrz.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrz
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrzcat.profile b/etc/profile-a-l/lrzcat.profile
new file mode 100644
index 000000000..d05ee7aae
--- /dev/null
+++ b/etc/profile-a-l/lrzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzcat
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrzip.profile b/etc/profile-a-l/lrzip.profile
new file mode 100644
index 000000000..3767767f6
--- /dev/null
+++ b/etc/profile-a-l/lrzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrztar.profile b/etc/profile-a-l/lrztar.profile
new file mode 100644
index 000000000..673e9f62e
--- /dev/null
+++ b/etc/profile-a-l/lrztar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrztar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrztar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lrzuntar.profile b/etc/profile-a-l/lrzuntar.profile
new file mode 100644
index 000000000..245d1c669
--- /dev/null
+++ b/etc/profile-a-l/lrzuntar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzuntar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lrzuntar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lsar.profile b/etc/profile-a-l/lsar.profile
new file mode 100644
index 000000000..faf5bb7f9
--- /dev/null
+++ b/etc/profile-a-l/lsar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for lsar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lsar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin lsar
+
+# Redirect
+include ar.profile
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
new file mode 100644
index 000000000..3d52d1266
--- /dev/null
+++ b/etc/profile-a-l/lugaru.profile
@@ -0,0 +1,52 @@
+# Firejail profile for lugaru
+# Description: Ninja rabbit fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lugaru.local
+# Persistent global definitions
+include globals.local
+
+# note: crashes after entering
+
+noblacklist ${HOME}/.config/lugaru
+noblacklist ${HOME}/.local/share/lugaru
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lugaru
+mkdir ${HOME}/.local/share/lugaru
+whitelist ${HOME}/.config/lugaru
+whitelist ${HOME}/.local/share/lugaru
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lugaru
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index ec2a65290..179bc37f2 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -1,25 +1,31 @@
 # Firejail profile for luminance-hdr
+# Description: Graphical user interface providing a workflow for HDR imaging
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/luminance-hdr.local
+include luminance-hdr.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Luminance
+noblacklist ${PICTURES}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
@@ -27,8 +33,7 @@ shell none
 tracelog
 
 #private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
new file mode 100644
index 000000000..bf8ab9e64
--- /dev/null
+++ b/etc/profile-a-l/lutris.profile
@@ -0,0 +1,79 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
+# Lutris won't even start.
+noblacklist /sbin
+noblacklist /usr/sbin
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# Add the next line to your lutris.local if you do not need controller support.
+#private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.own net.lutris.Lutris
+dbus-user.talk com.feralinteractive.GameMode
+dbus-system none
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
new file mode 100644
index 000000000..404535f91
--- /dev/null
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -0,0 +1,38 @@
+# Firejail profile for lximage-qt
+# Description: Image viewer for LXQt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lximage-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/lximage-qt
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
new file mode 100644
index 000000000..0651b8329
--- /dev/null
+++ b/etc/profile-a-l/lxmusic.profile
@@ -0,0 +1,40 @@
+# Firejail profile for lxmusic
+# Description: LXDE music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lxmusic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/xmms2
+noblacklist ${HOME}/.config/xmms2
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
new file mode 100644
index 000000000..05a92e39d
--- /dev/null
+++ b/etc/profile-a-l/lynx.profile
@@ -0,0 +1,42 @@
+# Firejail profile for lynx
+# Description: Classic non-graphical (text-mode) web browser
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lynx.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin lynx
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
new file mode 100644
index 000000000..fa69463d1
--- /dev/null
+++ b/etc/profile-a-l/lyx.profile
@@ -0,0 +1,38 @@
+# Firejail profile for lyx
+# Description: Open source document processor based on LaTeX typsetting
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lyx.local
+# Persistent global definitions
+include globals.local
+
+ignore private-tmp
+
+noblacklist ${HOME}/.config/LyX
+noblacklist ${HOME}/.lyx
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+whitelist /usr/share/lyx
+whitelist /usr/share/texinfo
+whitelist /usr/share/texlive
+whitelist /usr/share/texmf-dist
+whitelist /usr/share/tlpkg
+include whitelist-usr-share-common.inc
+
+apparmor
+machine-id
+
+# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
+
+# Redirect
+include latex-common.profile
diff --git a/etc/profile-a-l/lzcat.profile b/etc/profile-a-l/lzcat.profile
new file mode 100644
index 000000000..693a1e167
--- /dev/null
+++ b/etc/profile-a-l/lzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzcmp.profile b/etc/profile-a-l/lzcmp.profile
new file mode 100644
index 000000000..f2e49fde0
--- /dev/null
+++ b/etc/profile-a-l/lzcmp.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzdiff.profile b/etc/profile-a-l/lzdiff.profile
new file mode 100644
index 000000000..1e2e17eee
--- /dev/null
+++ b/etc/profile-a-l/lzdiff.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzegrep.profile b/etc/profile-a-l/lzegrep.profile
new file mode 100644
index 000000000..ca93f2a8b
--- /dev/null
+++ b/etc/profile-a-l/lzegrep.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile
new file mode 100644
index 000000000..97138e9a0
--- /dev/null
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzgrep.profile b/etc/profile-a-l/lzgrep.profile
new file mode 100644
index 000000000..fca9a39df
--- /dev/null
+++ b/etc/profile-a-l/lzgrep.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzip.profile b/etc/profile-a-l/lzip.profile
new file mode 100644
index 000000000..806375b05
--- /dev/null
+++ b/etc/profile-a-l/lzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzless.profile b/etc/profile-a-l/lzless.profile
new file mode 100644
index 000000000..20cae4a87
--- /dev/null
+++ b/etc/profile-a-l/lzless.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzma.profile b/etc/profile-a-l/lzma.profile
new file mode 100644
index 000000000..776550bf9
--- /dev/null
+++ b/etc/profile-a-l/lzma.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzma.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile
new file mode 100644
index 000000000..9dac75927
--- /dev/null
+++ b/etc/profile-a-l/lzmadec.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for xzdec
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzmadec.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xzdec.profile
diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile
new file mode 100644
index 000000000..25b65c48f
--- /dev/null
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzmainfo.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile
new file mode 100644
index 000000000..aa4350ad5
--- /dev/null
+++ b/etc/profile-a-l/lzmore.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-a-l/lzop.profile b/etc/profile-a-l/lzop.profile
new file mode 100644
index 000000000..f3175c590
--- /dev/null
+++ b/etc/profile-a-l/lzop.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lzop
+# Description: File compressor using lzo lib
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lzop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
new file mode 100644
index 000000000..3acb88e0e
--- /dev/null
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -0,0 +1,46 @@
+# Firejail profile for Maelstrom
+# Description: A space combat game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Maelstrom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/games/Maelstrom-Scores
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /var/lib/games
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+#nonewprivs
+#noroot
+notv
+nou2f
+novideo
+#protocol unix
+#seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin Maelstrom
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile
new file mode 100644
index 000000000..493a740d7
--- /dev/null
+++ b/etc/profile-m-z/Maps.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-maps
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Maps.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-maps.profile
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
new file mode 100644
index 000000000..6286f066e
--- /dev/null
+++ b/etc/profile-m-z/Mathematica.profile
@@ -0,0 +1,29 @@
+# Firejail profile for Mathematica
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Mathematica.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Mathematica
+noblacklist ${HOME}/.Wolfram Research
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.Mathematica
+mkdir ${HOME}/.Wolfram Research
+mkdir ${HOME}/Documents/Wolfram Mathematica
+whitelist ${HOME}/.Mathematica
+whitelist ${HOME}/.Wolfram Research
+whitelist ${HOME}/Documents/Wolfram Mathematica
+include whitelist-common.inc
+
+caps.drop all
+nodvd
+nonewprivs
+noroot
+notv
+seccomp
diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile
new file mode 100644
index 000000000..061e5d83b
--- /dev/null
+++ b/etc/profile-m-z/Natron.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Natron.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include natron.profile
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
new file mode 100644
index 000000000..59150f4c4
--- /dev/null
+++ b/etc/profile-m-z/PCSX2.profile
@@ -0,0 +1,56 @@
+# Firejail profile for PCSX2
+# Description: A PlayStation 2 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PCSX2.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in your PCSX2.local.
+
+noblacklist ${HOME}/.config/PCSX2
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PCSX2
+whitelist ${HOME}/.config/PCSX2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Add the next line to your PCSX2.local if you're not loading games from disc.
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+#seccomp - breaks loading with no logs
+shell none
+#tracelog - 32/64 bit incompatibility
+
+private-bin PCSX2
+private-cache
+# Add the next line to your PCSX2.local if you do not need controller support.
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/PPSSPPQt.profile b/etc/profile-m-z/PPSSPPQt.profile
new file mode 100644
index 000000000..c5592f99c
--- /dev/null
+++ b/etc/profile-m-z/PPSSPPQt.profile
@@ -0,0 +1,9 @@
+# Firejail profile for PPSSPPQt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PPSSPPQt.local
+# added by included profile
+#include globals.local
+
+# Redirect
+include ppsspp.profile
diff --git a/etc/profile-m-z/PPSSPPSDL.profile b/etc/profile-m-z/PPSSPPSDL.profile
new file mode 100644
index 000000000..deb00a436
--- /dev/null
+++ b/etc/profile-m-z/PPSSPPSDL.profile
@@ -0,0 +1,9 @@
+# Firejail profile for PPSSPPSDL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PPSSPPSDL.local
+# added by included profile
+#include globals.local
+
+# Redirect
+include ppsspp.profile
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
new file mode 100644
index 000000000..17ea38073
--- /dev/null
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -0,0 +1,59 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include QMediathekView.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/qtchooser
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
new file mode 100644
index 000000000..15cb931dd
--- /dev/null
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -0,0 +1,55 @@
+# Firejail profile for QOwnNotes
+# Description: Plain-text file notepad with markdown support and ownCloud integration
+# This file is overwritten after every install/update
+# Persistent local customizations
+include QOwnNotes.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/Nextcloud/Notes
+noblacklist ${HOME}/.config/PBE
+noblacklist ${HOME}/.local/share/PBE
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Nextcloud/Notes
+mkdir ${HOME}/.config/PBE
+mkdir ${HOME}/.local/share/PBE
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/Nextcloud/Notes
+whitelist ${HOME}/.config/PBE
+whitelist ${HOME}/.local/share/PBE
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gio,QOwnNotes
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-tmp
+
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
new file mode 100644
index 000000000..cfc53c077
--- /dev/null
+++ b/etc/profile-m-z/Screenshot.profile
@@ -0,0 +1,11 @@
+# Firejail profile for gnome-screenshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Screenshot.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-screenshot.profile
diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile
new file mode 100644
index 000000000..6877e1578
--- /dev/null
+++ b/etc/profile-m-z/Telegram.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for telegram
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Telegram.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include telegram.profile
diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile
new file mode 100644
index 000000000..28acb414b
--- /dev/null
+++ b/etc/profile-m-z/Thunar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for Thunar
+# Description: File Manager for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Thunar.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
new file mode 100644
index 000000000..866d57e67
--- /dev/null
+++ b/etc/profile-m-z/Viber.profile
@@ -0,0 +1,37 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Viber.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ViberPC
+noblacklist ${PATH}/dig
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.ViberPC
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin awk,bash,dig,sh,Viber
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-tmp
diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
new file mode 100644
index 000000000..4f88a26c0
--- /dev/null
+++ b/etc/profile-m-z/VirtualBox.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+# Persistent local customizations
+include VirtualBox.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include virtualbox.profile
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
new file mode 100644
index 000000000..9c797a3e5
--- /dev/null
+++ b/etc/profile-m-z/XMind.profile
@@ -0,0 +1,38 @@
+# Firejail profile for XMind
+# This file is overwritten after every install/update
+# Persistent local customizations
+include XMind.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmind
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.xmind
+whitelist ${HOME}/.xmind
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin cp,sh,XMind
+private-tmp
+private-dev
+
diff --git a/etc/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index c0c322b67..5cf5161ce 100644
--- a/etc/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -1,42 +1,43 @@
 # Firejail profile for Xephyr
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/Xephyr.local
+quiet
+include Xephyr.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
-# To enable it, create a firejail-Xephyr  symlink in /usr/local/bin:
+# To enable it, create a firejail-Xephyr symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xephyr
 #
 # or run "sudo firecfg"
 #
 
-
-blacklist /media
-
 whitelist /var/lib/xkb
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
 nodvd
 nogroups
+noinput
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
 # noroot
 nosound
 notv
+nou2f
 protocol unix
 seccomp
 shell none
 
+disable-mnt
 # using a private home directory
 private
-# private-bin Xephyr,sh,xkbcomp
-# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,Xephyr,xkbcomp
+# private-bin bash,cat,ls,sh,strace,Xephyr,xkbcomp
 private-dev
-# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-private-tmp
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+#private-tmp
diff --git a/etc/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 7921e0d06..1acd43023 100644
--- a/etc/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -1,14 +1,16 @@
 # Firejail profile for Xvfb
+# Description: Virtual Framebuffer 'fake' X server
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
-include /etc/firejail/Xvfb.local
+include Xvfb.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 #
 # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
 # The target program is sandboxed with its own profile. By default the this functionality
-# is disabled. To enable it, create a firejail-Xvfb  symlink in /usr/local/bin:
+# is disabled. To enable it, create a firejail-Xvfb symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/Xvfb
 #
@@ -16,28 +18,30 @@ include /etc/firejail/globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
 
-blacklist /media
-
 whitelist /var/lib/xkb
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
 nodvd
 nogroups
+noinput
 nonewprivs
 # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
 notv
+nou2f
+novideo
 protocol unix
 seccomp
 shell none
 
+disable-mnt
 # using a private home directory
 private
-# private-bin Xvfb,sh,xkbcomp
-# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
+# private-bin sh,xkbcomp,Xvfb
+# private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
-private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 private-tmp
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
new file mode 100644
index 000000000..21482a161
--- /dev/null
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -0,0 +1,48 @@
+# Firejail profile for ZeGrapher
+# Description: Free and opensource math graphing software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ZeGrapher.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ZeGrapher Project
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+whitelist /usr/share/ZeGrapher
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ZeGrapher
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
new file mode 100644
index 000000000..88b68d43f
--- /dev/null
+++ b/etc/profile-m-z/macrofusion.profile
@@ -0,0 +1,45 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include macrofusion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mfusion
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin align_image_stack,enfuse,env,exiftool,macrofusion,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
new file mode 100644
index 000000000..fc5ae3ee9
--- /dev/null
+++ b/etc/profile-m-z/magicor.profile
@@ -0,0 +1,52 @@
+# Firejail profile for magicor
+# Description: Push ice blocks around to extinguish all fires
+# This file is overwritten after every install/update
+# Persistent local customizations
+include magicor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.magicor
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.magicor
+whitelist ${HOME}/.magicor
+whitelist /usr/share/magicor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin magicor,python2*
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
new file mode 100644
index 000000000..3a68cce00
--- /dev/null
+++ b/etc/profile-m-z/makepkg.profile
@@ -0,0 +1,60 @@
+# Firejail profile for makepkg
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include makepkg.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
+# for potential issues and their solutions when Firejailing makepkg
+
+# This profile could be significantly strengthened by adding the following to makepkg.local
+# whitelist ${HOME}/<Your Build Folder>
+# whitelist ${HOME}/.gnupg
+
+# Enable severely restricted access to ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+read-only ${HOME}/.gnupg/gpg.conf
+read-only ${HOME}/.gnupg/trustdb.gpg
+read-only ${HOME}/.gnupg/pubring.kbx
+blacklist ${HOME}/.gnupg/random_seed
+blacklist ${HOME}/.gnupg/pubring.kbx~
+blacklist ${HOME}/.gnupg/private-keys-v1.d
+blacklist ${HOME}/.gnupg/crls.d
+blacklist ${HOME}/.gnupg/openpgp-revocs.d
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
+#noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
new file mode 100644
index 000000000..b2f761230
--- /dev/null
+++ b/etc/profile-m-z/man.profile
@@ -0,0 +1,69 @@
+# Firejail profile for man
+# Description: manpage viewer
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include man.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.local/share/man
+noblacklist ${HOME}/.rustup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#mkdir ${HOME}/.local/share/man
+#whitelist ${HOME}/.local/share/man
+#whitelist ${HOME}/.manpath
+whitelist /usr/share/groff
+whitelist /usr/share/info
+whitelist /usr/share/lintian
+whitelist /usr/share/locale
+whitelist /usr/share/man
+whitelist /var/cache/man
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+novideo
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
+private-cache
+private-dev
+private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-only /tmp
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
new file mode 100644
index 000000000..28dc5d914
--- /dev/null
+++ b/etc/profile-m-z/manaplus.profile
@@ -0,0 +1,51 @@
+# Firejail profile for manaplus
+# Description: 2D MMORPG client for Evol Online and The Mana World
+# This file is overwritten after every install/update
+# Persistent local customizations
+include manaplus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mana
+noblacklist ${HOME}/.local/share/mana
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mana
+mkdir ${HOME}/.config/mana/mana
+mkdir ${HOME}/.local/share/mana
+whitelist ${HOME}/.config/mana
+whitelist ${HOME}/.local/share/mana
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin manaplus
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
new file mode 100644
index 000000000..746135ae5
--- /dev/null
+++ b/etc/profile-m-z/marker.profile
@@ -0,0 +1,63 @@
+# Firejail profile for marker
+# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
+# This file is overwritten after every install/update
+# Persistent local customizations
+include marker.local
+# Persistent global definitions
+include globals.local
+
+# Add the next lines to your marker.local if you need internet access.
+#ignore net none
+#protocol unix,inet,inet6
+#private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
+
+noblacklist ${HOME}/.cache/marker
+noblacklist ${DOCUMENTS}
+
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/libexec/webkit2gtk-4.0
+whitelist /usr/share/com.github.fabiocolacio.marker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin marker,python3*
+private-cache
+private-dev
+private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.fabiocolacio.marker
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
new file mode 100644
index 000000000..e61578ffe
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -0,0 +1,41 @@
+# Firejail profile for masterpdfeditor
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Code Industry
+noblacklist ${HOME}/.masterpdfeditor
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
diff --git a/etc/profile-m-z/masterpdfeditor4.profile b/etc/profile-m-z/masterpdfeditor4.profile
new file mode 100644
index 000000000..84e78171f
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor4.profile
@@ -0,0 +1,11 @@
+# Firejail profile for masterpdfeditor4
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor4.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include masterpdfeditor.profile
diff --git a/etc/profile-m-z/masterpdfeditor5.profile b/etc/profile-m-z/masterpdfeditor5.profile
new file mode 100644
index 000000000..057d343dd
--- /dev/null
+++ b/etc/profile-m-z/masterpdfeditor5.profile
@@ -0,0 +1,11 @@
+# Firejail profile for masterpdfeditor5
+# Description: A complete solution for creating and editing PDF files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include masterpdfeditor5.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include masterpdfeditor.profile
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
new file mode 100644
index 000000000..64b184482
--- /dev/null
+++ b/etc/profile-m-z/mate-calc.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mate-calc
+# Description: MATE desktop calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-calc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mate-calc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/mate-calc
+mkdir ${HOME}/.config/caja
+mkdir ${HOME}/.config/mate-menu
+whitelist ${HOME}/.cache/mate-calc
+whitelist ${HOME}/.config/caja
+whitelist ${HOME}/.config/mate-menu
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-calc,mate-calculator
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-dev
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
new file mode 100644
index 000000000..5c8200ec5
--- /dev/null
+++ b/etc/profile-m-z/mate-calculator.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for mate-calc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-calculator.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mate-calc.profile
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
new file mode 100644
index 000000000..a6b49315c
--- /dev/null
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mate-color-select
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mate-color-select.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin mate-color-select
+private-etc alternatives,fonts
+private-dev
+private-lib
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 3f85addaf..3f3d027b9 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -1,32 +1,35 @@
 # Firejail profile for mate-dictionary
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mate-dictionary.local
+include mate-dictionary.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mate/mate-dictionary
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
+mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.icons
-whitelist ${HOME}/.themes
+include whitelist-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -34,11 +37,9 @@ shell none
 
 disable-mnt
 private-bin mate-dictionary
-private-etc fonts,resolv.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
 private-opt mate-dictionary
 private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile
new file mode 100644
index 000000000..cc73f9d80
--- /dev/null
+++ b/etc/profile-m-z/mathematica.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Mathematica
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mathematica.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include Mathematica.profile
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
new file mode 100644
index 000000000..b3080df88
--- /dev/null
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -0,0 +1,24 @@
+# Firejail profile for matrix-mirage
+# Description: Debian name for mirage binary/package
+# This file is overwritten after every install/update
+# Persistent local customizations
+include matrix-mirage.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/matrix-mirage
+noblacklist ${HOME}/.config/matrix-mirage
+noblacklist ${HOME}/.local/share/matrix-mirage
+
+mkdir ${HOME}/.cache/matrix-mirage
+mkdir ${HOME}/.config/matrix-mirage
+mkdir ${HOME}/.local/share/matrix-mirage
+whitelist ${HOME}/.cache/matrix-mirage
+whitelist ${HOME}/.config/matrix-mirage
+whitelist ${HOME}/.local/share/matrix-mirage
+
+private-bin matrix-mirage
+
+# Redirect
+include mirage.profile
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
new file mode 100644
index 000000000..3c2bf4fa3
--- /dev/null
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -0,0 +1,29 @@
+# Firejail profile for mattermost-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mattermost-desktop.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Mattermost
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/Mattermost
+whitelist ${HOME}/.config/Mattermost
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+
+# Not tested
+#dbus-user filter
+#dbus-user.own com.mattermost.Desktop
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
+
+# Redirect
+include electron.profile
diff --git a/etc/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 2e31e09ec..7592d879c 100644
--- a/etc/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -1,25 +1,29 @@
 # Firejail profile for mcabber
+# Description: Small Jabber (XMPP) console client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mcabber.local
+include mcabber.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.mcabber
 noblacklist ${HOME}/.mcabberrc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 netfilter
 nodvd
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol inet,inet6
 seccomp
@@ -27,4 +31,4 @@ shell none
 
 private-bin mcabber
 private-dev
-private-etc null
+private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
new file mode 100644
index 000000000..5c965f55c
--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,73 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails
diff --git a/etc/profile-m-z/md5sum.profile b/etc/profile-m-z/md5sum.profile
new file mode 100644
index 000000000..3612c73fd
--- /dev/null
+++ b/etc/profile-m-z/md5sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for md5sum
+# Description: compute and check MD5 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include md5sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin md5sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
new file mode 100644
index 000000000..08d56ede5
--- /dev/null
+++ b/etc/profile-m-z/mdr.profile
@@ -0,0 +1,55 @@
+# Firejail profile for mdr
+# Description: A standalone Markdown renderer for the terminal
+# Persistent local customizations
+include mdr.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname mdr
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin mdr
+private-cache
+private-dev
+private-etc none
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
new file mode 100644
index 000000000..7597d4067
--- /dev/null
+++ b/etc/profile-m-z/mediainfo.profile
@@ -0,0 +1,51 @@
+# Firejail profile for mediainfo
+# Description: Command-line utility for reading information from audio/video files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mediainfo.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin mediainfo
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
new file mode 100644
index 000000000..f73ef0935
--- /dev/null
+++ b/etc/profile-m-z/mediathekview.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mediathekview
+# Description: View streams from German public television stations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mediathekview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mediathek3
+noblacklist ${HOME}/.mplayer
+noblacklist ${VIDEOS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
new file mode 100644
index 000000000..d55745698
--- /dev/null
+++ b/etc/profile-m-z/megaglest.profile
@@ -0,0 +1,53 @@
+# Firejail profile for megaglest
+# Description: 3D multi-player real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.megaglest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
+whitelist /usr/share/megaglest
+whitelist /usr/share/games/megaglest    # Debian version
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin megaglest,megaglest_editor,megaglest_g3dviewer
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile
new file mode 100644
index 000000000..4635573e6
--- /dev/null
+++ b/etc/profile-m-z/megaglest_editor.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for megaglest
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest_editor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include megaglest.profile
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
new file mode 100644
index 000000000..4aeca0f28
--- /dev/null
+++ b/etc/profile-m-z/meld.profile
@@ -0,0 +1,81 @@
+# Firejail profile for meld
+# Description: Graphical tool to diff and merge files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meld.local
+# Persistent global definitions
+include globals.local
+
+# If you want to use meld as git mergetool (and maybe some other VCS integrations) you need
+# to bypass firejail. You can do this by removing the symlink or by calling it by its absolute path.
+# Removing the symlink:
+# $ sudo rm /usr/local/bin/meld
+# Calling it by its absolute path (example for git mergetool):
+# $ git config --global mergetool.meld.cmd /usr/bin/meld
+
+noblacklist ${HOME}/.config/meld
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.local/share/meld
+noblacklist ${HOME}/.subversion
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks
+# but want to keep Python 2 support for older meld versions.
+#include allow-python2.inc
+include allow-python3.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+blacklist /usr/libexec
+
+# Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# Add the next line to your meld.local if you don't need to compare files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-runuser-common.inc
+
+# Add the next lines to your meld.local if you don't need to compare files in /usr/share.
+#whitelist /usr/share/meld
+#include whitelist-usr-share-common.inc
+
+# Add the next line to your meld.local if you don't need to compare files in /var.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin bzr,cvs,git,hg,meld,python*,svn
+private-cache
+private-dev
+# Add the next line to your meld.local if you don't need to compare files in /etc.
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+# Add 'ignore private-tmp' to your meld.local if you want to use it as difftool (#3551).
+private-tmp
+
+read-only ${HOME}/.ssh
diff --git a/etc/profile-m-z/mencoder.profile b/etc/profile-m-z/mencoder.profile
new file mode 100644
index 000000000..3909e543e
--- /dev/null
+++ b/etc/profile-m-z/mencoder.profile
@@ -0,0 +1,34 @@
+# Firejail profile for mencoder
+# Description: Free command line video decoding, encoding and filtering tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mencoder.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# added by included profile
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-interpreters.inc
+#include disable-programs.inc
+
+ipc-namespace
+machine-id
+net none
+no3d
+nosound
+notv
+protocol unix
+tracelog
+x11 none
+
+private-bin mencoder
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# Redirect
+include mplayer.profile
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
new file mode 100644
index 000000000..446109e9a
--- /dev/null
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Mendeley
+# Description: Academic software for managing and sharing research papers.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mendeleydesktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.cache/Mendeley Ltd.
+noblacklist ${HOME}/.config/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/Mendeley Ltd.
+noblacklist ${HOME}/.local/share/data/Mendeley Ltd.
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-database,which
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
new file mode 100644
index 000000000..4845e9cce
--- /dev/null
+++ b/etc/profile-m-z/menulibre.profile
@@ -0,0 +1,64 @@
+# Firejail profile for menulibre
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include menulibre.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /usr/share/menulibre
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
new file mode 100644
index 000000000..bdd36949b
--- /dev/null
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -0,0 +1,54 @@
+# Firejail profile for meteo-qt
+# Description: System tray application for weather status information
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meteo-qt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/meteo-qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/autostart
+whitelist ${HOME}/.config/meteo-qt
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin meteo-qt,python*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
new file mode 100644
index 000000000..34d9f470a
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Beta
+# Description: Web browser from Microsoft,beta channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-beta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge-beta
+noblacklist ${HOME}/.config/microsoft-edge-beta
+
+mkdir ${HOME}/.cache/microsoft-edge-beta
+mkdir ${HOME}/.config/microsoft-edge-beta
+whitelist ${HOME}/.cache/microsoft-edge-beta
+whitelist ${HOME}/.config/microsoft-edge-beta
+
+private-opt microsoft
+
+# Redirect
+include chromium-common.profile
\ No newline at end of file
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
new file mode 100644
index 000000000..039cd36a8
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Microsoft Edge Dev
+# Description: Web browser from Microsoft,dev channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-dev.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/microsoft-edge-dev
+noblacklist ${HOME}/.config/microsoft-edge-dev
+
+mkdir ${HOME}/.cache/microsoft-edge-dev
+mkdir ${HOME}/.config/microsoft-edge-dev
+whitelist ${HOME}/.cache/microsoft-edge-dev
+whitelist ${HOME}/.config/microsoft-edge-dev
+
+private-opt microsoft
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
new file mode 100644
index 000000000..f427507d1
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge
+# Description: Web browser from Microsoft
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include microsoft-edge-dev.profile
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
new file mode 100644
index 000000000..7928d124e
--- /dev/null
+++ b/etc/profile-m-z/midori.profile
@@ -0,0 +1,64 @@
+# Firejail profile for midori
+# Description: Lightweight web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include midori.local
+# Persistent global definitions
+include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/midori
+noblacklist ${HOME}/.config/midori
+noblacklist ${HOME}/.local/share/midori
+# noblacklist ${HOME}/.local/share/webkit
+# noblacklist ${HOME}/.local/share/webkitgtk
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/midori
+mkdir ${HOME}/.config/midori
+mkdir ${HOME}/.local/share/midori
+mkdir ${HOME}/.local/share/webkit
+mkdir ${HOME}/.local/share/webkitgtk
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/midori
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/midori
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/midori
+whitelist ${HOME}/.local/share/webkit
+whitelist ${HOME}/.local/share/webkitgtk
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+# noroot - problems on Ubuntu 14.04
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+private-tmp
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
new file mode 100644
index 000000000..7f3aeab44
--- /dev/null
+++ b/etc/profile-m-z/min.profile
@@ -0,0 +1,15 @@
+# Firejail profile for min
+# Description: A faster, smarter web browser.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include min.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Min
+
+mkdir ${HOME}/.config/Min
+whitelist ${HOME}/.config/Min
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
new file mode 100644
index 000000000..ad7e40b12
--- /dev/null
+++ b/etc/profile-m-z/mindless.profile
@@ -0,0 +1,51 @@
+# Firejail profile for mindless
+# Description: figure out the secret code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mindless.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/mindless
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mindless
+private-cache
+private-dev
+private-etc fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
new file mode 100644
index 000000000..d4f3e344e
--- /dev/null
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -0,0 +1,59 @@
+# Firejail profile for minecraft-launcher
+# Description: Official Minecraft launcher from Mojang
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minecraft-launcher.local
+# Persistent global definitions
+include globals.local
+
+# Some distros put the executable in /opt/minecraft-launcher.
+# Run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.minecraft
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.minecraft
+whitelist ${HOME}/.minecraft
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin java,java-config,minecraft-launcher
+private-cache
+private-dev
+# If multiplayer or realms break, add 'private-etc <your-own-java-folder-from-/etc>'
+# or 'ignore private-etc' to your minecraft-launcher.local.
+private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
+private-opt minecraft-launcher
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
new file mode 100644
index 000000000..ec5de821a
--- /dev/null
+++ b/etc/profile-m-z/minetest.profile
@@ -0,0 +1,64 @@
+# Firejail profile for minetest
+# Description: Multiplayer infinite-world block sandbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minetest.local
+# Persistent global definitions
+include globals.local
+
+# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
+#   screenshot_path = /home/<USER>/.minetest/screenshots
+
+noblacklist ${HOME}/.cache/minetest
+noblacklist ${HOME}/.minetest
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/minetest
+mkdir ${HOME}/.minetest
+whitelist ${HOME}/.cache/minetest
+whitelist ${HOME}/.minetest
+whitelist /usr/share/games/minetest
+whitelist /usr/share/minetest
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin minetest,rm
+# cache is used for storing assets when connecting to servers
+#private-cache
+private-dev
+# private-etc needs to be updated, see #1702
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
new file mode 100644
index 000000000..581af9b81
--- /dev/null
+++ b/etc/profile-m-z/minitube.profile
@@ -0,0 +1,61 @@
+# Firejail profile for minitube
+# Description: Native Youtube viewer for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minitube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
+
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Flavio Tordini
+mkdir ${HOME}/.config/Flavio Tordini
+mkdir ${HOME}/.local/share/Flavio Tordini
+whitelist ${PICTURES}
+whitelist ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
+whitelist /usr/share/minitube
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin minitube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
new file mode 100644
index 000000000..5a8544965
--- /dev/null
+++ b/etc/profile-m-z/mirage.profile
@@ -0,0 +1,61 @@
+# Firejail profile for mirage
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mirage
+noblacklist ${HOME}/.config/mirage
+noblacklist ${HOME}/.local/share/mirage
+noblacklist /sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mirage
+mkdir ${HOME}/.config/mirage
+mkdir ${HOME}/.local/share/mirage
+whitelist ${HOME}/.cache/mirage
+whitelist ${HOME}/.config/mirage
+whitelist ${HOME}/.local/share/mirage
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ldconfig,mirage
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
new file mode 100644
index 000000000..c47a16ffd
--- /dev/null
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -0,0 +1,51 @@
+# Firejail profile for mirrormagic
+# Description: Puzzle game where you steer a beam of light using mirrors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirrormagic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mirrormagic
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.mirrormagic
+whitelist ${HOME}/.mirrormagic
+whitelist /usr/share/mirrormagic
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mirrormagic
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
new file mode 100644
index 000000000..dbc3c1d40
--- /dev/null
+++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mocp
+# Description: A powerful & easy to use console audio player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin mocp
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.moc
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
new file mode 100644
index 000000000..2939d9bde
--- /dev/null
+++ b/etc/profile-m-z/mousepad.profile
@@ -0,0 +1,40 @@
+# Firejail profile for mousepad
+# Description: Simple Xfce oriented text editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mousepad.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mousepad
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mousepad
+private-dev
+private-lib
+private-tmp
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
new file mode 100644
index 000000000..f0063d250
--- /dev/null
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -0,0 +1,44 @@
+# Firejail profile for mp3splt-gtk
+# Description: Gtk utility for mp3/ogg splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mp3splt-gtk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin mp3splt-gtk
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
new file mode 100644
index 000000000..400d8a6b6
--- /dev/null
+++ b/etc/profile-m-z/mp3splt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mp3splt
+# Description: utility for mp3 splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin flacsplt,mp3splt,mp3wrap,oggsplt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mp3wrap.profile b/etc/profile-m-z/mp3wrap.profile
new file mode 100644
index 000000000..9e48f7807
--- /dev/null
+++ b/etc/profile-m-z/mp3wrap.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mp3wrap
+# This file is overwritten after every install/update
+include mp3wrap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mp3splt.profile
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
new file mode 100644
index 000000000..10964ef24
--- /dev/null
+++ b/etc/profile-m-z/mpDris2.profile
@@ -0,0 +1,58 @@
+# Firejail profile for mpDris2
+# Description: MPRIS2 support for MPD
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpDris2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpDris2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${MUSIC}
+
+mkdir ${HOME}/.config/mpDris2
+whitelist ${HOME}/.config/mpDris2
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin mpDris2,notify-send,python*
+private-cache
+private-dev
+private-etc alternatives,hosts,nsswitch.conf
+private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
+
+read-only ${HOME}
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
new file mode 100644
index 000000000..761d5b041
--- /dev/null
+++ b/etc/profile-m-z/mpd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for mpd
+# Description: Music Player Daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mpd
+noblacklist ${HOME}/.mpd
+noblacklist ${HOME}/.mpdconf
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# blacklisting of ioprio_set system calls breaks auto-updating of
+# MPD's database when files in music_directory are changed
+seccomp !ioprio_set
+shell none
+
+#private-bin bash,mpd
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/mpg123-alsa.profile b/etc/profile-m-z/mpg123-alsa.profile
new file mode 100644
index 000000000..378435af1
--- /dev/null
+++ b/etc/profile-m-z/mpg123-alsa.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-alsa
+# Persistent local customizations
+include mpg123-alsa.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-id3dump.profile b/etc/profile-m-z/mpg123-id3dump.profile
new file mode 100644
index 000000000..370a57b3c
--- /dev/null
+++ b/etc/profile-m-z/mpg123-id3dump.profile
@@ -0,0 +1,12 @@
+# Firejail profile for mpg123-id3dump
+# Persistent local customizations
+include mpg123-id3dump.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+machine-id
+nosound
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-jack.profile b/etc/profile-m-z/mpg123-jack.profile
new file mode 100644
index 000000000..e36a2e5b3
--- /dev/null
+++ b/etc/profile-m-z/mpg123-jack.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-jack
+# Persistent local customizations
+include mpg123-jack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-nas.profile b/etc/profile-m-z/mpg123-nas.profile
new file mode 100644
index 000000000..cdbf0b1d2
--- /dev/null
+++ b/etc/profile-m-z/mpg123-nas.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-nas
+# Persistent local customizations
+include mpg123-nas.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-openal.profile b/etc/profile-m-z/mpg123-openal.profile
new file mode 100644
index 000000000..e5585feaa
--- /dev/null
+++ b/etc/profile-m-z/mpg123-openal.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-openal
+# Persistent local customizations
+include mpg123-openal.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-oss.profile b/etc/profile-m-z/mpg123-oss.profile
new file mode 100644
index 000000000..dcb92ecd6
--- /dev/null
+++ b/etc/profile-m-z/mpg123-oss.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-oss
+# Persistent local customizations
+include mpg123-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-portaudio.profile b/etc/profile-m-z/mpg123-portaudio.profile
new file mode 100644
index 000000000..319843504
--- /dev/null
+++ b/etc/profile-m-z/mpg123-portaudio.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-portaudio
+# Persistent local customizations
+include mpg123-portaudio.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-pulse.profile b/etc/profile-m-z/mpg123-pulse.profile
new file mode 100644
index 000000000..31063a96b
--- /dev/null
+++ b/etc/profile-m-z/mpg123-pulse.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-pulse
+# Persistent local customizations
+include mpg123-pulse.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123-strip.profile b/etc/profile-m-z/mpg123-strip.profile
new file mode 100644
index 000000000..62de57c22
--- /dev/null
+++ b/etc/profile-m-z/mpg123-strip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-strip
+# Persistent local customizations
+include mpg123-strip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123.bin.profile b/etc/profile-m-z/mpg123.bin.profile
new file mode 100644
index 000000000..0a01d0829
--- /dev/null
+++ b/etc/profile-m-z/mpg123.bin.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123.bin
+# Persistent local customizations
+include mpg123.bin.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
new file mode 100644
index 000000000..c3bff23bc
--- /dev/null
+++ b/etc/profile-m-z/mpg123.profile
@@ -0,0 +1,45 @@
+# Firejail profile for mpg123
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mpg123.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+#private-bin mpg123*
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
new file mode 100644
index 000000000..2d51d9884
--- /dev/null
+++ b/etc/profile-m-z/mplayer.profile
@@ -0,0 +1,40 @@
+# Firejail profile for mplayer
+# Description: Movie player for Unix-like systems
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mplayer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.mplayer
+whitelist ${HOME}/.mplayer
+include whitelist-common.inc
+include whitelist-player-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# net none - mplayer can be used for streaming.
+netfilter
+# nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin mplayer
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
new file mode 100644
index 000000000..cadfd9b7f
--- /dev/null
+++ b/etc/profile-m-z/mpsyt.profile
@@ -0,0 +1,72 @@
+# Firejail profile for mpsyt
+# Description: Terminal based YouTube player and downloader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpsyt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mps-youtube
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.mplayer
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/mps
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mps-youtube
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkdir ${HOME}/.mplayer
+mkdir ${HOME}/mps
+whitelist ${HOME}/.config/mps-youtube
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.mplayer
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/mps
+include whitelist-common.inc
+include whitelist-player-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+# Seems to cause issues with Nvidia drivers sometimes
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
+#private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
new file mode 100644
index 000000000..74402a8de
--- /dev/null
+++ b/etc/profile-m-z/mpv.profile
@@ -0,0 +1,83 @@
+# Firejail profile for mpv
+# Description: Video player based on MPlayer/mplayer2
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mpv.local
+# Persistent global definitions
+include globals.local
+
+# In order to save screenshots to a persistent location,
+# edit ~/.config/mpv/foobar.conf:
+#    screenshot-directory=~/Pictures
+
+# Mpv has a powerful lua-API, some off these lua-scripts interact
+# with external resources which are blocked by firejail. In such cases
+# you need to allow these resources by
+#  - adding additional binaries to private-bin
+#  - whitelisting additional paths
+#  - noblacklisting paths
+#  - weaking the dbus-policy
+#  - ...
+#
+# Often these scripts require a shell:
+#include allow-bin-sh.inc
+#private-bin sh
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.netrc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
+mkfile ${HOME}/.netrc
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
+whitelist ${HOME}/.netrc
+include whitelist-common.inc
+include whitelist-player-common.inc
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
+whitelist /usr/share/vulkan
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# nogroups seems to cause issues with Nvidia drivers sometimes
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin env,mpv,python*,waf,youtube-dl
+# private-cache causes slow OSD, see #2838
+#private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
new file mode 100644
index 000000000..530e779fc
--- /dev/null
+++ b/etc/profile-m-z/mrrescue.profile
@@ -0,0 +1,60 @@
+# Firejail profile for mrrescue
+# Description: Arcade-style fire fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mrrescue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/love
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/love
+whitelist ${HOME}/.local/share/love
+whitelist /usr/share/mrrescue
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin love,mrrescue,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ms-excel.profile b/etc/profile-m-z/ms-excel.profile
new file mode 100644
index 000000000..db24e8f9b
--- /dev/null
+++ b/etc/profile-m-z/ms-excel.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Excel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-excel.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-excel-online
+private-bin ms-excel
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
new file mode 100644
index 000000000..ad12f53a4
--- /dev/null
+++ b/etc/profile-m-z/ms-office.profile
@@ -0,0 +1,43 @@
+# Firejail profile for Microsoft Office Online
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-office.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/ms-office-online
+noblacklist ${HOME}/.jak
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,env,fonts,jak,ms-office,python*,sh
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ms-onenote.profile b/etc/profile-m-z/ms-onenote.profile
new file mode 100644
index 000000000..9ea0637bd
--- /dev/null
+++ b/etc/profile-m-z/ms-onenote.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Onenote
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-onenote.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-onenote-online
+private-bin ms-onenote
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-outlook.profile b/etc/profile-m-z/ms-outlook.profile
new file mode 100644
index 000000000..fc3e7c009
--- /dev/null
+++ b/etc/profile-m-z/ms-outlook.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Outlook
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-outlook.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-outlook-online
+private-bin ms-outlook
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-powerpoint.profile b/etc/profile-m-z/ms-powerpoint.profile
new file mode 100644
index 000000000..dadcd5b1e
--- /dev/null
+++ b/etc/profile-m-z/ms-powerpoint.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Powerpoint
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-powerpoint.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-powerpoint-online
+private-bin ms-powerpoint
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-skype.profile b/etc/profile-m-z/ms-skype.profile
new file mode 100644
index 000000000..df1618361
--- /dev/null
+++ b/etc/profile-m-z/ms-skype.profile
@@ -0,0 +1,16 @@
+# Firejail profile for Microsoft Office Online - Skype
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-skype.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore novideo
+
+noblacklist ${HOME}/.cache/ms-skype-online
+
+private-bin ms-skype
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/ms-word.profile b/etc/profile-m-z/ms-word.profile
new file mode 100644
index 000000000..5a617a893
--- /dev/null
+++ b/etc/profile-m-z/ms-word.profile
@@ -0,0 +1,13 @@
+# Firejail profile for Microsoft Office Online - Word
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ms-word.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ms-word-online
+private-bin ms-word
+
+# Redirect
+include ms-office.profile
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
new file mode 100644
index 000000000..126336cb3
--- /dev/null
+++ b/etc/profile-m-z/mtpaint.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mtpaint
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mtpaint.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mtpaint
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile
new file mode 100644
index 000000000..2c8b95a26
--- /dev/null
+++ b/etc/profile-m-z/multimc.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for multimc5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include multimc.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include multimc5.profile
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
new file mode 100644
index 000000000..a61f9001d
--- /dev/null
+++ b/etc/profile-m-z/multimc5.profile
@@ -0,0 +1,52 @@
+# Firejail profile for multimc5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include multimc5.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/multimc
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+# Ignore noexec on ${HOME} as MultiMC installs LWJGL native
+# libraries in ${HOME}/.local/share/multimc
+ignore noexec ${HOME}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.local/share/multimc
+mkdir ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.local/share/multimc
+whitelist ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.multimc5
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp
+shell none
+
+disable-mnt
+# private-bin works, but causes weirdness
+# private-bin apt-file,awk,bash,chmod,dirname,dnf,grep,java,kdialog,ldd,mkdir,multimc5,pfl,pkgfile,readlink,sort,valgrind,which,yum,zenity,zypper
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
new file mode 100644
index 000000000..ad0920979
--- /dev/null
+++ b/etc/profile-m-z/mumble.profile
@@ -0,0 +1,45 @@
+# Firejail profile for mumble
+# Description: Low latency encrypted VoIP client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mumble.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+noblacklist ${HOME}/.local/share/Mumble
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+mkdir ${HOME}/.local/share/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.local/share/Mumble
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mumble
+private-tmp
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
new file mode 100644
index 000000000..be94a9083
--- /dev/null
+++ b/etc/profile-m-z/mupdf-gl.profile
@@ -0,0 +1,13 @@
+# Firejail profile for mupdf-gl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-gl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.mupdf.history
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
new file mode 100644
index 000000000..a04d386a2
--- /dev/null
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -0,0 +1,18 @@
+# Firejail profile for mupdf-x11-curl
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11-curl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore net none
+
+netfilter
+protocol unix,inet,inet6
+
+private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mupdf-x11.profile b/etc/profile-m-z/mupdf-x11.profile
new file mode 100644
index 000000000..256201d0c
--- /dev/null
+++ b/etc/profile-m-z/mupdf-x11.profile
@@ -0,0 +1,14 @@
+# Firejail profile for mupdf-x11
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+memory-deny-write-execute
+read-only ${HOME}
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
new file mode 100644
index 000000000..857b9e7df
--- /dev/null
+++ b/etc/profile-m-z/mupdf.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mupdf
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mupdf.local
+# Persistent global definitions
+#include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index 4937df51f..093767c27 100644
--- a/etc/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -1,24 +1,24 @@
 # Firejail profile for mupen64plus
+# Description: Nintendo64 Emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/mupen64plus.local
+include mupen64plus.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mupen64plus
 noblacklist ${HOME}/.local/share/mupen64plus
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
 
 # you'll need to manually whitelist ROM files
 mkdir ${HOME}/.config/mupen64plus
 mkdir ${HOME}/.local/share/mupen64plus
-whitelist ${HOME}/.config/mupen64plus/
-whitelist ${HOME}/.local/share/mupen64plus/
-include /etc/firejail/whitelist-common.inc
+whitelist ${HOME}/.config/mupen64plus
+whitelist ${HOME}/.local/share/mupen64plus
+include whitelist-common.inc
 
 caps.drop all
 net none
@@ -28,3 +28,6 @@ noroot
 notv
 novideo
 seccomp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/muraster.profile b/etc/profile-m-z/muraster.profile
new file mode 100644
index 000000000..90e3f2050
--- /dev/null
+++ b/etc/profile-m-z/muraster.profile
@@ -0,0 +1,11 @@
+# Firejail profile for muraster
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include muraster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
new file mode 100644
index 000000000..12bb653a8
--- /dev/null
+++ b/etc/profile-m-z/musescore.profile
@@ -0,0 +1,42 @@
+# Firejail profile for musescore
+# Description: Free music composition and notation software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musescore.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/MusE
+noblacklist ${HOME}/.config/MuseScore
+noblacklist ${HOME}/.local/share/data/MusE
+noblacklist ${HOME}/.local/share/data/MuseScore
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+tracelog
+
+# private-bin musescore,mscore
+private-tmp
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
new file mode 100644
index 000000000..226fb4810
--- /dev/null
+++ b/etc/profile-m-z/musictube.profile
@@ -0,0 +1,57 @@
+# Firejail profile for musictube
+# Description: Stream music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musictube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Flavio Tordini
+mkdir ${HOME}/.config/Flavio Tordini
+mkdir ${HOME}/.local/share/Flavio Tordini
+whitelist ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
+whitelist /usr/share/musictube
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin musictube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
new file mode 100644
index 000000000..07661cac8
--- /dev/null
+++ b/etc/profile-m-z/musixmatch.profile
@@ -0,0 +1,37 @@
+# Firejail profile for Musixmatch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musixmatch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nogroups
+noinput
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+
diff --git a/etc/profile-m-z/mutool.profile b/etc/profile-m-z/mutool.profile
new file mode 100644
index 000000000..e61f4665d
--- /dev/null
+++ b/etc/profile-m-z/mutool.profile
@@ -0,0 +1,11 @@
+# Firejail profile for mutool
+# Description: Lightweight PDF viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mutool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mupdf.profile
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
new file mode 100644
index 000000000..c4d96711c
--- /dev/null
+++ b/etc/profile-m-z/mutt.profile
@@ -0,0 +1,149 @@
+# Firejail profile for mutt
+# Description: Text-based mailreader supporting MIME, GPG, PGP and threading
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mutt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.Mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.cache/mutt
+noblacklist ${HOME}/.config/mutt
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.elinks
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.msmtprc
+noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.muttrc
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.w3m
+noblacklist ${HOME}/Mail
+noblacklist ${HOME}/mail
+noblacklist ${HOME}/postponed
+noblacklist ${HOME}/sent
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Add the next lines to your mutt.local for oauth.py,S/MIME support.
+#include allow-perl.inc
+#include allow-python2.inc
+#include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.Mail
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.cache/mutt
+mkdir ${HOME}/.config/mutt
+mkdir ${HOME}/.config/nano
+mkdir ${HOME}/.elinks
+mkdir ${HOME}/.emacs.d
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.mail
+mkdir ${HOME}/.mutt
+mkdir ${HOME}/.vim
+mkdir ${HOME}/.w3m
+mkdir ${HOME}/Mail
+mkdir ${HOME}/mail
+mkdir ${HOME}/postponed
+mkdir ${HOME}/sent
+mkfile ${HOME}/.emacs
+mkfile ${HOME}/.mailcap
+mkfile ${HOME}/.msmtprc
+mkfile ${HOME}/.muttrc
+mkfile ${HOME}/.nanorc
+mkfile ${HOME}/.signature
+mkfile ${HOME}/.viminfo
+mkfile ${HOME}/.vimrc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.Mail
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.cache/mutt
+whitelist ${HOME}/.config/mutt
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.elinks
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mail
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.msmtprc
+whitelist ${HOME}/.mutt
+whitelist ${HOME}/.muttrc
+whitelist ${HOME}/.nanorc
+whitelist ${HOME}/.signature
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/.vimrc
+whitelist ${HOME}/.w3m
+whitelist ${HOME}/Mail
+whitelist ${HOME}/mail
+whitelist ${HOME}/postponed
+whitelist ${HOME}/sent
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/mutt
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.elinks
+read-only ${HOME}/.nanorc
+read-only ${HOME}/.signature
+read-only ${HOME}/.w3m
diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
new file mode 100644
index 000000000..4b4745918
--- /dev/null
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for mypaint-ora-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mypaint-ora-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mypaint.profile
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
new file mode 100644
index 000000000..1b4fc4346
--- /dev/null
+++ b/etc/profile-m-z/mypaint.profile
@@ -0,0 +1,50 @@
+# Firejail profile for mypaint
+# Description: A fast and easy graphics application for digital painters
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mypaint.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mypaint
+noblacklist ${HOME}/.config/mypaint
+noblacklist ${HOME}/.local/share/mypaint
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
new file mode 100644
index 000000000..996a1722a
--- /dev/null
+++ b/etc/profile-m-z/nano.profile
@@ -0,0 +1,59 @@
+# Firejail profile for nano
+# Description: nano is an easy text editor for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nano.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.nanorc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /usr/share/nano
+include whitelist-usr-share-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+# disable-mnt
+private-bin nano,rnano
+private-cache
+private-dev
+# Add the next lines to your nano.local if you want to edit files in /etc directly.
+#ignore private-etc
+#writable-etc
+private-etc alternatives,nanorc
+# Add the next line to your nano.local if you want to edit files in /var directly.
+#writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/natron.profile b/etc/profile-m-z/natron.profile
index b76649605..2464844c4 100644
--- a/etc/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -1,34 +1,37 @@
 # Firejail profile for natron
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/natron.local
+include natron.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+include globals.local
 
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
-noblacklist /opt/natron
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+nou2f
+protocol unix
 seccomp
 shell none
-net none
 
 private-bin natron,Natron,NatronRenderer
 
-noexec ${HOME}
-noexec /tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nautilus.profile b/etc/profile-m-z/nautilus.profile
new file mode 100644
index 000000000..e54bea228
--- /dev/null
+++ b/etc/profile-m-z/nautilus.profile
@@ -0,0 +1,15 @@
+# Firejail profile for nautilus
+# Description: File manager and graphical shell for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nautilus.local
+# Persistent global definitions
+include globals.local
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a nautilus process running on gnome desktops firejail will have no effect.
+
+# Put 'ignore noroot' in your nautilus.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
new file mode 100644
index 000000000..063e30366
--- /dev/null
+++ b/etc/profile-m-z/ncdu.profile
@@ -0,0 +1,37 @@
+# Firejail profile for ncdu
+# Description: Ncurses disk usage viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ncdu.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-exec.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+x11 none
+
+private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/ncdu2.profile b/etc/profile-m-z/ncdu2.profile
new file mode 100644
index 000000000..5b6364c5d
--- /dev/null
+++ b/etc/profile-m-z/ncdu2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for ncdu2
+# Description: Ncurses disk usage viewer (zig rewrite)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ncdu2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ncdu.profile
diff --git a/etc/profile-m-z/nemo.profile b/etc/profile-m-z/nemo.profile
new file mode 100644
index 000000000..1b3333e8c
--- /dev/null
+++ b/etc/profile-m-z/nemo.profile
@@ -0,0 +1,12 @@
+# Firejail profile for nemo
+# Description: File manager and graphical shell for Cinnamon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nemo.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your nemo.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
new file mode 100644
index 000000000..58cc716d9
--- /dev/null
+++ b/etc/profile-m-z/neochat.profile
@@ -0,0 +1,65 @@
+# Firejail profile for neochat
+# Description: Matrix Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neochat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/KDE/neochat
+noblacklist ${HOME}/.config/KDE
+noblacklist ${HOME}/.config/KDE/neochat
+noblacklist ${HOME}/.config/neochatrc
+noblacklist ${HOME}/.config/neochat.notifyrc
+noblacklist ${HOME}/.local/share/KDE/neochat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/KDE/neochat
+mkdir ${HOME}/.local/share/KDE/neochat
+whitelist ${HOME}/.cache/KDE/neochat
+whitelist ${HOME}/.local/share/KDE/neochat
+whitelist ${DOWNLOADS}
+include whitelist-1793-workaround.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin neochat
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,fonts,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.neochat
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.kde.kwalletd5
+dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
new file mode 100644
index 000000000..7e627a52e
--- /dev/null
+++ b/etc/profile-m-z/neomutt.profile
@@ -0,0 +1,152 @@
+# Firejail profile for neomutt
+# Description: Mutt fork with advanced features and better documentation
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include neomutt.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.Mail
+noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.config/mutt
+noblacklist ${HOME}/.config/nano
+noblacklist ${HOME}/.config/neomutt
+noblacklist ${HOME}/.elinks
+noblacklist ${HOME}/.emacs
+noblacklist ${HOME}/.emacs.d
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mail
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.msmtprc
+noblacklist ${HOME}/.mutt
+noblacklist ${HOME}/.muttrc
+noblacklist ${HOME}/.nanorc
+noblacklist ${HOME}/.neomutt
+noblacklist ${HOME}/.neomuttrc
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+noblacklist ${HOME}/.w3m
+noblacklist ${HOME}/Mail
+noblacklist ${HOME}/mail
+noblacklist ${HOME}/postponed
+noblacklist ${HOME}/sent
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.Mail
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.config/mutt
+mkdir ${HOME}/.config/nano
+mkdir ${HOME}/.config/neomutt
+mkdir ${HOME}/.elinks
+mkdir ${HOME}/.emacs.d
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.mail
+mkdir ${HOME}/.mutt
+mkdir ${HOME}/.neomutt
+mkdir ${HOME}/.vim
+mkdir ${HOME}/.w3m
+mkdir ${HOME}/Mail
+mkdir ${HOME}/mail
+mkdir ${HOME}/postponed
+mkdir ${HOME}/sent
+mkfile ${HOME}/.emacs
+mkfile ${HOME}/.mailcap
+mkfile ${HOME}/.msmtprc
+mkfile ${HOME}/.muttrc
+mkfile ${HOME}/.nanorc
+mkfile ${HOME}/.neomuttrc
+mkfile ${HOME}/.signature
+mkfile ${HOME}/.viminfo
+mkfile ${HOME}/.vimrc
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.Mail
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.config/mutt
+whitelist ${HOME}/.config/nano
+whitelist ${HOME}/.config/neomutt
+whitelist ${HOME}/.elinks
+whitelist ${HOME}/.emacs
+whitelist ${HOME}/.emacs.d
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mail
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.msmtprc
+whitelist ${HOME}/.mutt
+whitelist ${HOME}/.muttrc
+whitelist ${HOME}/.nanorc
+whitelist ${HOME}/.neomutt
+whitelist ${HOME}/.neomuttrc
+whitelist ${HOME}/.signature
+whitelist ${HOME}/.vim
+whitelist ${HOME}/.viminfo
+whitelist ${HOME}/.vimrc
+whitelist ${HOME}/.w3m
+whitelist ${HOME}/Mail
+whitelist ${HOME}/mail
+whitelist ${HOME}/postponed
+whitelist ${HOME}/sent
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/neomutt
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.elinks
+read-only ${HOME}/.nanorc
+read-only ${HOME}/.signature
+read-only ${HOME}/.w3m
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
new file mode 100644
index 000000000..1bcc6a962
--- /dev/null
+++ b/etc/profile-m-z/netactview.profile
@@ -0,0 +1,55 @@
+# Firejail profile for netactview
+# Description: A graphical network connections viewer similar in functionality to netstat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include netactview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.netactview
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.netactview
+whitelist ${HOME}/.netactview
+whitelist /usr/share/netactview
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+
+disable-mnt
+private-bin netactview,netactview_polkit
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
new file mode 100644
index 000000000..4da43a2d0
--- /dev/null
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -0,0 +1,45 @@
+# Firejail profile for nethack-vultures
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vultures
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.vultures
+whitelist ${HOME}/.vultures
+whitelist /var/log/vultures
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+#nonewprivs
+#noroot
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
new file mode 100644
index 000000000..5037133f2
--- /dev/null
+++ b/etc/profile-m-z/nethack.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nethack
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/games/nethack
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /var/games/nethack
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/netsurf.profile b/etc/profile-m-z/netsurf.profile
new file mode 100644
index 000000000..0ddb7bbbe
--- /dev/null
+++ b/etc/profile-m-z/netsurf.profile
@@ -0,0 +1,34 @@
+# Firejail profile for netsurf
+# Description: Lightweight and fast web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include netsurf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/netsurf
+noblacklist ${HOME}/.config/netsurf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/netsurf
+mkdir ${HOME}/.config/netsurf
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/netsurf
+whitelist ${HOME}/.config/netsurf
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
diff --git a/etc/profile-m-z/neverball-wrapper.profile b/etc/profile-m-z/neverball-wrapper.profile
new file mode 100644
index 000000000..534e41dd1
--- /dev/null
+++ b/etc/profile-m-z/neverball-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for neverball-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverball-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin neverball-wrapper
+
+# Redirect
+include neverball.profile
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
new file mode 100644
index 000000000..9b7826fd0
--- /dev/null
+++ b/etc/profile-m-z/neverball.profile
@@ -0,0 +1,51 @@
+# Firejail profile for neverball
+# Description: 3D floor-tilting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverball.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.neverball
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+whitelist /usr/share/neverball
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin neverball
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/neverputt-wrapper.profile b/etc/profile-m-z/neverputt-wrapper.profile
new file mode 100644
index 000000000..dacd113cc
--- /dev/null
+++ b/etc/profile-m-z/neverputt-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for neverputt-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverputt-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin neverputt-wrapper
+
+# Redirect
+include neverputt.profile
diff --git a/etc/profile-m-z/neverputt.profile b/etc/profile-m-z/neverputt.profile
new file mode 100644
index 000000000..d370d1218
--- /dev/null
+++ b/etc/profile-m-z/neverputt.profile
@@ -0,0 +1,11 @@
+# Firejail profile for neverputt
+# This file is overwritten after every install/update
+# Persistent local customizations
+include neverputt.local
+# added by included profile
+#include globals.local
+
+private-bin neverputt
+
+# Redirect
+include neverball.profile
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
new file mode 100644
index 000000000..6efb19502
--- /dev/null
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -0,0 +1,31 @@
+# Firejail profile for Newsbeuter
+# Description: Text based Atom/RSS feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsbeuter.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore include newsboat.local
+ignore mkdir ${HOME}/.config/newsboat
+ignore mkdir ${HOME}/.local/share/newsboat
+ignore mkdir ${HOME}/.newsboat
+blacklist ${PATH}/newsboat
+
+blacklist ${HOME}/.config/newsboat
+blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.newsboat
+
+nowhitelist ${HOME}/.config/newsboat
+nowhitelist ${HOME}/.local/share/newsboat
+nowhitelist ${HOME}/.newsboat
+
+mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.local/share/newsbeuter
+mkdir ${HOME}/.newsbeuter
+
+private-bin newsbeuter
+
+# Redirect
+include newsboat.profile
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
new file mode 100644
index 000000000..fa4ccea7c
--- /dev/null
+++ b/etc/profile-m-z/newsboat.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.config/newsboat
+noblacklist ${HOME}/.local/share/newsbeuter
+noblacklist ${HOME}/.local/share/newsboat
+noblacklist ${HOME}/.newsbeuter
+noblacklist ${HOME}/.newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/newsboat
+mkdir ${HOME}/.local/share/newsboat
+mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsbeuter
+whitelist ${HOME}/.local/share/newsboat
+whitelist ${HOME}/.newsbeuter
+whitelist ${HOME}/.newsboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gzip,lynx,newsboat,sh,w3m
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
new file mode 100644
index 000000000..56cedec03
--- /dev/null
+++ b/etc/profile-m-z/newsflash.profile
@@ -0,0 +1,60 @@
+# Firejail profile for newsflash
+# Description: Modern feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsflash.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/NewsFlashGTK
+noblacklist ${HOME}/.config/news-flash
+noblacklist ${HOME}/.local/share/news-flash
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/NewsFlashGTK
+mkdir ${HOME}/.config/news-flash
+mkdir ${HOME}/.local/share/news-flash
+whitelist ${HOME}/.cache/NewsFlashGTK
+whitelist ${HOME}/.config/news-flash
+whitelist ${HOME}/.local/share/news-flash
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.gitlab.newsflash,newsflash
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-tmp
+
+dbus-user none
+#dbus-user.own com.gitlab.newsflash
+#dbus-user.talk org.freedesktop.Notifications
+dbus-system none
diff --git a/etc/profile-m-z/nextcloud-desktop.profile b/etc/profile-m-z/nextcloud-desktop.profile
new file mode 100644
index 000000000..e74f9c03f
--- /dev/null
+++ b/etc/profile-m-z/nextcloud-desktop.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for nextcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nextcloud-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nextcloud.profile
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
new file mode 100644
index 000000000..cb499ba34
--- /dev/null
+++ b/etc/profile-m-z/nextcloud.profile
@@ -0,0 +1,72 @@
+# Firejail profile for nextcloud
+# Description: Nextcloud desktop synchronization client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nextcloud.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Nextcloud
+noblacklist ${HOME}/.config/Nextcloud
+noblacklist ${HOME}/.local/share/Nextcloud
+# Add the next lines to your nextcloud.local to allow sync in more directories.
+#noblacklist ${DOCUMENTS}
+#noblacklist ${MUSIC}
+#noblacklist ${PICTURES}
+#noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Nextcloud
+mkdir ${HOME}/.config/Nextcloud
+mkdir ${HOME}/.local/share/Nextcloud
+whitelist ${HOME}/Nextcloud
+whitelist ${HOME}/.config/Nextcloud
+whitelist ${HOME}/.local/share/Nextcloud
+# Add the next lines to your nextcloud.local to allow sync in more directories.
+#whitelist ${DOCUMENTS}
+#whitelist ${MUSIC}
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin nextcloud,nextcloud-desktop
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+# Add the next line to your nextcloud.local for tray icon support
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
new file mode 100644
index 000000000..035ad086a
--- /dev/null
+++ b/etc/profile-m-z/nheko.profile
@@ -0,0 +1,61 @@
+# Firejail profile for nheko
+# Description: Desktop IM client for the Matrix protocol
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nheko.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/nheko
+noblacklist ${HOME}/.config/nheko
+noblacklist ${HOME}/.local/share/nheko
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/nheko
+mkdir ${HOME}/.config/nheko
+mkdir ${HOME}/.local/share/nheko
+whitelist ${HOME}/.cache/nheko
+whitelist ${HOME}/.config/nheko
+whitelist ${HOME}/.local/share/nheko
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin nheko
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+
+# Add the next lines to your nheko.local to enable notification support.
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
new file mode 100644
index 000000000..0b55a0d3a
--- /dev/null
+++ b/etc/profile-m-z/nicotine.profile
@@ -0,0 +1,57 @@
+# Firejail profile for Nicotine Plus
+# Description: Soulseek music-sharing client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nicotine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.nicotine
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.nicotine
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.nicotine
+whitelist /usr/share/GeoIP
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin nicotine,python2*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile
new file mode 100644
index 000000000..13c6b59ae
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-cli.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile
new file mode 100644
index 000000000..513d26703
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-nmh.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-nmh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile
new file mode 100644
index 000000000..6edff3cce
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-send.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-send.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile
new file mode 100644
index 000000000..ba5f8edf5
--- /dev/null
+++ b/etc/profile-m-z/nitroshare-ui.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare-ui.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nitroshare.profile
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
new file mode 100644
index 000000000..d5dd4ca95
--- /dev/null
+++ b/etc/profile-m-z/nitroshare.profile
@@ -0,0 +1,52 @@
+# Firejail profile for nitroshare
+# Description: Network File Transfer Application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nitroshare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Nathan Osman
+noblacklist ${HOME}/.config/NitroShare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+# private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
+private-tmp
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile
new file mode 100644
index 000000000..cd48ed3c7
--- /dev/null
+++ b/etc/profile-m-z/node.profile
@@ -0,0 +1,11 @@
+# Firejail profile for node
+# Description: Evented I/O for V8 javascript
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
new file mode 100644
index 000000000..ab69136f6
--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,95 @@
+# Firejail profile for Node.js
+# Description: Asynchronous event-driven JavaScript runtime
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+ignore read-only ${HOME}/.nvm
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+ignore noexec ${HOME}
+
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
+# and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkdir ${HOME}/.npm-packages
+#mkfile ${HOME}/.npmrc
+#mkdir ${HOME}/.nvm
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npm-packages
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/.nvm
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/doc/node
+whitelist /usr/share/nvm
+whitelist /usr/share/systemtap/tapset/node.stp
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
new file mode 100644
index 000000000..b044fb879
--- /dev/null
+++ b/etc/profile-m-z/nomacs.profile
@@ -0,0 +1,45 @@
+# Firejail profile for nomacs
+# Description: a fast and small image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nomacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nomacs
+noblacklist ${HOME}/.local/share/nomacs
+noblacklist ${HOME}/.local/share/data/nomacs
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+#private-bin nomacs
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
+private-tmp
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
new file mode 100644
index 000000000..5caf3374d
--- /dev/null
+++ b/etc/profile-m-z/notify-send.profile
@@ -0,0 +1,60 @@
+# Firejail profile for notify-send
+# Description: a program to send desktop notifications
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include notify-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin notify-send
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
new file mode 100644
index 000000000..4d8beea5a
--- /dev/null
+++ b/etc/profile-m-z/npm.profile
@@ -0,0 +1,11 @@
+# Firejail profile for npm
+# Description: The Node.js Package Manager
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npm.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
new file mode 100644
index 000000000..baa8ddfeb
--- /dev/null
+++ b/etc/profile-m-z/nslookup.profile
@@ -0,0 +1,55 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
new file mode 100644
index 000000000..886403b9e
--- /dev/null
+++ b/etc/profile-m-z/nuclear.profile
@@ -0,0 +1,25 @@
+# Firejail profile for nuclear
+# Description: Stream music from Youtube,Soundcloud,Jamendo
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nuclear.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user
+
+noblacklist ${HOME}/.config/nuclear
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/nuclear
+whitelist ${HOME}/.config/nuclear
+
+no3d
+
+# private-bin nuclear
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt nuclear
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile
new file mode 100644
index 000000000..80da22834
--- /dev/null
+++ b/etc/profile-m-z/nvm.profile
@@ -0,0 +1,13 @@
+# Firejail profile for nvm
+# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvm.local
+# Persistent global definitions
+include globals.local
+
+ignore noroot
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
new file mode 100644
index 000000000..3474a075f
--- /dev/null
+++ b/etc/profile-m-z/nylas.profile
@@ -0,0 +1,38 @@
+# Firejail profile for nylas
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nylas.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Nylas Mail
+noblacklist ${HOME}/.nylas-mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Nylas Mail
+mkdir ${HOME}/.nylas-mail
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Nylas Mail
+whitelist ${HOME}/.nylas-mail
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
new file mode 100644
index 000000000..460a580b3
--- /dev/null
+++ b/etc/profile-m-z/nyx.profile
@@ -0,0 +1,54 @@
+# Firejail profile for nyx
+# Description: Command-line status monitor for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nyx.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${HOME}/.nyx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.nyx
+whitelist ${HOME}/.nyx
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin nyx,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,passwd,tor
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
new file mode 100644
index 000000000..1ff9ad48a
--- /dev/null
+++ b/etc/profile-m-z/obs.profile
@@ -0,0 +1,43 @@
+# Firejail profile for obs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include obs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/obs-studio
+noblacklist ${MUSIC}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bash,obs,obs-ffmpeg-mux,python*,sh
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
new file mode 100644
index 000000000..8e87f1d5d
--- /dev/null
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -0,0 +1,55 @@
+# Firejail profile for ocenaudio
+# Description: Cross-platform, easy to use, fast and functional audio editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ocenaudio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/ocenaudio
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - breaks update functionality and AppArmor on Ubuntu systems
+# Add 'net none' to your ocenaudio.local when you want that functionality.
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin ocenaudio
+private-cache
+private-dev
+private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
+private-tmp
+
+# breaks preferences
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
new file mode 100644
index 000000000..22cec475b
--- /dev/null
+++ b/etc/profile-m-z/odt2txt.profile
@@ -0,0 +1,47 @@
+# Firejail profile for odt2txt
+# Description: Simple converter from OpenDocument Text to plain text
+# This file is overwritten after every install/update
+# Persistent local customizations
+include odt2txt.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin odt2txt
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-m-z/oggsplt.profile b/etc/profile-m-z/oggsplt.profile
new file mode 100644
index 000000000..5aedadde9
--- /dev/null
+++ b/etc/profile-m-z/oggsplt.profile
@@ -0,0 +1,9 @@
+# Firejail profile for oggsplt
+# This file is overwritten after every install/update
+include oggsplt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mp3splt.profile
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
new file mode 100644
index 000000000..84edc65ef
--- /dev/null
+++ b/etc/profile-m-z/okular.profile
@@ -0,0 +1,72 @@
+# Firejail profile for okular
+# Description: Universal document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include okular.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/okular
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/config.kcfg/gssettings.kcfg
+whitelist /usr/share/config.kcfg/pdfsettings.kcfg
+whitelist /usr/share/config.kcfg/okular.kcfg
+whitelist /usr/share/config.kcfg/okular_core.kcfg
+whitelist /usr/share/ghostscript
+whitelist /usr/share/kconf_update/okular.upd
+whitelist /usr/share/kxmlgui5/okular
+whitelist /usr/share/okular
+whitelist /usr/share/poppler
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
+private-dev
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
+# private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
+
+# dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+
+join-or-start okular
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
new file mode 100644
index 000000000..b0ffba19c
--- /dev/null
+++ b/etc/profile-m-z/onboard.profile
@@ -0,0 +1,56 @@
+# Firejail profile for onboard
+# Description: On-screen keyboard
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onboard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onboard
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/onboard
+whitelist ${HOME}/.config/onboard
+whitelist /usr/share/onboard
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-bin onboard,python*,tput
+private-dev
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
new file mode 100644
index 000000000..cf4d7db30
--- /dev/null
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -0,0 +1,41 @@
+# Firejail profile for onionshare-gui
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onionshare-gui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onionshare
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile
new file mode 100644
index 000000000..8df7b502b
--- /dev/null
+++ b/etc/profile-m-z/ooffice.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ooffice.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile
new file mode 100644
index 000000000..c55d58ba7
--- /dev/null
+++ b/etc/profile-m-z/ooviewdoc.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ooviewdoc.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
new file mode 100644
index 000000000..12c7ea3d0
--- /dev/null
+++ b/etc/profile-m-z/open-invaders.profile
@@ -0,0 +1,43 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include open-invaders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openinvaders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.openinvaders
+whitelist ${HOME}/.openinvaders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin open-invaders
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
new file mode 100644
index 000000000..076a655a1
--- /dev/null
+++ b/etc/profile-m-z/openarena.profile
@@ -0,0 +1,50 @@
+# Firejail profile for OpenArena
+# Description: deathmatch FPS game based on GPL idTech3 technology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openarena.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openarena
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openarena
+whitelist ${HOME}/.openarena
+whitelist /usr/share/openarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
+private-cache
+private-dev
+private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
new file mode 100644
index 000000000..d70fbc101
--- /dev/null
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for openarena
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openarena_ded.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include openarena.profile
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
new file mode 100644
index 000000000..b49fd9932
--- /dev/null
+++ b/etc/profile-m-z/openbox.profile
@@ -0,0 +1,20 @@
+# Firejail profile for openbox
+# Description: Standards-compliant, fast, light-weight and extensible window manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openbox.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in openbox will run in this profile
+noblacklist ${HOME}/.config/openbox
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
new file mode 100644
index 000000000..560bc6cbc
--- /dev/null
+++ b/etc/profile-m-z/opencity.profile
@@ -0,0 +1,48 @@
+# Firejail profile for opencity
+# Description: Full 3D city simulator game project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opencity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.opencity
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.opencity
+whitelist ${HOME}/.opencity
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin opencity
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
new file mode 100644
index 000000000..253465991
--- /dev/null
+++ b/etc/profile-m-z/openclonk.profile
@@ -0,0 +1,49 @@
+# Firejail profile for openclonk
+# Description: Multiplayer action, tactics and skill game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openclonk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.clonk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.clonk
+whitelist ${HOME}/.clonk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+# net none - networked game
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin c4group,openclonk
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openmw-launcher.profile b/etc/profile-m-z/openmw-launcher.profile
new file mode 100644
index 000000000..c9cc144e4
--- /dev/null
+++ b/etc/profile-m-z/openmw-launcher.profile
@@ -0,0 +1,7 @@
+# Firejail profile for openmw-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw-launcher.local
+
+# Redirect
+include openmw.profile
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
new file mode 100644
index 000000000..ce3399ad6
--- /dev/null
+++ b/etc/profile-m-z/openmw.profile
@@ -0,0 +1,61 @@
+# Firejail profile for openmw
+# Description: Open source engine re-implementation for Morrowind
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/openmw
+noblacklist ${HOME}/.local/share/openmw
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/openmw
+mkdir ${HOME}/.local/share/openmw
+whitelist ${HOME}/.config/openmw
+# Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt.
+# Alternatively you can whitelist custom paths in your openmw.local.
+whitelist ${HOME}/.local/share/openmw
+whitelist /usr/share/openmw
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Add 'ignore nodvd' to your openmw.local when installing from disc.
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile
new file mode 100644
index 000000000..4221db409
--- /dev/null
+++ b/etc/profile-m-z/openoffice.org.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openoffice.org.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile
new file mode 100644
index 000000000..c1a030556
--- /dev/null
+++ b/etc/profile-m-z/openshot-qt.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for openshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openshot-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include openshot.profile
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
new file mode 100644
index 000000000..e2af2e714
--- /dev/null
+++ b/etc/profile-m-z/openshot.profile
@@ -0,0 +1,49 @@
+# Firejail profile for openshot
+# Description: Create and edit videos and movies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /usr/share/blender
+whitelist /usr/share/inkscape
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin blender,inkscape,openshot,openshot-qt,python3*
+private-cache
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-system none
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
new file mode 100644
index 000000000..6c31ebf65
--- /dev/null
+++ b/etc/profile-m-z/openttd.profile
@@ -0,0 +1,48 @@
+# Firejail profile for openttd
+# Description: Transport system simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openttd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openttd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openttd
+whitelist ${HOME}/.openttd
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openttd
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
new file mode 100644
index 000000000..551f1aba4
--- /dev/null
+++ b/etc/profile-m-z/opera-beta.profile
@@ -0,0 +1,22 @@
+# Firejail profile for opera-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera-beta.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.config/opera-beta
+
+mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.config/opera-beta
+whitelist ${HOME}/.cache/opera
+whitelist ${HOME}/.config/opera-beta
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
new file mode 100644
index 000000000..2c7c5fc35
--- /dev/null
+++ b/etc/profile-m-z/opera.profile
@@ -0,0 +1,26 @@
+# Firejail profile for opera
+# Description: A fast and secure web browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opera.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/opera
+noblacklist ${HOME}/.config/opera
+noblacklist ${HOME}/.opera
+
+mkdir ${HOME}/.cache/opera
+mkdir ${HOME}/.config/opera
+mkdir ${HOME}/.opera
+whitelist ${HOME}/.cache/opera
+whitelist ${HOME}/.config/opera
+whitelist ${HOME}/.opera
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/orage.profile b/etc/profile-m-z/orage.profile
index 209c7e9db..a3ec6a386 100644
--- a/etc/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -1,35 +1,39 @@
 # Firejail profile for orage
+# Description: Calendar for Xfce Desktop Environment
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/orage.local
+include orage.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/orage
 noblacklist ${HOME}/.local/share/orage
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
-nosound
+# nosound - calendar application, It must be able to play sound to wake you up.
 notv
+nou2f
 novideo
 protocol unix
 seccomp
 shell none
 
 disable-mnt
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/org.gnome.NautilusPreviewer.profile b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile
new file mode 100644
index 000000000..eb75add58
--- /dev/null
+++ b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for sushi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include org.gnome.NautilusPreviewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include sushi.profile
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
new file mode 100644
index 000000000..de6a6d3f5
--- /dev/null
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -0,0 +1,50 @@
+# Firejail profile for ostrichriders
+# Description: Knights flying on ostriches compete against other riders
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ostrichriders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ostrichriders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ostrichriders
+whitelist ${HOME}/.ostrichriders
+whitelist /usr/share/ostrichriders
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+# Add 'ignore noinput' to your ostrichriders.local if you need controller support.
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ostrichriders
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
new file mode 100644
index 000000000..78f92a860
--- /dev/null
+++ b/etc/profile-m-z/otter-browser.profile
@@ -0,0 +1,59 @@
+# Firejail profile for otter-browser
+# Description: Lightweight web browser based on Qt5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include otter-browser.local
+# Persistent global definitions
+include globals.local
+
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/Otter
+noblacklist ${HOME}/.config/otter
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Otter
+mkdir ${HOME}/.config/otter
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Otter
+whitelist ${HOME}/.config/otter
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/otter-browser
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin bash,otter-browser,sh,which
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-m-z/out123.profile b/etc/profile-m-z/out123.profile
new file mode 100644
index 000000000..4754c05ba
--- /dev/null
+++ b/etc/profile-m-z/out123.profile
@@ -0,0 +1,9 @@
+# Firejail profile for out123
+# Persistent local customizations
+include out123.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include mpg123.profile
diff --git a/etc/profile-m-z/p7zip.profile b/etc/profile-m-z/p7zip.profile
new file mode 100644
index 000000000..652fac7bd
--- /dev/null
+++ b/etc/profile-m-z/p7zip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for p7zip
+# Description: File archiver with high compression ratio
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include p7zip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include 7z.profile
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
new file mode 100644
index 000000000..acb2ce176
--- /dev/null
+++ b/etc/profile-m-z/palemoon.profile
@@ -0,0 +1,26 @@
+# Firejail profile for palemoon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include palemoon.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/moonchild productions/pale moon
+noblacklist ${HOME}/.moonchild productions/pale moon
+
+mkdir ${HOME}/.cache/moonchild productions/pale moon
+mkdir ${HOME}/.moonchild productions
+whitelist ${HOME}/.cache/moonchild productions/pale moon
+whitelist ${HOME}/.moonchild productions
+
+# Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
+seccomp
+ignore seccomp
+
+#private-bin palemoon
+# private-etc must first be enabled in firefox-common.profile
+#private-etc palemoon
+#private-opt palemoon
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
new file mode 100644
index 000000000..2595d8a8f
--- /dev/null
+++ b/etc/profile-m-z/pandoc.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pandoc
+# Description: general markup converter
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pandoc.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# breaks pdf output
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
+private-cache
+private-dev
+private-etc alternatives,texlive,texmf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
new file mode 100644
index 000000000..33d75f0d2
--- /dev/null
+++ b/etc/profile-m-z/parole.profile
@@ -0,0 +1,30 @@
+# Firejail profile for parole
+# Description: Media player based on GStreamer framework
+# This file is overwritten after every install/update
+# Persistent local customizations
+include parole.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin dbus-launch,parole
+private-cache
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
new file mode 100644
index 000000000..3973c1b4a
--- /dev/null
+++ b/etc/profile-m-z/patch.profile
@@ -0,0 +1,51 @@
+# Firejail profile for patch
+# Description: Apply a diff file to an original
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include patch.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+private-bin patch,red
+private-dev
+private-lib libdl.so.*,libfakeroot
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
new file mode 100644
index 000000000..f96ba14d2
--- /dev/null
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -0,0 +1,19 @@
+# Firejail profile for pavucontrol-qt
+# Description: PulseAudio Volume Control [Qt]
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pavucontrol-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/pavucontrol-qt
+
+mkdir ${HOME}/.config/pavucontrol-qt
+whitelist ${HOME}/.config/pavucontrol-qt
+
+private-bin pavucontrol-qt
+ignore private-lib
+
+# Redirect
+include pavucontrol.profile
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
new file mode 100644
index 000000000..0bd14e88e
--- /dev/null
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pavucontrol
+# Description: PulseAudio Volume Control [GTK]
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pavucontrol.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pavucontrol.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} is broken, see #3112
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
+whitelist /usr/share/pavucontrol
+whitelist /usr/share/pavucontrol-qt
+#include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin pavucontrol
+private-cache
+private-dev
+private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/pcmanfm.profile b/etc/profile-m-z/pcmanfm.profile
new file mode 100644
index 000000000..5718ab164
--- /dev/null
+++ b/etc/profile-m-z/pcmanfm.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pcmanfm
+# Description: Extremely fast and lightweight file manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcmanfm.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
new file mode 100644
index 000000000..e52a1c4a9
--- /dev/null
+++ b/etc/profile-m-z/pcsxr.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pcsxr
+# Description: A PlayStation emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcsxr.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in your pcsxr.local
+
+noblacklist ${HOME}/.pcsxr
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pcsxr
+whitelist ${HOME}/.pcsxr
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Add the next line to your pcsxr.local when not loading games from disc.
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-bin pcsxr
+private-cache
+# Add the next line to your pcsxr.local if you do not need controller support.
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
new file mode 100644
index 000000000..bebd4ba44
--- /dev/null
+++ b/etc/profile-m-z/pdfchain.profile
@@ -0,0 +1,43 @@
+# Firejail profile for pdfchain
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfchain.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin pdfchain,pdftk,sh
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/pdflatex.profile b/etc/profile-m-z/pdflatex.profile
new file mode 100644
index 000000000..caf980d4d
--- /dev/null
+++ b/etc/profile-m-z/pdflatex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pdflatex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdflatex.local
+# Persistent global definitions
+include globals.local
+
+private-bin pdflatex
+
+# Redirect
+include latex-common.profile
+
diff --git a/etc/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index 8489e79a6..c8397a31e 100644
--- a/etc/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -1,31 +1,37 @@
 # Firejail profile for pdfmod
+# Description: Simple tool for modifying PDF documents
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pdfmod.local
+include pdfmod.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+include globals.local
 
 noblacklist ${HOME}/.cache/pdfmod
 noblacklist ${HOME}/.config/pdfmod
+noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-include /etc/firejail/whitelist-var-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
+machine-id
 net none
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
@@ -34,5 +40,5 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
new file mode 100644
index 000000000..0c2ce0588
--- /dev/null
+++ b/etc/profile-m-z/pdfsam.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pdfsam
+# Description: PDF Split and Merge
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdfsam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin archlinux-java,awk,bash,dirname,expr,find,grep,java,java-config,ls,pdfsam,readlink,sh,sort,uname,which
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
new file mode 100644
index 000000000..0cb08aa74
--- /dev/null
+++ b/etc/profile-m-z/pdftotext.profile
@@ -0,0 +1,55 @@
+# Firejail profile for pdftotext
+# Description: Portable Document Format (PDF) to text converter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdftotext.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+private-bin pdftotext
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
new file mode 100644
index 000000000..a8f925313
--- /dev/null
+++ b/etc/profile-m-z/peek.profile
@@ -0,0 +1,62 @@
+# Firejail profile for peek
+# This file is overwritten after every install/update
+# Persistent local customizations
+include peek.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/peek
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#mkdir ${HOME}/.cache/peek
+#whitelist ${HOME}/.cache/peek
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
+private-dev
+private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own com.uploadedlobster.peek
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.FileManager1
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.Shell.Screencast
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
new file mode 100644
index 000000000..13e89616e
--- /dev/null
+++ b/etc/profile-m-z/penguin-command.profile
@@ -0,0 +1,42 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include penguin-command.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.penguin-command
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+whitelist ${HOME}/.penguin-command
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin penguin-command
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
new file mode 100644
index 000000000..c012504c4
--- /dev/null
+++ b/etc/profile-m-z/photoflare.profile
@@ -0,0 +1,50 @@
+# Firejail profile for photoflare
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include photoflare.local
+# Persistent global definitions
+include photoflare.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin photoflare
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
new file mode 100644
index 000000000..dbbfc5275
--- /dev/null
+++ b/etc/profile-m-z/picard.profile
@@ -0,0 +1,43 @@
+# Firejail profile for picard
+# Description: Next-Generation MusicBrainz audio files tagger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include picard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/MusicBrainz
+noblacklist ${HOME}/.config/MusicBrainz
+noblacklist ${MUSIC}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
new file mode 100644
index 000000000..904c17e09
--- /dev/null
+++ b/etc/profile-m-z/pidgin.profile
@@ -0,0 +1,47 @@
+# Firejail profile for pidgin
+# Description: Graphical multi-protocol instant messaging client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pidgin.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${RUNUSER}
+ignore noexec /dev/shm
+
+noblacklist ${HOME}/.purple
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.purple
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+# shell none
+tracelog
+
+# private-bin pidgin
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/pinball-wrapper.profile b/etc/profile-m-z/pinball-wrapper.profile
new file mode 100644
index 000000000..2b5ed6e27
--- /dev/null
+++ b/etc/profile-m-z/pinball-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for pinball-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinball-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin pinball-wrapper
+
+# Redirect
+include pinball.profile
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
new file mode 100644
index 000000000..3c76ad99c
--- /dev/null
+++ b/etc/profile-m-z/pinball.profile
@@ -0,0 +1,55 @@
+# Firejail profile for pinball
+# Description: Emilia 3D Pinball Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinball.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/emilia
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/emilia
+whitelist ${HOME}/.config/emilia
+
+whitelist /usr/share/pinball
+# on debian games are stored under /usr/share/games
+whitelist /usr/share/games/pinball
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin pinball
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
new file mode 100644
index 000000000..b4923c38a
--- /dev/null
+++ b/etc/profile-m-z/ping.profile
@@ -0,0 +1,58 @@
+# Firejail profile for ping
+# Description: send ICMP ECHO_REQUEST to network hosts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ping.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.keep net_raw
+ipc-namespace
+#net tun0
+#netfilter /etc/firejail/ping.net
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+# ping needs to rise privileges, noroot and nonewprivs will kill it
+#nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+# protocol command is built using seccomp; nonewprivs will kill it
+#protocol unix,inet,inet6,netlink,packet
+# killed by no-new-privs
+#seccomp
+
+disable-mnt
+private
+#private-bin has mammoth problems with execvp: "No such file or directory"
+private-dev
+# /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem!
+#private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-tmp
+
+# memory-deny-write-execute is built using seccomp; nonewprivs will kill it
+#memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
new file mode 100644
index 000000000..5b2d7a5a4
--- /dev/null
+++ b/etc/profile-m-z/pingus.profile
@@ -0,0 +1,57 @@
+# Firejail profile for pingus
+# Description: Free Lemmings(TM) clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pingus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pingus
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pingus
+whitelist ${HOME}/.pingus
+whitelist /usr/share/pingus
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin pingus,pingus.bin,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
new file mode 100644
index 000000000..f52803d50
--- /dev/null
+++ b/etc/profile-m-z/pinta.profile
@@ -0,0 +1,41 @@
+# Firejail profile for pinta
+# Description: Simple drawing/painting program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pinta.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Pinta
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-cache
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
new file mode 100644
index 000000000..7c9bb352b
--- /dev/null
+++ b/etc/profile-m-z/pioneer.profile
@@ -0,0 +1,47 @@
+# Firejail profile for pioneer
+# Description: A game of lonely space adventure
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pioneer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pioneer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pioneer
+whitelist ${HOME}/.pioneer
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin modelcompiler,pioneer,savegamedump
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile
new file mode 100644
index 000000000..3de064311
--- /dev/null
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for pipe-viewer
+# Description: Fork of youtube-viewer, scrapes youtube directly and with invidious
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pipe-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/pipe-viewer
+noblacklist ${HOME}/.config/pipe-viewer
+
+mkdir ${HOME}/.config/pipe-viewer
+mkdir ${HOME}/.cache/pipe-viewer
+whitelist ${HOME}/.cache/pipe-viewer
+whitelist ${HOME}/.config/pipe-viewer
+
+private-bin gtk-pipe-viewer,pipe-viewer
+
+# Redirect
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile
new file mode 100644
index 000000000..91814d8bb
--- /dev/null
+++ b/etc/profile-m-z/pithos.profile
@@ -0,0 +1,43 @@
+# Firejail profile for pithos
+# Description: Pandora Radio client for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pithos.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin env,pithos,python*
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
new file mode 100644
index 000000000..245ffae22
--- /dev/null
+++ b/etc/profile-m-z/pitivi.profile
@@ -0,0 +1,42 @@
+# Firejail profile for pitivi
+# Description: Non-linear audio/video editor using GStreamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pitivi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pitivi
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/etc/pix.profile b/etc/profile-m-z/pix.profile
index 5440e4634..6bd1ad02e 100644
--- a/etc/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -1,27 +1,30 @@
 # Firejail profile for pix
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/pix.local
+include pix.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/pix
 noblacklist ${HOME}/.local/share/pix
-noblacklist ~/.Steam
-noblacklist ~/.steam
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
@@ -29,5 +32,6 @@ shell none
 tracelog
 
 private-bin pix
+private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
new file mode 100644
index 000000000..c2707dac4
--- /dev/null
+++ b/etc/profile-m-z/pkglog.profile
@@ -0,0 +1,59 @@
+# Firejail profile for pklog
+# Description: Reports log of package updates
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pkglog.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/log/apt/history.log
+whitelist /var/log/dnf.rpm.log
+whitelist /var/log/pacman.log
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin pkglog,python*
+private-cache
+private-dev
+private-etc alternatives
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-only /var/log/apt/history.log
+read-only /var/log/dnf.rpm.log
+read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/planmaker18.profile b/etc/profile-m-z/planmaker18.profile
new file mode 100644
index 000000000..4cf1efb7f
--- /dev/null
+++ b/etc/profile-m-z/planmaker18.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18
+# Description: SoftMaker Office - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/profile-m-z/planmaker18free.profile b/etc/profile-m-z/planmaker18free.profile
new file mode 100644
index 000000000..bb85f1fc7
--- /dev/null
+++ b/etc/profile-m-z/planmaker18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for planmaker18free
+# Description: SoftMaker FreeOffice - spreadsheet program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include planmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
new file mode 100644
index 000000000..8e98905b5
--- /dev/null
+++ b/etc/profile-m-z/playonlinux.profile
@@ -0,0 +1,23 @@
+# Firejail profile for playonlinux
+# Description: Front-end for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include playonlinux.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.PlayOnLinux
+
+# nc is needed to run playonlinux
+noblacklist ${PATH}/nc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Redirect
+include wine.profile
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
new file mode 100644
index 000000000..567725be4
--- /dev/null
+++ b/etc/profile-m-z/pluma.profile
@@ -0,0 +1,52 @@
+# Firejail profile for pluma
+# Description: Official text editor of the MATE desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pluma.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/pluma
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pluma
+private-dev
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
new file mode 100644
index 000000000..80f768170
--- /dev/null
+++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,60 @@
+# Firejail profile for plv
+# Description: Inspect pacman log files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include plv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/PacmanLogViewer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
+whitelist /var/log/pacman.log
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin plv
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks opening file-chooser
+read-only ${HOME}
+read-write ${HOME}/.config/PacmanLogViewer
+read-only /var/log/pacman.log
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
new file mode 100644
index 000000000..0b3d2b44c
--- /dev/null
+++ b/etc/profile-m-z/pngquant.profile
@@ -0,0 +1,56 @@
+# Firejail profile for pngquant
+# Description: PNG converter and lossy image compressor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pngquant.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# block the socket syscall to simulate an be empty protocol line, see #639
+seccomp socket
+shell none
+tracelog
+x11 none
+
+private-bin pngquant
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/polari.profile b/etc/profile-m-z/polari.profile
index a990194c9..a3d4f9851 100644
--- a/etc/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -1,14 +1,19 @@
 # Firejail profile for polari
+# Description: Internet Relay Chat (IRC) client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/polari.local
+include polari.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/telepathy
 mkdir ${HOME}/.config/telepathy-account-widgets
@@ -22,17 +27,20 @@ whitelist ${HOME}/.local/share/Empathy
 whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -42,5 +50,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
new file mode 100644
index 000000000..3e06cf300
--- /dev/null
+++ b/etc/profile-m-z/ppsspp.profile
@@ -0,0 +1,51 @@
+# Firejail profile for ppsspp
+# Description: A PSP emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ppsspp.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in your ppsspp.local.
+
+noblacklist ${HOME}/.config/ppsspp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/ppsspp
+whitelist ${HOME}/.config/ppsspp
+whitelist /usr/share/ppsspp
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
+# Add the next line to your ppsspp.local if you do not need controller support.
+#private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-opt ppsspp
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
new file mode 100644
index 000000000..bc0ff0e85
--- /dev/null
+++ b/etc/profile-m-z/pragha.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pragha
+# Description: A lightweight GTK music player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pragha.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/pragha
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+
diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile
new file mode 100644
index 000000000..65d684c40
--- /dev/null
+++ b/etc/profile-m-z/presentations18.profile
@@ -0,0 +1,11 @@
+# Firejail profile for presentations18
+# Description: SoftMaker Office - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
+
diff --git a/etc/profile-m-z/presentations18free.profile b/etc/profile-m-z/presentations18free.profile
new file mode 100644
index 000000000..218747224
--- /dev/null
+++ b/etc/profile-m-z/presentations18free.profile
@@ -0,0 +1,10 @@
+# Firejail profile for presentations18free
+# Description: SoftMaker FreeOffice - presentations software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include presentations18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
new file mode 100644
index 000000000..705af370b
--- /dev/null
+++ b/etc/profile-m-z/profanity.profile
@@ -0,0 +1,53 @@
+# Firejail profile for profanity
+# Description: profanity is an XMPP chat client for the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include profanity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/profanity
+noblacklist ${HOME}/.local/share/profanity
+
+# Allow Python
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin profanity
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
new file mode 100644
index 000000000..5f598cec5
--- /dev/null
+++ b/etc/profile-m-z/psi-plus.profile
@@ -0,0 +1,45 @@
+# Firejail profile for psi-plus
+# Description: Qt-based XMPP/Jabber client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi-plus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/psi+
+mkdir ${HOME}/.config/psi+
+mkdir ${HOME}/.local/share/psi+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/psi+
+whitelist ${HOME}/.config/psi+
+whitelist ${HOME}/.local/share/psi+
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
new file mode 100644
index 000000000..450bb10c7
--- /dev/null
+++ b/etc/profile-m-z/psi.profile
@@ -0,0 +1,78 @@
+# Firejail profile for psi
+# Description: Native XMPP client with GPG support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi.local
+# Persistent global definitions
+include globals.local
+
+# Add the next line to your psi.local to enable GPG support.
+#noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/psi
+noblacklist ${HOME}/.cache/Psi
+noblacklist ${HOME}/.config/psi
+noblacklist ${HOME}/.local/share/psi
+noblacklist ${HOME}/.local/share/Psi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# Add the next line to your psi.local to enable GPG support.
+#mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/psi
+mkdir ${HOME}/.cache/Psi
+mkdir ${HOME}/.config/psi
+mkdir ${HOME}/.local/share/psi
+mkdir ${HOME}/.local/share/Psi
+# Add the next line to your psi.local to enable GPG support.
+#whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/psi
+whitelist ${HOME}/.cache/Psi
+whitelist ${HOME}/.config/psi
+whitelist ${HOME}/.local/share/psi
+whitelist ${HOME}/.local/share/Psi
+whitelist ${DOWNLOADS}
+# Add the next lines to your psi.local to enable GPG support.
+#whitelist /usr/share/gnupg
+#whitelist /usr/share/gnupg2
+whitelist /usr/share/psi
+# Add the next lines to your psi.local to enable GPG support.
+#whitelist ${RUNUSER}/gnupg
+#whitelist ${RUNUSER}/keyring
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+novideo
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+#tracelog - breaks on Arch
+
+disable-mnt
+# Add the next line to your psi.local to enable GPG support.
+#private-bin gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet
+private-bin getopt,psi
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
new file mode 100644
index 000000000..8d8729d4a
--- /dev/null
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -0,0 +1,46 @@
+# Firejail profile for pybitmessage
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pybitmessage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/local/sbin
+noblacklist /usr/sbin
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+include disable-interpreters.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin bash,env,ldconfig,pybitmessage,python*,sh,stat
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg
+private-tmp
+
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
new file mode 100644
index 000000000..f3d40e7f3
--- /dev/null
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pycharm-community
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pycharm-community.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.PyCharmCE*
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
+
+caps.drop all
+machine-id
+nodvd
+nogroups
+noinput
+nosound
+notv
+nou2f
+novideo
+shell none
+tracelog
+
+# private-etc alternatives,fonts,passwd - minimal required to run but will probably break
+# program!
+private-cache
+private-dev
+private-tmp
+
+noexec /tmp
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
new file mode 100644
index 000000000..b754a18c9
--- /dev/null
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -0,0 +1,12 @@
+# Firejail profilen alias for pycharm-professional
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pyucharm-professional.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.PyCharm*
+
+# Redirect
+include pycharm-community.profile
diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile
new file mode 100644
index 000000000..b0a4c6be8
--- /dev/null
+++ b/etc/profile-m-z/pzstd.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pzstd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
new file mode 100644
index 000000000..8778ec5fb
--- /dev/null
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -0,0 +1,63 @@
+# Firejail profile for qbittorrent
+# Description: BitTorrent client based on libtorrent-rasterbar with a Qt5 GUI
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qbittorrent.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/qBittorrent
+noblacklist ${HOME}/.config/qBittorrent
+noblacklist ${HOME}/.config/qBittorrentrc
+noblacklist ${HOME}/.local/share/data/qBittorrent
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/qBittorrent
+mkdir ${HOME}/.config/qBittorrent
+mkfile ${HOME}/.config/qBittorrentrc
+mkdir ${HOME}/.local/share/data/qBittorrent
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/qBittorrent
+whitelist ${HOME}/.config/qBittorrent
+whitelist ${HOME}/.config/qBittorrentrc
+whitelist ${HOME}/.local/share/data/qBittorrent
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin python*,qbittorrent
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# See https://github.com/netblue30/firejail/issues/3707 for tray-icon
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
new file mode 100644
index 000000000..4d4d3694b
--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,67 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
diff --git a/etc/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index 2738e04bb..2aea715dc 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -1,15 +1,14 @@
 # Firejail profile for qemu-launcher
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qemu-launcher.local
+include qemu-launcher.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-noblacklist ~/.qemu-launcher
+noblacklist ${HOME}/.qemu-launcher
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -23,6 +22,7 @@ seccomp
 shell none
 tracelog
 
+private-cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
index 7a60007fe..2333e07d9 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -1,14 +1,13 @@
 # Firejail profile for qemu-system-x86_64
+# Description: QEMU system emulator for x86_64
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qemu-system-x86_64.local
+include qemu-system-x86_64.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -22,6 +21,7 @@ seccomp
 shell none
 tracelog
 
+private-cache
 private-tmp
 
 noexec /tmp
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
new file mode 100644
index 000000000..3dc232b55
--- /dev/null
+++ b/etc/profile-m-z/qgis.profile
@@ -0,0 +1,59 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+machine-id
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp !mbind
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/qlipper.profile b/etc/profile-m-z/qlipper.profile
index 796015654..7176d8a39 100644
--- a/etc/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
@@ -1,34 +1,38 @@
 # Firejail profile for qlipper
+# Description: Lightweight and cross-platform clipboard history applet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/qlipper.local
+include qlipper.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/Qlipper
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
 shell none
 
 disable-mnt
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
new file mode 100644
index 000000000..af85c95e7
--- /dev/null
+++ b/etc/profile-m-z/qmmp.profile
@@ -0,0 +1,39 @@
+# Firejail profile for qmmp
+# Description: Feature-rich audio player with support of many formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qmmp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.qmmp
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+# no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bzip2,gzip,qmmp,tar,unzip
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
new file mode 100644
index 000000000..4eee0df5f
--- /dev/null
+++ b/etc/profile-m-z/qnapi.profile
@@ -0,0 +1,55 @@
+# Firejail profile for qnapi
+# Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qnapi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/qnapi.ini
+
+ignore noexec /tmp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/qnapi.ini
+whitelist ${HOME}/.config/qnapi.ini
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin 7z,qnapi
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
new file mode 100644
index 000000000..3ad8a19c8
--- /dev/null
+++ b/etc/profile-m-z/qpdfview.profile
@@ -0,0 +1,46 @@
+# Firejail profile for qpdfview
+# Description: Tabbed document viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qpdfview.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin qpdfview
+private-dev
+private-tmp
+
+# needs D-Bus when started from a file manager
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
new file mode 100644
index 000000000..7ef676068
--- /dev/null
+++ b/etc/profile-m-z/qrencode.profile
@@ -0,0 +1,57 @@
+# Firejail profile for qrencode
+# Description: Encode input data in a QR Code and save as a PNG or EPS image.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qrencode.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin qrencode
+private-cache
+private-dev
+private-etc none
+private-lib libpcre*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/qt-faststart.profile b/etc/profile-m-z/qt-faststart.profile
new file mode 100644
index 000000000..2cdff33a6
--- /dev/null
+++ b/etc/profile-m-z/qt-faststart.profile
@@ -0,0 +1,14 @@
+# Firejail profile for qt-faststart
+# Description: FFmpeg-based media utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qt-faststart.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin qt-faststart
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
new file mode 100644
index 000000000..bae802cc6
--- /dev/null
+++ b/etc/profile-m-z/qtox.profile
@@ -0,0 +1,52 @@
+# Firejail profile for qtox
+# Description: Powerful Tox client written in C++/Qt that follows the Tox design guidelines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qtox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Tox
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin qtox
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
new file mode 100644
index 000000000..91e0d9d0d
--- /dev/null
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -0,0 +1,20 @@
+# Firejail profile for quadrapassel
+# Description: Tetris-like game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quadrapassel.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/quadrapassel
+
+mkdir ${HOME}/.local/share/quadrapassel
+whitelist ${HOME}/.local/share/quadrapassel
+whitelist /usr/share/quadrapassel
+
+private-bin quadrapassel
+
+dbus-user.own org.gnome.Quadrapassel
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
new file mode 100644
index 000000000..c65089e20
--- /dev/null
+++ b/etc/profile-m-z/quassel.profile
@@ -0,0 +1,26 @@
+# Firejail profile for quassel
+# Description: Distributed IRC client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quassel.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
+
+private-cache
+private-tmp
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
new file mode 100644
index 000000000..dfb46ddae
--- /dev/null
+++ b/etc/profile-m-z/quaternion.profile
@@ -0,0 +1,54 @@
+# Firejail profile for quaternion
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quaternion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Quotient/quaternion
+noblacklist ${HOME}/.config/Quotient
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Quotient/quaternion
+mkdir ${HOME}/.config/Quotient
+whitelist ${HOME}/.cache/Quotient/quaternion
+whitelist ${HOME}/.config/Quotient
+whitelist ${DOWNLOADS}
+whitelist /usr/share/Quotient/quaternion
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin quaternion
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/quiterss.profile b/etc/profile-m-z/quiterss.profile
index f820b590e..8f89931c7 100644
--- a/etc/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -1,40 +1,47 @@
 # Firejail profile for quiterss
+# Description: RSS/Atom news feeds reader
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/quiterss.local
+include quiterss.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/QuiteRss
 noblacklist ${HOME}/.config/QuiteRss
 noblacklist ${HOME}/.config/QuiteRssrc
 noblacklist ${HOME}/.local/share/QuiteRss
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
-mkdir ~/.cache/QuiteRss
-mkdir ~/.config/QuiteRss
-mkdir ~/.local/share/data
-mkdir ~/.local/share/data/QuiteRss
+mkdir ${HOME}/.cache/QuiteRss
+mkdir ${HOME}/.config/QuiteRss
+mkdir ${HOME}/.local/share/data
+mkdir ${HOME}/.local/share/data/QuiteRss
+mkdir ${HOME}/.local/share/QuiteRss
+mkfile ${HOME}/quiterssfeeds.opml
 whitelist ${HOME}/.cache/QuiteRss
-whitelist ${HOME}/.config/QuiteRss/
+whitelist ${HOME}/.config/QuiteRss
 whitelist ${HOME}/.config/QuiteRssrc
 whitelist ${HOME}/.local/share/data/QuiteRss
 whitelist ${HOME}/.local/share/QuiteRss
 whitelist ${HOME}/quiterssfeeds.opml
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 netfilter
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -44,7 +51,5 @@ tracelog
 disable-mnt
 private-bin quiterss
 private-dev
-# private-etc X11,ssl
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
new file mode 100644
index 000000000..bc435653d
--- /dev/null
+++ b/etc/profile-m-z/quodlibet.profile
@@ -0,0 +1,66 @@
+# Firejail profile for quodlibet
+# Description: Music player and music library manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quodlibet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/quodlibet
+noblacklist ${HOME}/.config/quodlibet
+noblacklist ${HOME}/.quodlibet
+noblacklist ${MUSIC}
+
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/quodlibet
+mkdir ${HOME}/.config/quodlibet
+mkdir ${HOME}/.quodlibet
+
+whitelist ${HOME}/.cache/quodlibet
+whitelist ${HOME}/.config/quodlibet
+whitelist ${HOME}/.quodlibet
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin exfalso,operon,python*,quodlibet,sh
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-m-z/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
new file mode 100644
index 000000000..c29d87a73
--- /dev/null
+++ b/etc/profile-m-z/qupzilla.profile
@@ -0,0 +1,24 @@
+# Firejail profile for qupzilla
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qupzilla.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/qupzilla
+noblacklist ${HOME}/.config/qupzilla
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/qupzilla
+mkdir ${HOME}/.config/qupzilla
+whitelist ${HOME}/.cache/qupzilla
+whitelist ${HOME}/.config/qupzilla
+
+# Redirect
+include falkon.profile
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
new file mode 100644
index 000000000..fc910b589
--- /dev/null
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -0,0 +1,40 @@
+# Firejail profile for qutebrowser
+# Description: Keyboard-driven, vim-like browser based on PyQt5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qutebrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/qutebrowser
+noblacklist ${HOME}/.config/qutebrowser
+noblacklist ${HOME}/.local/share/qutebrowser
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/qutebrowser
+mkdir ${HOME}/.config/qutebrowser
+mkdir ${HOME}/.local/share/qutebrowser
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/qutebrowser
+whitelist ${HOME}/.config/qutebrowser
+whitelist ${HOME}/.local/share/qutebrowser
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+# blacklisting of chroot system calls breaks qt webengine
+seccomp !chroot,!name_to_handle_at
+# tracelog
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
new file mode 100644
index 000000000..ffa2022ee
--- /dev/null
+++ b/etc/profile-m-z/rambox.profile
@@ -0,0 +1,38 @@
+# Firejail profile for rambox
+# Description: Free and Open Source messaging and emailing app that combines common web applications into one (Electron-based)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rambox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Rambox
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Rambox
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Rambox
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+# electron-based application, needing chroot
+#seccomp
+seccomp !chroot
+# tracelog
diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile
new file mode 100644
index 000000000..8b3fe97d8
--- /dev/null
+++ b/etc/profile-m-z/ranger.profile
@@ -0,0 +1,12 @@
+# Firejail profile for ranger
+# Description: File manager with an ncurses frontend written in Python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ranger.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your ranger.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
new file mode 100644
index 000000000..436b98f29
--- /dev/null
+++ b/etc/profile-m-z/redeclipse.profile
@@ -0,0 +1,48 @@
+# Firejail profile for redeclipse
+# Description: Free, casual arena shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include redeclipse.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.redeclipse
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.redeclipse
+whitelist ${HOME}/.redeclipse
+whitelist /usr/share/redeclipse
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private-bin redeclipse,sh,man
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile
new file mode 100644
index 000000000..d1dd365ab
--- /dev/null
+++ b/etc/profile-m-z/rednotebook.profile
@@ -0,0 +1,66 @@
+# Firejail profile for rednotebook
+# Description: Daily journal with calendar, templates and keyword searching
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rednotebook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/rednotebook
+noblacklist ${HOME}/.rednotebook
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/rednotebook
+mkdir ${HOME}/.rednotebook
+whitelist ${HOME}/.cache/rednotebook
+whitelist ${HOME}/.rednotebook
+whitelist ${DESKTOP}
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+whitelist /usr/libexec/webkit2gtk-4.0
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python3*,rednotebook
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
new file mode 100644
index 000000000..06ae67ae1
--- /dev/null
+++ b/etc/profile-m-z/redshift.profile
@@ -0,0 +1,53 @@
+# Firejail profile for redshift
+# Description: Adjusts the color temperature of your screen according to your surroundings
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include redshift.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/redshift
+noblacklist ${HOME}/.config/redshift.conf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/redshift
+whitelist ${HOME}/.config/redshift
+whitelist ${HOME}/.config/redshift.conf
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
new file mode 100644
index 000000000..1de59bc7c
--- /dev/null
+++ b/etc/profile-m-z/regextester.profile
@@ -0,0 +1,55 @@
+# Firejail profile for regextester
+# Description: A simple regex tester built for Pantheon Shell
+# This file is overwritten after every install/update
+# Persistent local customizations
+include regextester.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/com.github.artemanufrij.regextester
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin regextester
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib libgranite.so.*
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+# never write anything
+read-only ${HOME}
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
new file mode 100644
index 000000000..16da40daf
--- /dev/null
+++ b/etc/profile-m-z/remmina.profile
@@ -0,0 +1,42 @@
+# Firejail profile for remmina
+# Description: GTK+ Remote Desktop Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include remmina.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.remmina
+noblacklist ${HOME}/.config/remmina
+noblacklist ${HOME}/.local/share/remmina
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/rhythmbox-client.profile b/etc/profile-m-z/rhythmbox-client.profile
new file mode 100644
index 000000000..29e65d716
--- /dev/null
+++ b/etc/profile-m-z/rhythmbox-client.profile
@@ -0,0 +1,11 @@
+# Firejail profile for rhythmbox-client
+# Description: controls a running instance of rhythmbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox-client.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include rhythmbox.profile
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
new file mode 100644
index 000000000..26b62e456
--- /dev/null
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -0,0 +1,66 @@
+# Firejail profile for rhythmbox
+# Description: Music player and organizer for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rhythmbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.cache/rhythmbox
+noblacklist ${HOME}/.local/share/rhythmbox
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/rhythmbox
+whitelist /usr/share/lua
+whitelist /usr/share/libquvi-scripts
+whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin rhythmbox,rhythmbox-client
+private-cache
+private-dev
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Rhythmbox3
+dbus-user.own org.mpris.MediaPlayer2.rhythmbox
+dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.*
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-system filter
+dbus-system.talk org.freedesktop.Avahi
diff --git a/etc/ricochet.profile b/etc/profile-m-z/ricochet.profile
index 6da0e21d5..705ca0045 100644
--- a/etc/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -1,21 +1,23 @@
 # Firejail profile for ricochet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/ricochet.local
+include ricochet.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+include globals.local
 
 noblacklist ${HOME}/.local/share/Ricochet
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
+mkdir ${HOME}/.local/share/Ricochet
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/Ricochet
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -23,9 +25,11 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -34,7 +38,5 @@ shell none
 disable-mnt
 private-bin ricochet,tor
 private-dev
-#private-etc fonts,tor,X11,alternatives
+#private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
new file mode 100644
index 000000000..e91d25196
--- /dev/null
+++ b/etc/profile-m-z/riot-desktop.profile
@@ -0,0 +1,11 @@
+# Firejail profile for riot-desktop
+# Description: A glossy Matrix collaboration client for the desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include riot-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include riot-web.profile
diff --git a/etc/riot-web.profile b/etc/profile-m-z/riot-web.profile
index 06dbbe9d9..687c943b0 100644
--- a/etc/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -1,14 +1,18 @@
 # Firejail profile for riot-web
+# Description: A glossy Matrix collaboration client for the web
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/riot-web.local
+include riot-web.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
+
+ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Riot
 
+mkdir ${HOME}/.config/Riot
 whitelist ${HOME}/.config/Riot
-include /etc/firejail/whitelist-common.inc
+whitelist /usr/share/webapps/element
 
 # Redirect
-include /etc/firejail/electron.profile
+include electron.profile
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
new file mode 100644
index 000000000..81aef5a65
--- /dev/null
+++ b/etc/profile-m-z/ripperx.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
new file mode 100644
index 000000000..79f090d95
--- /dev/null
+++ b/etc/profile-m-z/ristretto.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ristretto
+# Description: Lightweight picture-viewer for the Xfce desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ristretto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ristretto
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/rnano.profile b/etc/profile-m-z/rnano.profile
new file mode 100644
index 000000000..d9048982a
--- /dev/null
+++ b/etc/profile-m-z/rnano.profile
@@ -0,0 +1,12 @@
+# Firejail profile for rnano
+# Description: A restricted nano
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rnano.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include nano.profile
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
new file mode 100644
index 000000000..8d3607c75
--- /dev/null
+++ b/etc/profile-m-z/rocketchat.profile
@@ -0,0 +1,30 @@
+# Firejail profile for rocketchat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rocketchat.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-devel.inc
+ignore include disable-exec.inc
+ignore include disable-interpreters.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore shell none
+ignore disable-mnt
+ignore private-cache
+ignore private-dev
+ignore private-tmp
+
+noblacklist ${HOME}/.config/Rocket.Chat
+
+mkdir ${HOME}/.config/Rocket.Chat
+whitelist ${HOME}/.config/Rocket.Chat
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
new file mode 100644
index 000000000..23a65f54a
--- /dev/null
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -0,0 +1,58 @@
+# Firejail profile for rsync
+# Description: a fast, versatile, remote (and local) file-copying tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include rsync.local
+# Persistent global definitions
+include globals.local
+
+# WARNING: this profile is designed to use rsync as a client for downloading,
+# not as a daemon (rsync --daemon) nor to create backups.
+# Usage: firejail --profile=rsync-download_only rsync
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# Add the next line to your rsync-download_only.local to enable extra hardening.
+#whitelist ${DOWNLOADS}
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin rsync
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
new file mode 100644
index 000000000..cd84ce05e
--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+#              symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile
diff --git a/etc/rtorrent.profile b/etc/profile-m-z/rtorrent.profile
index c18a1b06c..757624938 100644
--- a/etc/rtorrent.profile
+++ b/etc/profile-m-z/rtorrent.profile
@@ -1,28 +1,34 @@
 # Firejail profile for rtorrent
+# Description: Ncurses BitTorrent client based on LibTorrent from rakshasa
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/rtorrent.local
+include rtorrent.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
+machine-id
 netfilter
 nodvd
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
 private-bin rtorrent
+private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
new file mode 100644
index 000000000..cc6db5043
--- /dev/null
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -0,0 +1,28 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include rtv-addons.local
+# You can configure rtv to open different type of links
+# in external applications. Configuration here:
+# https://github.com/michael-lazar/rtv#viewing-media-links
+# This include is meant to facilitate that configuration
+# with the use of a .local file.
+
+ignore nosound
+ignore private-bin
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/.w3m
+
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.mailcap
+whitelist ${HOME}/.netrc
+whitelist ${HOME}/.w3m
+
+#private-bin w3m,mpv,youtube-dl
+
+# tells rtv, which browser to use
+#env RTV_BROWSER=w3m
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
new file mode 100644
index 000000000..03d812270
--- /dev/null
+++ b/etc/profile-m-z/rtv.profile
@@ -0,0 +1,65 @@
+# Firejail profile for rtv
+# Description: Browse Reddit from your terminal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtv.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/rtv
+noblacklist ${HOME}/.local/share/rtv
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# You can configure rtv to open different type of links in external applications.
+# Configuration: https://github.com/michael-lazar/rtv#viewing-media-links.
+# Add the next line to your rtv.local to enable external application support.
+#include rtv-addons.profile
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/rtv
+mkdir ${HOME}/.local/share/rtv
+whitelist ${HOME}/.config/rtv
+whitelist ${HOME}/.local/share/rtv
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin less,python*,rtv,sh,xdg-settings
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile
new file mode 100644
index 000000000..304bda87b
--- /dev/null
+++ b/etc/profile-m-z/runenpass.sh.profile
@@ -0,0 +1,10 @@
+# Firejail alias profile for enpass
+# This file is overwritten after every install/update
+# Persistent local customizations
+include runenpass.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include enpass.profile
diff --git a/etc/profile-m-z/rview.profile b/etc/profile-m-z/rview.profile
new file mode 100644
index 000000000..fb72a00de
--- /dev/null
+++ b/etc/profile-m-z/rview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/rvim.profile b/etc/profile-m-z/rvim.profile
new file mode 100644
index 000000000..7c6465d3c
--- /dev/null
+++ b/etc/profile-m-z/rvim.profile
@@ -0,0 +1,10 @@
+# Firejail profile for rvim
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rvim.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
new file mode 100644
index 000000000..d447be443
--- /dev/null
+++ b/etc/profile-m-z/sayonara.profile
@@ -0,0 +1,36 @@
+# Firejail profile for sayonara player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sayonara.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Sayonara
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin sayonara
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
new file mode 100644
index 000000000..1fa45a747
--- /dev/null
+++ b/etc/profile-m-z/scallion.profile
@@ -0,0 +1,44 @@
+# Firejail profile for scallion
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include scallion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${PATH}/openssl
+noblacklist ${PATH}/openssl-1.0
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
new file mode 100644
index 000000000..e76caec1d
--- /dev/null
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -0,0 +1,11 @@
+# Firejail profile for scorched3d-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d-wrapper.local
+
+include allow-opengl-game.inc
+
+private-bin scorched3d-wrapper
+
+# Redirect
+include scorched3d.profile
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
new file mode 100644
index 000000000..77b3d8923
--- /dev/null
+++ b/etc/profile-m-z/scorched3d.profile
@@ -0,0 +1,50 @@
+# Firejail profile for scorched3d
+# Description: Game based loosely on the classic DOS game Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.scorched3d
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.scorched3d
+whitelist ${HOME}/.scorched3d
+whitelist /usr/share/scorched3d
+whitelist /usr/share/games/scorched3d
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorched3d,scorched3dc,scorched3ds
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
new file mode 100644
index 000000000..1069c34ea
--- /dev/null
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -0,0 +1,50 @@
+# Firejail profile for scorchwentbonkers
+# Description: Realtime remake of Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorchwentbonkers.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.swb.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.swb.ini
+whitelist ${HOME}/.swb.ini
+whitelist /usr/share/scorchwentbonkers
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorchwentbonkers
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scp.profile b/etc/profile-m-z/scp.profile
new file mode 100644
index 000000000..287b8029a
--- /dev/null
+++ b/etc/profile-m-z/scp.profile
@@ -0,0 +1,12 @@
+# Firejail profile for scp
+# Description: Secure shell copy
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include scp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ssh.profile
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
new file mode 100644
index 000000000..5cf60baea
--- /dev/null
+++ b/etc/profile-m-z/scribus.profile
@@ -0,0 +1,64 @@
+# Firejail profile for scribus
+# Description: Open Source Desktop Page Layout
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scribus.local
+# Persistent global definitions
+include globals.local
+
+# Support for PDF readers comes with Scribus 1.5 and higher
+noblacklist ${HOME}/.cache/okular
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/scribus
+noblacklist ${HOME}/.config/scribusrc
+noblacklist ${HOME}/.gimp*
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/scribus
+noblacklist ${HOME}/.scribus
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gimp*,gs,scribus
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile
new file mode 100644
index 000000000..81a7dc929
--- /dev/null
+++ b/etc/profile-m-z/sdat2img.profile
@@ -0,0 +1,44 @@
+# Firejail profile for sdat2img
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sdat2img.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-bin env,python*,sdat2img
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
new file mode 100644
index 000000000..af7d5eeac
--- /dev/null
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -0,0 +1,55 @@
+# Firejail profile for seahorse-adventures
+# Description: Help barbie the seahorse float on bubbles to the moon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-adventures.local
+# Persistent global definitions
+include globals.local
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,dash,python*,seahorse-adventures,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seahorse-daemon.profile b/etc/profile-m-z/seahorse-daemon.profile
new file mode 100644
index 000000000..6410da4d8
--- /dev/null
+++ b/etc/profile-m-z/seahorse-daemon.profile
@@ -0,0 +1,14 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
new file mode 100644
index 000000000..96ff74edf
--- /dev/null
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-tool
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-tool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# private-etc workaround for: #2877
+private-etc firejail,login.defs,passwd
+private-tmp
+
+# Redirect
+include seahorse.profile
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
new file mode 100644
index 000000000..94a27da87
--- /dev/null
+++ b/etc/profile-m-z/seahorse.profile
@@ -0,0 +1,70 @@
+# Firejail profile for seahorse
+# Description: GNOME application for managing PGP keys
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+
+noblacklist ${HOME}/.gnupg
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# whitelisting in ${HOME} breaks file encryption feature of nautilus.
+# Once #2882 is fixed this can be activated here and nowhitelisted in seahorse-tool.profile.
+#mkdir ${HOME}/.gnupg
+#mkdir ${HOME}/.ssh
+#whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.ssh
+whitelist /tmp/ssh-*
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/seahorse
+whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+writable-run-user
+
+dbus-user filter
+dbus-user.own org.gnome.seahorse
+dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-m-z/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile
new file mode 100644
index 000000000..f9cb08432
--- /dev/null
+++ b/etc/profile-m-z/seamonkey-bin.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for seamonkey
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seamonkey-bin.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include seamonkey.profile
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
new file mode 100644
index 000000000..807effbeb
--- /dev/null
+++ b/etc/profile-m-z/seamonkey.profile
@@ -0,0 +1,55 @@
+# Firejail profile for seamonkey
+# Description: SeaMonkey internet suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seamonkey.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+disable-mnt
+# private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
new file mode 100644
index 000000000..99ba11d30
--- /dev/null
+++ b/etc/profile-m-z/secret-tool.profile
@@ -0,0 +1,12 @@
+# Firejail profile for secret-tool
+# Description: Library for storing and retrieving passwords and other secrets
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include secret-tool.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gnome-keyring.profile
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
new file mode 100644
index 000000000..3c9ef3a86
--- /dev/null
+++ b/etc/profile-m-z/server.profile
@@ -0,0 +1,90 @@
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include server.local
+# Persistent global definitions
+include globals.local
+
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+
+noblacklist /sbin
+noblacklist /usr/sbin
+# noblacklist /var/opt
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
+caps
+# ipc-namespace
+machine-id
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+# nogroups
+noinput
+# nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+# protocol unix,inet,inet6,netlink
+seccomp
+# shell none
+
+disable-mnt
+private
+# private-bin program
+# private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives
+# private-lib
+# private-opt none
+private-tmp
+
+dbus-user none
+# dbus-system none
+
+# memory-deny-write-execute
+# read-only ${HOME}
+# writable-run-user
+# writable-var
+# writable-var-log
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile
new file mode 100644
index 000000000..7788974ce
--- /dev/null
+++ b/etc/profile-m-z/servo.profile
@@ -0,0 +1,49 @@
+# Firejail profile for servo
+# Description: The Servo Browser Engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include servo.local
+# Persistent global definitions
+include globals.local
+
+# Servo is usually installed inside $HOME
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Add the next lines to your servo.local to turn this into a whitelisting profile.
+# You will need to add a whitelist for the directory where servo is installed.
+#whitelist ${DOWNLOADS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin servo,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/sftp.profile b/etc/profile-m-z/sftp.profile
new file mode 100644
index 000000000..66dc2a57b
--- /dev/null
+++ b/etc/profile-m-z/sftp.profile
@@ -0,0 +1,12 @@
+# Firejail profile for sftp
+# Description: Secure file transport protocol
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sftp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include ssh.profile
diff --git a/etc/profile-m-z/sha1sum.profile b/etc/profile-m-z/sha1sum.profile
new file mode 100644
index 000000000..b2064b95d
--- /dev/null
+++ b/etc/profile-m-z/sha1sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha1sum
+# Description: compute and check SHA1 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha1sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha1sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha224sum.profile b/etc/profile-m-z/sha224sum.profile
new file mode 100644
index 000000000..cb26cc5ff
--- /dev/null
+++ b/etc/profile-m-z/sha224sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha224sum
+# Description: compute and check SHA224 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha224sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha224sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha256sum.profile b/etc/profile-m-z/sha256sum.profile
new file mode 100644
index 000000000..48944ebea
--- /dev/null
+++ b/etc/profile-m-z/sha256sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha256sum
+# Description: compute and check SHA256 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha256sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha256sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha384sum.profile b/etc/profile-m-z/sha384sum.profile
new file mode 100644
index 000000000..6d876daed
--- /dev/null
+++ b/etc/profile-m-z/sha384sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha384sum
+# Description: compute and check SHA384 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha384sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha384sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/sha512sum.profile b/etc/profile-m-z/sha512sum.profile
new file mode 100644
index 000000000..7ebaf3540
--- /dev/null
+++ b/etc/profile-m-z/sha512sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha512sum
+# Description: compute and check SHA512 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha512sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha512sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
new file mode 100644
index 000000000..f2469048f
--- /dev/null
+++ b/etc/profile-m-z/shellcheck.profile
@@ -0,0 +1,54 @@
+# Firejail profile for shellcheck
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include shellcheck.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/shellcheck
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
new file mode 100644
index 000000000..0bcf5f693
--- /dev/null
+++ b/etc/profile-m-z/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
new file mode 100644
index 000000000..e5dbf5c5f
--- /dev/null
+++ b/etc/profile-m-z/shotcut.profile
@@ -0,0 +1,38 @@
+# Firejail profile for shotcut
+# Description: A free, open source, cross-platform video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotcut.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/Meltytech
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin melt,nice,qmelt,shotcut
+private-cache
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
new file mode 100644
index 000000000..b6a828636
--- /dev/null
+++ b/etc/profile-m-z/shotwell.profile
@@ -0,0 +1,60 @@
+# Firejail profile for shotwell
+# Description: A digital photo organizer designed for the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotwell.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/shotwell
+noblacklist ${HOME}/.local/share/shotwell
+
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/shotwell
+mkdir ${HOME}/.local/share/shotwell
+whitelist ${HOME}/.cache/shotwell
+whitelist ${HOME}/.local/share/shotwell
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin shotwell
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-opt none
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Shotwell
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
+dbus-system none
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
new file mode 100644
index 000000000..24f1464f9
--- /dev/null
+++ b/etc/profile-m-z/signal-cli.profile
@@ -0,0 +1,51 @@
+# Firejail profile for signal-cli
+# Description: signal-cli provides a commandline and dbus interface for signalapp/libsignal-service-java
+# This file is overwritten after every install/update
+# Persistent local customizations
+include signal-cli.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.local/share/signal-cli
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/signal-cli
+whitelist ${HOME}/.local/share/signal-cli
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin java,sh,signal-cli
+private-cache
+private-dev
+# Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
+#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
new file mode 100644
index 000000000..77a7f5b38
--- /dev/null
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -0,0 +1,30 @@
+# Firejail profile for signal-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include signal-desktop.local
+# Persistent global definitions
+include globals.local
+
+ignore novideo
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Signal
+
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+mkdir ${HOME}/.config/Signal
+whitelist ${HOME}/.config/Signal
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+
+# allow D-Bus notifications
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
new file mode 100644
index 000000000..4351a4d43
--- /dev/null
+++ b/etc/profile-m-z/silentarmy.profile
@@ -0,0 +1,40 @@
+# Firejail profile for silentarmy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include silentarmy.local
+# Persistent global definitions
+include globals.local
+
+
+include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin python*,sa-solver,silentarmy
+private-dev
+private-opt none
+private-tmp
+
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
new file mode 100644
index 000000000..b0ab0d039
--- /dev/null
+++ b/etc/profile-m-z/simple-scan.profile
@@ -0,0 +1,41 @@
+# Firejail profile for simple-scan
+# Description: Simple Scanning Utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simple-scan.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/simple-scan
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/hplip
+whitelist /usr/share/simple-scan
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioperm system calls breaks simple-scan
+seccomp !ioperm
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+# private-tmp
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
new file mode 100644
index 000000000..03a350327
--- /dev/null
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -0,0 +1,39 @@
+# Firejail profile for simplescreenrecorder
+# Description: A feature-rich screen recorder that supports X11 and OpenGL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simplescreenrecorder.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.ssr
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/simplescreenrecorder
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
new file mode 100644
index 000000000..55e472dbe
--- /dev/null
+++ b/etc/profile-m-z/simutrans.profile
@@ -0,0 +1,42 @@
+# Firejail profile for simutrans
+# Description: Transportation simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include simutrans.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.simutrans
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.simutrans
+whitelist ${HOME}/.simutrans
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+# private-bin simutrans
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
new file mode 100644
index 000000000..4965d3882
--- /dev/null
+++ b/etc/profile-m-z/skanlite.profile
@@ -0,0 +1,36 @@
+# Firejail profile for skanlite
+# Description: Image scanner based on the KSane backend
+# This file is overwritten after every install/update
+# Persistent local customizations
+include skanlite.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioperm system calls breaks skanlite
+seccomp !ioperm
+shell none
+
+# private-bin kbuildsycoca4,kdeinit4,skanlite
+# private-dev
+# private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
new file mode 100644
index 000000000..ed04eda8e
--- /dev/null
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -0,0 +1,29 @@
+# Firejail profile for skypeforlinux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include skypeforlinux.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore whitelist ${DOWNLOADS}
+ignore include whitelist-common.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore nou2f
+ignore novideo
+ignore private-dev
+ignore dbus-user none
+ignore dbus-system none
+
+# breaks Skype
+ignore apparmor
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/skypeforlinux
+
+# private-dev - needs /dev/disk
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
new file mode 100644
index 000000000..51f6c8b00
--- /dev/null
+++ b/etc/profile-m-z/slack.profile
@@ -0,0 +1,32 @@
+# Firejail profile for slack
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slack.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore apparmor
+ignore novideo
+ignore private-tmp
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Slack
+
+include allow-bin-sh.inc
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
new file mode 100644
index 000000000..bebf77ccc
--- /dev/null
+++ b/etc/profile-m-z/slashem.profile
@@ -0,0 +1,47 @@
+# Firejail profile for slashem
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slashem.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/games/slashem
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /var/games/slashem
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
new file mode 100644
index 000000000..7c1e18ac3
--- /dev/null
+++ b/etc/profile-m-z/smplayer.profile
@@ -0,0 +1,55 @@
+# Firejail profile for smplayer
+# Description: Complete front-end for MPlayer and mpv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.mplayer
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/lua*
+whitelist /usr/share/smplayer
+whitelist /usr/share/vulkan
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin env,mplayer,mpv,python*,smplayer,smtube,waf,youtube-dl
+private-dev
+private-tmp
+
+# problems with KDE
+# dbus-user none
+# dbus-system none
diff --git a/etc/smtube.profile b/etc/profile-m-z/smtube.profile
index 2694dd5b0..65e6d38e4 100644
--- a/etc/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -1,9 +1,10 @@
 # Firejail profile for smtube
+# Description: YouTube videos browser
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/smtube.local
+include smtube.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/smtube
@@ -11,18 +12,30 @@ noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/vlc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
+whitelist /usr/share/smplayer
+whitelist /usr/share/smtube
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 nodvd
 notv
+nou2f
 novideo
 nogroups
+noinput
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -33,5 +46,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
new file mode 100644
index 000000000..31d14924c
--- /dev/null
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -0,0 +1,55 @@
+# Firejail profile for smuxi-frontend-gnome
+# Description: Multi protocol chat client with Twitter support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smuxi-frontend-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/smuxi
+noblacklist ${HOME}/.config/smuxi
+noblacklist ${HOME}/.local/share/smuxi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/smuxi
+mkdir ${HOME}/.config/smuxi
+mkdir ${HOME}/.local/share/smuxi
+whitelist ${HOME}/.cache/smuxi
+whitelist ${HOME}/.config/smuxi
+whitelist ${HOME}/.local/share/smuxi
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
new file mode 100644
index 000000000..83493652c
--- /dev/null
+++ b/etc/profile-m-z/snox.profile
@@ -0,0 +1,24 @@
+# Firejail profile for snox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include snox.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/snox
+noblacklist ${HOME}/.config/snox
+
+#mkdir ${HOME}/.cache/dnox
+#mkdir ${HOME}/.config/dnox
+mkdir ${HOME}/.cache/snox
+mkdir ${HOME}/.config/snox
+whitelist ${HOME}/.cache/snox
+whitelist ${HOME}/.config/snox
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/soffice.profile b/etc/profile-m-z/soffice.profile
new file mode 100644
index 000000000..f7f86c33c
--- /dev/null
+++ b/etc/profile-m-z/soffice.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include soffice.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include libreoffice.profile
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
new file mode 100644
index 000000000..47468a531
--- /dev/null
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -0,0 +1,50 @@
+# Firejail profile for softmaker-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include softmaker-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# The official packages install the desktop file under /usr/local/share/applications
+# with an absolute Exec line. These files are NOT handled by firecfg,
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
+
+noblacklist ${HOME}/SoftMaker
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+whitelist /usr/share/office2018
+whitelist /usr/share/freeoffice2018
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
new file mode 100644
index 000000000..0af88e048
--- /dev/null
+++ b/etc/profile-m-z/sol.profile
@@ -0,0 +1,47 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sol.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# all necessary files in $HOME are in whitelist-common.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+# no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin sol
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
new file mode 100644
index 000000000..4c37ece8a
--- /dev/null
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
new file mode 100644
index 000000000..e5ff26327
--- /dev/null
+++ b/etc/profile-m-z/soundconverter.profile
@@ -0,0 +1,50 @@
+# Firejail profile for soundconverter
+# Description: GNOME application to convert audio files into other formats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include soundconverter.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist /usr/share/soundconverter
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
new file mode 100644
index 000000000..d803fa5ce
--- /dev/null
+++ b/etc/profile-m-z/spectacle.profile
@@ -0,0 +1,68 @@
+# Firejail profile for spectacle
+# Description: Spectacle is a simple application for capturing desktop screenshots.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectacle.local
+# Persistent global definitions
+include globals.local
+
+# Add the next lines to your spectacle.local to use sharing services.
+#netfilter
+#ignore net none
+#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#protocol unix,inet,inet6
+
+noblacklist ${HOME}/.config/spectaclerc
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile  ${HOME}/.config/spectaclerc
+whitelist ${HOME}/.config/spectaclerc
+whitelist ${PICTURES}
+whitelist /usr/share/kconf_update/spectacle_newConfig.upd
+whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin spectacle
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.spectacle
+dbus-user.own org.kde.Spectacle
+dbus-user.talk org.freedesktop.FileManager1
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kglobalaccel
+dbus-system none
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
new file mode 100644
index 000000000..5f17b73dc
--- /dev/null
+++ b/etc/profile-m-z/spectral.profile
@@ -0,0 +1,58 @@
+# Firejail profile for spectral
+# Description: Desktop client for Matrix
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectral.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/ENCOM/Spectral
+noblacklist ${HOME}/.config/ENCOM
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ENCOM/Spectral
+mkdir ${HOME}/.config/ENCOM
+whitelist ${HOME}/.cache/ENCOM/Spectral
+whitelist ${HOME}/.config/ENCOM
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-bin spectral
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+# Add the next lines to your spectral.local to enable notification support.
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
new file mode 100644
index 000000000..19d7f8ae3
--- /dev/null
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -0,0 +1,52 @@
+# Firejail profile for spectre-meltdown-checker
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include spectre-meltdown-checker.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/umount
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+allow-debuggers
+caps.keep sys_rawio
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+nosound
+notv
+novideo
+protocol unix
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@reboot,@resources,@swap
+shell none
+x11 none
+
+disable-mnt
+private
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-cache
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
new file mode 100644
index 000000000..ffee76d23
--- /dev/null
+++ b/etc/profile-m-z/spotify.profile
@@ -0,0 +1,54 @@
+# Firejail profile for spotify
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spotify.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/spotify
+noblacklist ${HOME}/.config/spotify
+noblacklist ${HOME}/.local/share/spotify
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/spotify
+mkdir ${HOME}/.config/spotify
+mkdir ${HOME}/.local/share/spotify
+whitelist ${HOME}/.cache/spotify
+whitelist ${HOME}/.config/spotify
+whitelist ${HOME}/.local/share/spotify
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
+private-dev
+# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-opt spotify
+private-srv none
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
new file mode 100644
index 000000000..e35f74404
--- /dev/null
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -0,0 +1,52 @@
+# Firejail profile for sqlitebrowser
+# Description: GUI editor for SQLite databases
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sqlitebrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sqlitebrowser
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+private-bin sqlitebrowser
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-tmp
+
+# breaks proxy creation
+# dbus-user none
+# dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index fa5728d9b..11723664f 100644
--- a/etc/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -2,21 +2,21 @@
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
-include /etc/firejail/ssh-agent.local
+include ssh-agent.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
-noblacklist /etc/ssh
-noblacklist /tmp/ssh-*
-noblacklist ~/.ssh
+include disable-common.inc
+include disable-programs.inc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include whitelist-usr-share-common.inc
 
-shell none
 caps.drop all
 netfilter
 no3d
@@ -24,6 +24,13 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+
 writable-run-user
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
new file mode 100644
index 000000000..9295013e7
--- /dev/null
+++ b/etc/profile-m-z/ssh.profile
@@ -0,0 +1,53 @@
+# Firejail profile for ssh
+# Description: Secure shell client and server
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ssh.local
+# Persistent global definitions
+include globals.local
+
+# nc can be used as ProxyCommand, e.g. when using tor
+noblacklist ${PATH}/nc
+noblacklist ${PATH}/ncat
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
+whitelist ${RUNUSER}/keyring/ssh
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+# noroot - see issue #1543
+nosound
+notv
+# nou2f - OpenSSH >= 8.2 supports U2F
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# private-tmp # Breaks when exiting
+writable-run-user
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
new file mode 100644
index 000000000..d54ddacdd
--- /dev/null
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for standardnotes-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include standardnotes-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/Standard Notes Backups
+noblacklist ${HOME}/.config/Standard Notes
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/Standard Notes Backups
+mkdir ${HOME}/.config/Standard Notes
+whitelist ${HOME}/Standard Notes Backups
+whitelist ${HOME}/.config/Standard Notes
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+disable-mnt
+private-dev
+private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
new file mode 100644
index 000000000..2f73c9fee
--- /dev/null
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -0,0 +1,76 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include start-tor-browser.desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser*
+
+whitelist ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-tw
+
+whitelist ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile
new file mode 100644
index 000000000..17ceedee7
--- /dev/null
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile for start-tor-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include start-tor-browser.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include start-tor-browser.desktop.profile
diff --git a/etc/profile-m-z/steam-native.profile b/etc/profile-m-z/steam-native.profile
new file mode 100644
index 000000000..6b4281c5c
--- /dev/null
+++ b/etc/profile-m-z/steam-native.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for steam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include steam-native.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include steam.profile
diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile
new file mode 100644
index 000000000..a7e128d40
--- /dev/null
+++ b/etc/profile-m-z/steam-runtime.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for steam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include steam-runtime.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include steam.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
new file mode 100644
index 000000000..dfefd7c2c
--- /dev/null
+++ b/etc/profile-m-z/steam.profile
@@ -0,0 +1,165 @@
+# Firejail profile for steam
+# Description: Valve's Steam digital software delivery system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include steam.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Epic
+noblacklist ${HOME}/.config/Loop_Hero
+noblacklist ${HOME}/.config/ModTheSpire
+noblacklist ${HOME}/.config/RogueLegacy
+noblacklist ${HOME}/.config/RogueLegacyStorageContainer
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.klei
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/bohemiainteractive
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/Dredmor
+noblacklist ${HOME}/.local/share/FasterThanLight
+noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/Paradox Interactive
+noblacklist ${HOME}/.local/share/PillarsOfEternity
+noblacklist ${HOME}/.local/share/RogueLegacy
+noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/SteamWorldDig
+noblacklist ${HOME}/.local/share/SteamWorld Dig 2
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.mbwarband
+noblacklist ${HOME}/.paradoxinteractive
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.steampath
+noblacklist ${HOME}/.steampid
+# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
+noblacklist /sbin
+noblacklist /usr/sbin
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/Epic
+mkdir ${HOME}/.config/Loop_Hero
+mkdir ${HOME}/.config/ModTheSpire
+mkdir ${HOME}/.config/RogueLegacy
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.killingfloor
+mkdir ${HOME}/.klei
+mkdir ${HOME}/.local/share/3909/PapersPlease
+mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/bohemiainteractive
+mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/Dredmor
+mkdir ${HOME}/.local/share/FasterThanLight
+mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/IntoTheBreach
+mkdir ${HOME}/.local/share/Paradox Interactive
+mkdir ${HOME}/.local/share/PillarsOfEternity
+mkdir ${HOME}/.local/share/RogueLegacy
+mkdir ${HOME}/.local/share/Steam
+mkdir ${HOME}/.local/share/SteamWorldDig
+mkdir ${HOME}/.local/share/SteamWorld Dig 2
+mkdir ${HOME}/.local/share/SuperHexagon
+mkdir ${HOME}/.local/share/Terraria
+mkdir ${HOME}/.local/share/vpltd
+mkdir ${HOME}/.local/share/vulkan
+mkdir ${HOME}/.mbwarband
+mkdir ${HOME}/.paradoxinteractive
+mkdir ${HOME}/.steam
+mkfile ${HOME}/.steampath
+mkfile ${HOME}/.steampid
+whitelist ${HOME}/.config/Epic
+whitelist ${HOME}/.config/Loop_Hero
+whitelist ${HOME}/.config/ModTheSpire
+whitelist ${HOME}/.config/RogueLegacy
+whitelist ${HOME}/.config/RogueLegacyStorageContainer
+whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.killingfloor
+whitelist ${HOME}/.klei
+whitelist ${HOME}/.local/share/3909/PapersPlease
+whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/bohemiainteractive
+whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/Dredmor
+whitelist ${HOME}/.local/share/FasterThanLight
+whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/IntoTheBreach
+whitelist ${HOME}/.local/share/Paradox Interactive
+whitelist ${HOME}/.local/share/PillarsOfEternity
+whitelist ${HOME}/.local/share/RogueLegacy
+whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
+whitelist ${HOME}/.local/share/Steam
+whitelist ${HOME}/.local/share/SteamWorldDig
+whitelist ${HOME}/.local/share/SteamWorld Dig 2
+whitelist ${HOME}/.local/share/SuperHexagon
+whitelist ${HOME}/.local/share/Terraria
+whitelist ${HOME}/.local/share/vpltd
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.mbwarband
+whitelist ${HOME}/.paradoxinteractive
+whitelist ${HOME}/.steam
+whitelist ${HOME}/.steampath
+whitelist ${HOME}/.steampid
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+# NOTE: The following were intentionally left out as they are alternative
+# (i.e.: unnecessary and/or legacy) paths whose existence may potentially
+# clobber other paths (see #4225).  If you use any, either add the entry to
+# steam.local or move the contents to a path listed above (or open an issue if
+# it's missing above).
+#mkdir ${HOME}/.config/RogueLegacyStorageContainer
+#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer
+
+caps.drop all
+#ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+# If you use nVidia you might need to add 'ignore noroot' to your steam.local.
+noroot
+notv
+nou2f
+# For VR support add 'ignore novideo' to your steam.local.
+novideo
+protocol unix,inet,inet6,netlink
+# seccomp sometimes causes issues (see #2951, #3267).
+# Add 'ignore seccomp' to your steam.local if you experience this.
+seccomp !ptrace
+shell none
+# tracelog breaks integrated browser
+#tracelog
+
+# private-bin is disabled while in testing, but is known to work with multiple games.
+# Add the next line to your steam.local to enable private-bin.
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+# Extra programs are available which might be needed for select games.
+# Add the next line to your steam.local to enable support for these programs.
+#private-bin java,java-config,mono
+# To view screenshots add the next line to your steam.local.
+#private-bin eog,eom,gthumb,pix,viewnior,xviewer
+
+private-dev
+# private-etc breaks a small selection of games on some systems. Add 'ignore private-etc'
+# to your steam.local to support those.
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
new file mode 100644
index 000000000..d2ebce45f
--- /dev/null
+++ b/etc/profile-m-z/stellarium.profile
@@ -0,0 +1,46 @@
+# Firejail profile for stellarium
+# Description: Real-time photo-realistic sky generator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include stellarium.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/stellarium
+noblacklist ${HOME}/.stellarium
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.config/stellarium
+mkdir ${HOME}/.stellarium
+whitelist ${HOME}/.config/stellarium
+whitelist ${HOME}/.stellarium
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin stellarium
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
new file mode 100644
index 000000000..d73927f2a
--- /dev/null
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for straw-viewer
+# Description: Fork of youtube-viewer acts like an invidious frontend
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include straw-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
+
+mkdir ${HOME}/.config/straw-viewer
+mkdir ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
+
+private-bin gtk-straw-viewer,straw-viewer
+
+# Redirect
+include youtube-viewers-common.profile
\ No newline at end of file
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
new file mode 100644
index 000000000..dfb0a3e3b
--- /dev/null
+++ b/etc/profile-m-z/strawberry.profile
@@ -0,0 +1,49 @@
+# Firejail profile for strawberry
+# Description: A music player and music collection organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include strawberry.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/strawberry
+noblacklist ${HOME}/.config/strawberry
+noblacklist ${HOME}/.local/share/strawberry
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioprio_set system calls breaks strawberry
+seccomp !ioprio_set
+shell none
+tracelog
+
+disable-mnt
+private-bin strawberry,strawberry-tagreader
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
new file mode 100644
index 000000000..9298e6614
--- /dev/null
+++ b/etc/profile-m-z/strings.profile
@@ -0,0 +1,57 @@
+# Firejail profile for strings
+# Description: print the strings of printable characters in files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include strings.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+#include disable-programs.inc
+include disable-shell.inc
+#include disable-xdg.inc
+
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+#private
+#private-bin strings
+private-cache
+private-dev
+#private-etc alternatives
+#private-lib libfakeroot
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/studio.sh.profile b/etc/profile-m-z/studio.sh.profile
new file mode 100644
index 000000000..8df11eef2
--- /dev/null
+++ b/etc/profile-m-z/studio.sh.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Android Studio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include studio.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include android-studio.profile
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
new file mode 100644
index 000000000..100ac9d14
--- /dev/null
+++ b/etc/profile-m-z/subdownloader.profile
@@ -0,0 +1,53 @@
+# Firejail profile for subdownloader
+# Description: Automatic download/upload of subtitles using fast hashing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include subdownloader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/SubDownloader
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/sum.profile b/etc/profile-m-z/sum.profile
new file mode 100644
index 000000000..cd73af919
--- /dev/null
+++ b/etc/profile-m-z/sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sum
+# Description: checksum and count the blocks in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sum
+
+# Redirect
+include hasher-common.profile
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
new file mode 100644
index 000000000..0e9113821
--- /dev/null
+++ b/etc/profile-m-z/supertux2.profile
@@ -0,0 +1,53 @@
+# Firejail profile for supertux2
+# Description: Jump'n run like game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertux2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/supertux2
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/supertux2
+whitelist ${HOME}/.local/share/supertux2
+whitelist /usr/share/supertux2
+whitelist /usr/share/games/supertux2    # Debian version
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+# private-bin supertux2
+private-cache
+private-etc machine-id
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/supertuxkart-wrapper.profile b/etc/profile-m-z/supertuxkart-wrapper.profile
new file mode 100644
index 000000000..af8d73deb
--- /dev/null
+++ b/etc/profile-m-z/supertuxkart-wrapper.profile
@@ -0,0 +1,14 @@
+# Firejail profile for supertuxkart-wrapper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertuxkart-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-opengl-game.inc
+
+private-bin supertuxkart-wrapper
+
+# Redirect
+include supertuxkart.profile
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
new file mode 100644
index 000000000..7ba7e7023
--- /dev/null
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -0,0 +1,63 @@
+# Firejail profile for supertuxkart
+# Description: Free kart racing game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include supertuxkart.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/supertuxkart
+noblacklist ${HOME}/.cache/supertuxkart
+noblacklist ${HOME}/.local/share/supertuxkart
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/supertuxkart
+mkdir ${HOME}/.cache/supertuxkart
+mkdir ${HOME}/.local/share/supertuxkart
+whitelist ${HOME}/.config/supertuxkart
+whitelist ${HOME}/.cache/supertuxkart
+whitelist ${HOME}/.local/share/supertuxkart
+whitelist /usr/share/supertuxkart
+whitelist /usr/share/games/supertuxkart # Debian version
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,bluetooth
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin supertuxkart
+private-cache
+# Add the next line to your supertuxkart.local if you do not need controller support.
+#private-dev
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-tmp
+private-opt none
+private-srv none
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
new file mode 100644
index 000000000..7c092fccc
--- /dev/null
+++ b/etc/profile-m-z/surf.profile
@@ -0,0 +1,39 @@
+# Firejail profile for surf
+# Description: Simple web browser by suckless community
+# This file is overwritten after every install/update
+# Persistent local customizations
+include surf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.surf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.surf
+whitelist ${HOME}/.surf
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+private-tmp
+
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
new file mode 100644
index 000000000..621622043
--- /dev/null
+++ b/etc/profile-m-z/sushi.profile
@@ -0,0 +1,48 @@
+# Firejail profile for sushi
+# Description: A quick previewer for Nautilus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sushi.local
+# Persistent global definitions
+include globals.local
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gjs,sushi
+private-dev
+private-tmp
+
+dbus-system none
+
+read-only /
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media
+read-only ${HOME}
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
new file mode 100644
index 000000000..4637419bf
--- /dev/null
+++ b/etc/profile-m-z/sway.profile
@@ -0,0 +1,19 @@
+# Firejail profile for Sway
+# Description: i3-compatible Wayland compositor 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sway.local
+# Persistent global definitions
+include globals.local
+
+# all applications started in sway will run in this profile
+noblacklist ${HOME}/.config/sway
+# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
+noblacklist ${HOME}/.config/i3
+include disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/profile-m-z/swell-foop.profile b/etc/profile-m-z/swell-foop.profile
new file mode 100644
index 000000000..9efae815d
--- /dev/null
+++ b/etc/profile-m-z/swell-foop.profile
@@ -0,0 +1,21 @@
+# Firejail profile for swell-foop
+# Description: GNOME colored tiles puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include swell-foop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/swell-foop
+
+mkdir ${HOME}/.local/share/swell-foop
+whitelist ${HOME}/.local/share/swell-foop
+
+whitelist /usr/share/swell-foop
+
+private-bin swell-foop
+
+dbus-user.own org.gnome.SwellFoop
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
new file mode 100644
index 000000000..328812b04
--- /dev/null
+++ b/etc/profile-m-z/sylpheed.profile
@@ -0,0 +1,26 @@
+# Firejail profile for sylpheed
+# Description: Light weight e-mail client with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sylpheed.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.sylpheed-2.0
+
+mkdir ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
+
+whitelist /usr/share/sylpheed
+
+# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# Add the next line to your sylpheed.local to enable notifications.
+# dbus-user.talk org.freedesktop.Notifications
+
+# Redirect
+include email-common.profile
diff --git a/etc/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index 2617c0e51..7f23992a8 100644
--- a/etc/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -1,34 +1,39 @@
 # Firejail profile for synfigstudio
+# Description: Vector-based 2D animation package
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/synfigstudio.local
+include synfigstudio.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
 shell none
 
-#private-bin synfigstudio,synfig,ffmpeg
+#private-bin ffmpeg,synfig,synfigstudio
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/sysprof-cli.profile b/etc/profile-m-z/sysprof-cli.profile
new file mode 100644
index 000000000..8f4de130b
--- /dev/null
+++ b/etc/profile-m-z/sysprof-cli.profile
@@ -0,0 +1,20 @@
+# Firejail profile for sysprof-cli
+# Description: Kernel based performance profiler (CLI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sysprof-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# There is no GUI help menu to break in the CLI version
+private-bin sysprof-cli
+private-lib
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+
+# Redirect
+include sysprof.profile
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
new file mode 100644
index 000000000..ac4a380bb
--- /dev/null
+++ b/etc/profile-m-z/sysprof.profile
@@ -0,0 +1,77 @@
+# Firejail profile for sysprof
+# Description: Kernel based performance profiler (GUI)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sysprof.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Add the next lines to your sysprof.local if you don't need (yelp) help menu functionality.
+#ignore noblacklist ${HOME}/.config/yelp
+#ignore mkdir ${HOME}/.config/yelp
+#nowhitelist ${HOME}/.config/yelp
+#nowhitelist /usr/share/help/C/sysprof
+#nowhitelist /usr/share/yelp
+#nowhitelist /usr/share/yelp-tools
+#nowhitelist /usr/share/yelp-xsl
+
+noblacklist ${HOME}/.config/yelp
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/share/help/C/sysprof
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
+whitelist /usr/share/yelp-xsl
+
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+# Some older Debian/Ubuntu sysprof versions need root privileges.
+# Add 'ignore noroot' to your sysprof.local if you run one of these.
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private-bin sysprof - breaks help menu
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
+# private-lib - breaks help menu
+#private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Shell
+dbus-user.own org.gnome.Yelp
+dbus-user.own org.gnome.Sysprof3
+dbus-user.talk ca.desrt.dconf
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
new file mode 100644
index 000000000..0d3a900e9
--- /dev/null
+++ b/etc/profile-m-z/tar.profile
@@ -0,0 +1,23 @@
+# Firejail profile for tar
+# Description: GNU version of the tar archiving utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tar.local
+# Persistent global definitions
+include globals.local
+
+# Included in archiver-common.profile
+ignore include disable-shell.inc
+
+# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
+# all capabilities this is automatically read-only.
+noblacklist /var/lib/pacman
+
+private-etc alternatives,group,localtime,login.defs,passwd
+#private-lib libfakeroot,liblzma.so.*,libreadline.so.*
+# Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
+writable-var
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-m-z/tb-starter-wrapper.profile b/etc/profile-m-z/tb-starter-wrapper.profile
new file mode 100644
index 000000000..ffe9605b6
--- /dev/null
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
@@ -0,0 +1,19 @@
+# Firejail profile for tb-starter-wrapper
+# Description: wrapper-script used by whonix to start the tor browser
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tb-starter-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tb
+
+mkdir ${HOME}/.tb
+whitelist ${HOME}/.tb
+
+private-bin tb-starter-wrapper
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
new file mode 100644
index 000000000..57301a54d
--- /dev/null
+++ b/etc/profile-m-z/tcpdump.profile
@@ -0,0 +1,46 @@
+# Firejail profile for tcpdump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tcpdump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+noblacklist ${PATH}/tcpdump
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+
+apparmor
+caps.keep net_raw
+ipc-namespace
+#net tun0
+netfilter
+no3d
+nodvd
+#nogroups
+noinput
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink,packet,bluetooth
+seccomp
+
+disable-mnt
+#private
+#private-bin tcpdump
+private-dev
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
new file mode 100644
index 000000000..c97921d92
--- /dev/null
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -0,0 +1,26 @@
+# Firejail profile for teams-for-linux
+# Description: Unofficial Microsoft Teams client for Linux using Electron.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teams-for-linux.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/teams-for-linux
+
+mkdir ${HOME}/.config/teams-for-linux
+whitelist ${HOME}/.config/teams-for-linux
+
+private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
new file mode 100644
index 000000000..c8d98cbaa
--- /dev/null
+++ b/etc/profile-m-z/teams.profile
@@ -0,0 +1,30 @@
+# Firejail profile for teams
+# Description: Official Microsoft Teams client for Linux using Electron.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teams.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore novideo
+ignore private-tmp
+
+# see #3404
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/teams
+noblacklist ${HOME}/.config/Microsoft
+
+mkdir ${HOME}/.config/teams
+mkdir ${HOME}/.config/Microsoft
+whitelist ${HOME}/.config/teams
+whitelist ${HOME}/.config/Microsoft
+
+# Redirect
+include electron.profile
diff --git a/etc/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 86f96ba50..c149473f6 100644
--- a/etc/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -1,21 +1,24 @@
 # Firejail profile for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/teamspeak3.local
+include teamspeak3.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.ts3client
+noblacklist ${PATH}/openssl
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.ts3client
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.ts3client
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 ipc-namespace
@@ -23,17 +26,17 @@ netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
-protocol unix,inet,inet6
-seccomp
+protocol unix,inet,inet6,netlink
+seccomp !chroot
 shell none
 
 disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
new file mode 100644
index 000000000..df54fb9ba
--- /dev/null
+++ b/etc/profile-m-z/teeworlds.profile
@@ -0,0 +1,47 @@
+# Firejail profile for teeworlds
+# Description: Online multi-player platform 2D shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teeworlds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.teeworlds
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.teeworlds
+whitelist ${HOME}/.teeworlds
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin teeworlds
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
new file mode 100644
index 000000000..7463b761f
--- /dev/null
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for telegram
+# Description: Official Telegram Desktop client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include telegram-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include telegram.profile
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
new file mode 100644
index 000000000..115be54eb
--- /dev/null
+++ b/etc/profile-m-z/telegram.profile
@@ -0,0 +1,56 @@
+# Firejail profile for telegram
+# This file is overwritten after every install/update
+# Persistent local customizations
+include telegram.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.TelegramDesktop
+noblacklist ${HOME}/.local/share/TelegramDesktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.TelegramDesktop
+mkdir ${HOME}/.local/share/TelegramDesktop
+whitelist ${HOME}/.TelegramDesktop
+whitelist ${HOME}/.local/share/TelegramDesktop
+whitelist ${DOWNLOADS}
+whitelist /usr/share/TelegramDesktop
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+#private-bin telegram,Telegram,telegram-desktop
+private-cache
+private-dev
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.telegram.desktop.*
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-system none
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
new file mode 100644
index 000000000..0f6691b49
--- /dev/null
+++ b/etc/profile-m-z/terasology.profile
@@ -0,0 +1,48 @@
+# Firejail profile for terasology
+# This file is overwritten after every install/update
+# Persistent local customizations
+include terasology.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.local/share/terasology
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.local/share/terasology
+whitelist ${HOME}/.java
+whitelist ${HOME}/.local/share/terasology
+include whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/tex.profile b/etc/profile-m-z/tex.profile
new file mode 100644
index 000000000..f56c3038e
--- /dev/null
+++ b/etc/profile-m-z/tex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for tex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tex.local
+# Persistent global definitions
+include globals.local
+
+private-bin tex
+
+# Redirect
+include latex-common.profile
+
diff --git a/etc/profile-m-z/textmaker18.profile b/etc/profile-m-z/textmaker18.profile
new file mode 100644
index 000000000..e5a4b6454
--- /dev/null
+++ b/etc/profile-m-z/textmaker18.profile
@@ -0,0 +1,11 @@
+# Firejail profile for textmaker18
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
+
diff --git a/etc/profile-m-z/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile
new file mode 100644
index 000000000..0e918bf0a
--- /dev/null
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -0,0 +1,11 @@
+# Firejail profile for textmaker18free
+# Description: SoftMaker Office - word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include textmaker18free.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include softmaker-common.profile
+
diff --git a/etc/profile-m-z/thunar.profile b/etc/profile-m-z/thunar.profile
new file mode 100644
index 000000000..984c5579f
--- /dev/null
+++ b/etc/profile-m-z/thunar.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for Thunar
+# Description: Modern file manager for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include Thunar.profile
diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
new file mode 100644
index 000000000..46a1e57c8
--- /dev/null
+++ b/etc/profile-m-z/thunderbird-beta.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for thunderbird-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird-beta.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-opt thunderbird-beta
+
+# Redirect
+include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird-wayland.profile b/etc/profile-m-z/thunderbird-wayland.profile
new file mode 100644
index 000000000..9fbb80d29
--- /dev/null
+++ b/etc/profile-m-z/thunderbird-wayland.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for thunderbird-wayland
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird-wayland.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include thunderbird.profile
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
new file mode 100644
index 000000000..b66b81fdf
--- /dev/null
+++ b/etc/profile-m-z/thunderbird.profile
@@ -0,0 +1,63 @@
+# Firejail profile for thunderbird
+# Description: Email, RSS and newsgroup client with integrated spam filter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include thunderbird.local
+# Persistent global definitions
+include globals.local
+
+ignore include whitelist-runuser-common.inc
+
+# writable-run-user and dbus are needed by enigmail
+ignore dbus-user none
+ignore dbus-system none
+writable-run-user
+
+# If you want to read local mail stored in /var/mail edit /etc/apparmor.d/firejail-default accordingly
+# and add the following to thunderbird.local:
+#noblacklist /var/mail
+#noblacklist /var/spool/mail
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
+
+# These lines are needed to allow Firefox to load your profile when clicking a link in an email
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+noblacklist ${HOME}/.cache/thunderbird
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.icedove
+noblacklist ${HOME}/.thunderbird
+
+include disable-xdg.inc
+
+# If you have setup Thunderbird to archive emails to a local folder,
+# make sure you add the path to that folder to the mkdir and whitelist
+# rules below. Otherwise they will be deleted when you close Thunderbird.
+# See https://github.com/netblue30/firejail/issues/2357
+mkdir ${HOME}/.cache/thunderbird
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.icedove
+mkdir ${HOME}/.thunderbird
+whitelist ${HOME}/.cache/thunderbird
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.icedove
+whitelist ${HOME}/.thunderbird
+
+whitelist /usr/share/gnupg
+whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
+#machine-id
+novideo
+
+# We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
+ignore private-tmp
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
new file mode 100644
index 000000000..7c18aab50
--- /dev/null
+++ b/etc/profile-m-z/tilp.profile
@@ -0,0 +1,35 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tilp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tilp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tilp
+private-cache
+private-etc alternatives,fonts
+private-tmp
+
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..039063c1e
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,68 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
new file mode 100644
index 000000000..1e783d2b9
--- /dev/null
+++ b/etc/profile-m-z/tmux.profile
@@ -0,0 +1,45 @@
+# Firejail profile for tmux
+# Description: terminal multiplexer
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tmux.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist /tmp/tmux-*
+
+# include disable-common.inc
+# include disable-devel.inc
+# include disable-exec.inc
+# include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# private-cache
+private-dev
+# private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
new file mode 100644
index 000000000..59f1bc3b1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-ar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-ar
+
+mkdir ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ar
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
new file mode 100644
index 000000000..68577e352
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-ca.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
new file mode 100644
index 000000000..33e51fcd0
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-cs.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-cs
+
+mkdir ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
new file mode 100644
index 000000000..440bb7fc3
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-da.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-da
+
+mkdir ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
new file mode 100644
index 000000000..b2b98cf82
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-de.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-de
+
+mkdir ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
new file mode 100644
index 000000000..626757dd5
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-el.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-el
+
+mkdir ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
new file mode 100644
index 000000000..15e690748
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-en-us.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-en-us
+
+mkdir ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-en-us
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
new file mode 100644
index 000000000..ef8c1eb8b
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-en.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-en
+
+mkdir ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
new file mode 100644
index 000000000..ad734662e
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-es-es.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-es-es
+
+mkdir ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-es-es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
new file mode 100644
index 000000000..97d8d8577
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-es.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-es
+
+mkdir ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
new file mode 100644
index 000000000..095be69e4
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-fa.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-fa
+
+mkdir ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fa
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
new file mode 100644
index 000000000..37f61fc3a
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-fr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-fr
+
+mkdir ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-fr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
new file mode 100644
index 000000000..ab7141fc4
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-ga-ie.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-ga-ie
+
+mkdir ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
new file mode 100644
index 000000000..ae56f3b7f
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-he.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-he
+
+mkdir ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
new file mode 100644
index 000000000..65cd18ac8
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-hu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-hu
+
+mkdir ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
new file mode 100644
index 000000000..57fe09f47
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-id.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-id
+
+mkdir ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
new file mode 100644
index 000000000..54f1df42d
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-is.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-is
+
+mkdir ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
new file mode 100644
index 000000000..a7d46e875
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-it.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-it
+
+mkdir ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-it
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
new file mode 100644
index 000000000..b89016141
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-ja.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-ja
+
+mkdir ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ja
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
new file mode 100644
index 000000000..b57cf10de
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-ka.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-ka
+
+mkdir ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
new file mode 100644
index 000000000..a9bedb6fd
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-ko.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-ko
+
+mkdir ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-ko
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
new file mode 100644
index 000000000..fbe9f92bd
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-nb.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-nb
+
+mkdir ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
new file mode 100644
index 000000000..678ac1713
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-nl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-nl
+
+mkdir ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
new file mode 100644
index 000000000..25d473b1a
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-pl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-pl
+
+mkdir ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
new file mode 100644
index 000000000..55adbd5ea
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-pt-br.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-pt-br
+
+mkdir ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-pt-br
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
new file mode 100644
index 000000000..aea13be9d
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-ru.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-ru
+
+mkdir ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-ru
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
new file mode 100644
index 000000000..b7882bd04
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-sv-se.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-sv-se
+
+mkdir ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
new file mode 100644
index 000000000..c52e8c4c4
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-tr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-tr
+
+mkdir ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
new file mode 100644
index 000000000..d5bf76655
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-vi.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-vi
+
+mkdir ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-vi
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
new file mode 100644
index 000000000..6c8925a4a
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-zh-cn.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-zh-cn
+
+mkdir ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-cn
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
new file mode 100644
index 000000000..141a6701e
--- /dev/null
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser-zh-tw.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser-zh-tw
+
+mkdir ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
new file mode 100644
index 000000000..76a0e1fa5
--- /dev/null
+++ b/etc/profile-m-z/tor-browser.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser
+
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
new file mode 100644
index 000000000..d811b7549
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_ar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_ar
+
+mkdir ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
new file mode 100644
index 000000000..8bf1f7cd4
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_ca.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_ca
+
+mkdir ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
new file mode 100644
index 000000000..b41107bf1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_cs.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_cs
+
+mkdir ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
new file mode 100644
index 000000000..cbec4ee2e
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_da.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_da
+
+mkdir ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
new file mode 100644
index 000000000..ea26765d3
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_de.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_de
+
+mkdir ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
new file mode 100644
index 000000000..ff57a8722
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_el.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_el
+
+mkdir ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
new file mode 100644
index 000000000..18c92b638
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_en-US.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_en-US
+
+mkdir ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
new file mode 100644
index 000000000..ebba83cc4
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_en.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_en
+
+mkdir ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
new file mode 100644
index 000000000..aecab38d5
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_es-ES.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_es-ES
+
+mkdir ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
new file mode 100644
index 000000000..e19e9b5e6
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_es.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_es
+
+mkdir ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
new file mode 100644
index 000000000..68414c277
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_fa.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_fa
+
+mkdir ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
new file mode 100644
index 000000000..0a8bb30b7
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_fr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_fr
+
+mkdir ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
new file mode 100644
index 000000000..12354b900
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_ga-IE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_ga-IE
+
+mkdir ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
new file mode 100644
index 000000000..19cbb0809
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_he.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_he
+
+mkdir ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
new file mode 100644
index 000000000..62b55e170
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_hu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_hu
+
+mkdir ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
new file mode 100644
index 000000000..2970a7747
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_id.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_id
+
+mkdir ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
new file mode 100644
index 000000000..f922c7644
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_is.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_is
+
+mkdir ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
new file mode 100644
index 000000000..406901759
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_it.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_it
+
+mkdir ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
new file mode 100644
index 000000000..8f9d8d751
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_ja.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_ja
+
+mkdir ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
new file mode 100644
index 000000000..4de4135e1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_ka.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
new file mode 100644
index 000000000..125c733ce
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_ko.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
new file mode 100644
index 000000000..dc6ac876b
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_nb.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
new file mode 100644
index 000000000..2a3a5b519
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_nl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
new file mode 100644
index 000000000..b7dec32db
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_pl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
new file mode 100644
index 000000000..7a7d4726c
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_pt-BR.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
new file mode 100644
index 000000000..7d2e6bc97
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_ru.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
new file mode 100644
index 000000000..585925e81
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_sv-SE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
new file mode 100644
index 000000000..4b0cc3821
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_tr.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
new file mode 100644
index 000000000..4dcfbf56d
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_vi.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
new file mode 100644
index 000000000..1e03b8d6b
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_zh-CN.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
new file mode 100644
index 000000000..a2dcf5cf1
--- /dev/null
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -0,0 +1,15 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tor-browser_zh-TW.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor.profile b/etc/profile-m-z/tor.profile
index fcb123eef..08e949309 100644
--- a/etc/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -1,9 +1,10 @@
 # Firejail profile for tor
+# Description: Anonymizing overlay network for TCP
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/tor.local
+include tor.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # How to use:
 # Create a script called anything (e.g. mytor)
@@ -16,32 +17,35 @@ include /etc/firejail/globals.local
 # You'll also likely want to disable the system service (if it exists)
 # Run mytor (or whatever you called the script above) whenever you want to start tor
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
-caps.keep setuid,setgid,net_bind_service,dac_read_search
+caps.keep dac_read_search,net_bind_service,setgid,setuid
 ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-writable-var
 
 disable-mnt
 private
-private-bin tor,bash
+private-bin bash,tor
+private-cache
 private-dev
-private-etc tor,passwd
+private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
 private-tmp
-
-noexec ${HOME}
-noexec /tmp
+writable-var
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
new file mode 100644
index 000000000..e7b8ecd3f
--- /dev/null
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -0,0 +1,65 @@
+# Firejail profile for torbrowser-launcher
+# Description: Helps download and run the Tor Browser Bundle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torbrowser-launcher.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.config/torbrowser
+noblacklist ${HOME}/.local/share/torbrowser
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /opt
+blacklist /srv
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/torbrowser
+mkdir ${HOME}/.local/share/torbrowser
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/torbrowser
+whitelist ${HOME}/.local/share/torbrowser
+whitelist /usr/share/torbrowser-launcher
+include whitelist-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+
+# Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support.
+# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
+# to be uncommented too for this to work as expected.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp !chroot
+shell none
+#tracelog - may cause issues, see #1930
+
+disable-mnt
+private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
new file mode 100644
index 000000000..a7ebaf2af
--- /dev/null
+++ b/etc/profile-m-z/torcs.profile
@@ -0,0 +1,49 @@
+# Firejail profile for torcs
+# Description: The Open Racing Car Simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torcs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.torcs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.torcs
+whitelist ${HOME}/.torcs
+whitelist /usr/share/games/torcs
+whitelist /var/games/torcs
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,chmod,cp,mkdir,rm,torcs
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
new file mode 100644
index 000000000..dac753fd1
--- /dev/null
+++ b/etc/profile-m-z/totem.profile
@@ -0,0 +1,60 @@
+# Firejail profile for totem
+# Description: Simple media player for the GNOME desktop based on GStreamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include totem.local
+# Persistent global definitions
+include globals.local
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+# required for youtube video
+include allow-lua.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.local/share/totem
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/totem
+mkdir ${HOME}/.local/share/totem
+whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.local/share/totem
+whitelist /usr/share/totem
+include whitelist-common.inc
+include whitelist-player-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin totem
+# totem needs access to ~/.cache/tracker or it exits
+#private-cache
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+dbus-system none
diff --git a/etc/tracker.profile b/etc/profile-m-z/tracker.profile
index f3dfb2d4e..ba44224f9 100644
--- a/etc/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -1,18 +1,23 @@
 # Firejail profile for tracker
+# Description: Metadata database, indexer and search tool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/tracker.local
+include tracker.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter
@@ -31,5 +36,4 @@ tracelog
 
 # private-bin tracker
 # private-dev
-# private-etc fonts
 # private-tmp
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
new file mode 100644
index 000000000..2b63f6448
--- /dev/null
+++ b/etc/profile-m-z/transgui.profile
@@ -0,0 +1,55 @@
+# Firejail profile for transgui
+# Description: Cross-platform Transmission BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transgui.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/transgui
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/transgui
+whitelist ${HOME}/.config/transgui
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin geoiplookup,geoiplookup6,transgui
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
new file mode 100644
index 000000000..486be5fe6
--- /dev/null
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for transmission-cli
+# Description: Fast, easy and free BitTorrent client (CLI tools and web client)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-cli.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-cli
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
new file mode 100644
index 000000000..9d9b8cc2c
--- /dev/null
+++ b/etc/profile-m-z/transmission-common.profile
@@ -0,0 +1,54 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-cache
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/transmission-create.profile b/etc/profile-m-z/transmission-create.profile
new file mode 100644
index 000000000..8220b7887
--- /dev/null
+++ b/etc/profile-m-z/transmission-create.profile
@@ -0,0 +1,13 @@
+# Firejail profile for transmission-create
+# Description: CLI utility to create BitTorrent .torrent files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-create.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-create
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
new file mode 100644
index 000000000..348d3cb80
--- /dev/null
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -0,0 +1,27 @@
+# Firejail profile for transmission-daemon
+# Description: Fast, easy and free BitTorrent client (daemon)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-daemon.local
+# Persistent global definitions
+include globals.local
+
+ignore caps.drop all
+
+mkdir ${HOME}/.config/transmission-daemon
+whitelist ${HOME}/.config/transmission-daemon
+whitelist /var/lib/transmission
+
+caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+protocol packet
+
+private-bin transmission-daemon
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+
+read-write /var/lib/transmission
+writable-var-log
+writable-run-user
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-edit.profile b/etc/profile-m-z/transmission-edit.profile
new file mode 100644
index 000000000..df381b5cd
--- /dev/null
+++ b/etc/profile-m-z/transmission-edit.profile
@@ -0,0 +1,13 @@
+# Firejail profile for transmission-edit
+# Description: CLI utility to modify BitTorrent .torrent files' announce URLs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-edit.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-edit
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-gtk.profile b/etc/profile-m-z/transmission-gtk.profile
new file mode 100644
index 000000000..03111ec56
--- /dev/null
+++ b/etc/profile-m-z/transmission-gtk.profile
@@ -0,0 +1,18 @@
+# Firejail profile for transmission-gtk
+# Description: Fast, easy and free BitTorrent client (GTK GUI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-gtk.local
+# Persistent global definitions
+include globals.local
+
+include whitelist-runuser-common.inc
+
+private-bin transmission-gtk
+private-cache
+
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-qt.profile b/etc/profile-m-z/transmission-qt.profile
new file mode 100644
index 000000000..94f3c3a20
--- /dev/null
+++ b/etc/profile-m-z/transmission-qt.profile
@@ -0,0 +1,18 @@
+# Firejail profile for transmission-qt
+# Description: Fast, easy and free BitTorrent client (Qt GUI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-qt.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-qt
+
+# private-lib - breaks on Arch
+ignore private-lib
+
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-remote-cli.profile b/etc/profile-m-z/transmission-remote-cli.profile
new file mode 100644
index 000000000..7b9285e66
--- /dev/null
+++ b/etc/profile-m-z/transmission-remote-cli.profile
@@ -0,0 +1,17 @@
+# Firejail profile for transmission-remote-cli
+# Description: A remote control utility for transmission-daemon (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-remote-cli.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+private-bin python*,transmission-remote-cli
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
new file mode 100644
index 000000000..a6400e2c0
--- /dev/null
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -0,0 +1,22 @@
+# Firejail profile for transmission-remote-gtk
+# Description: A remote control utility for transmission-daemon (GTK GUI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-remote-gtk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/transmission-remote-gtk
+
+mkdir ${HOME}/.config/transmission-remote-gtk
+whitelist ${HOME}/.config/transmission-remote-gtk
+
+private-etc fonts,hostname,hosts,resolv.conf
+# Problems with private-lib (see issue #2889)
+ignore private-lib
+
+ignore memory-deny-write-execute
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
new file mode 100644
index 000000000..fee4999e6
--- /dev/null
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -0,0 +1,14 @@
+# Firejail profile for transmission-remote
+# Description: A remote control utility for transmission-daemon (CLI)
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-remote.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-remote
+private-etc alternatives,hosts,nsswitch.conf
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
new file mode 100644
index 000000000..5a3c83f58
--- /dev/null
+++ b/etc/profile-m-z/transmission-show.profile
@@ -0,0 +1,14 @@
+# Firejail profile for transmission-show
+# Description: CLI utility to show BitTorrent .torrent file metadata
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include transmission-show.local
+# Persistent global definitions
+include globals.local
+
+private-bin transmission-show
+private-etc alternatives,hosts,nsswitch.conf
+
+# Redirect
+include transmission-common.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
new file mode 100644
index 000000000..4e16df553
--- /dev/null
+++ b/etc/profile-m-z/tremulous.profile
@@ -0,0 +1,50 @@
+# Firejail profile for tremulous
+# Description: First Person Shooter game based on the Quake 3 engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tremulous.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tremulous
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tremulous
+whitelist ${HOME}/.tremulous
+whitelist /usr/share/tremulous
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tremded,tremulous,tremulous-wrapper
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
new file mode 100644
index 000000000..41426c606
--- /dev/null
+++ b/etc/profile-m-z/trojita.profile
@@ -0,0 +1,64 @@
+# Firejail profile for trojita
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include trojita.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.abook
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/flaska.net/trojita
+noblacklist ${HOME}/.config/flaska.net
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.abook
+mkdir ${HOME}/.cache/flaska.net/trojita
+mkdir ${HOME}/.config/flaska.net
+whitelist ${HOME}/.abook
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/flaska.net/trojita
+whitelist ${HOME}/.config/flaska.net
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin trojita
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/truecraft.profile b/etc/profile-m-z/truecraft.profile
index 4e48f6c6b..503e1ae64 100644
--- a/etc/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
@@ -1,30 +1,33 @@
 # Firejail profile for truecraft
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/truecraft.local
+include truecraft.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/mono
 noblacklist ${HOME}/.config/truecraft
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.config/mono
 mkdir ${HOME}/.config/truecraft
 whitelist ${HOME}/.config/mono
 whitelist ${HOME}/.config/truecraft
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
@@ -34,5 +37,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile
new file mode 100644
index 000000000..8d4675454
--- /dev/null
+++ b/etc/profile-m-z/ts3client_runscript.sh.profile
@@ -0,0 +1,19 @@
+# Firejail profile alias for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ts3client_runscript.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+# Redirect
+include teamspeak3.profile
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
new file mode 100644
index 000000000..3f5a9647e
--- /dev/null
+++ b/etc/profile-m-z/tshark.profile
@@ -0,0 +1,11 @@
+# Firejail profile for tshark
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include tshark.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
new file mode 100644
index 000000000..d2cb0cc8a
--- /dev/null
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -0,0 +1,31 @@
+# Firejail profile for tutanota-desktop
+# Description: Encrypted email client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tutanota-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tuta_integration
+noblacklist ${HOME}/.config/tutanota-desktop
+
+ignore noexec /tmp
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/tuta_integration
+mkdir ${HOME}/.config/tutanota-desktop
+whitelist ${HOME}/.config/tuta_integration
+whitelist ${HOME}/.config/tutanota-desktop
+
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+?HAS_APPIMAGE: ignore private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-opt tutanota-desktop
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
new file mode 100644
index 000000000..807d43281
--- /dev/null
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -0,0 +1,45 @@
+# Firejail profile for tuxguitar
+# Description: Multitrack guitar tablature editor and player (gp3 to gp5)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tuxguitar.local
+# Persistent global definitions
+include globals.local
+
+# tuxguitar fails to launch
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.tuxguitar*
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
new file mode 100644
index 000000000..8a18519ac
--- /dev/null
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -0,0 +1,53 @@
+# Firejail profile for tvbrowser
+# Description: java tv programm form tvbrowser.org
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tvbrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tvbrowser
+noblacklist ${HOME}/.tvbrowser
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tvbrowser
+mkdir ${HOME}/.tvbrowser
+whitelist ${HOME}/.config/tvbrowser
+whitelist ${HOME}/.tvbrowser
+whitelist /usr/share/tvbrowser
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
new file mode 100644
index 000000000..d767b4c9d
--- /dev/null
+++ b/etc/profile-m-z/twitch.profile
@@ -0,0 +1,25 @@
+# Firejail profile for twitch
+# Description: Unofficial electron based desktop warpper for Twitch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include twitch.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore nou2f
+ignore novideo
+
+noblacklist ${HOME}/.config/Twitch
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/Twitch
+whitelist ${HOME}/.config/Twitch
+
+private-bin electron,electron[0-9],electron[0-9][0-9],twitch
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Twitch
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
new file mode 100644
index 000000000..02f05af16
--- /dev/null
+++ b/etc/profile-m-z/udiskie.profile
@@ -0,0 +1,45 @@
+# Firejail profile for udiskie
+# Description: Removable disk automounter using udisks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include udiskie.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !request_key
+shell none
+tracelog
+
+private-bin awk,cut,dbus-send,egrep,file,grep,head,python*,readlink,sed,sh,udiskie,uname,which,xdg-mime,xdg-open,xprop
+# add your configured file browser in udiskie.local, e. g.
+# private-bin nautilus
+# private-bin thunar
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+private-tmp
diff --git a/etc/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 138f69aa8..2e5630f3d 100644
--- a/etc/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -1,15 +1,18 @@
 # Firejail profile for uefitool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/uefitool.local
+include uefitool.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
+noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
@@ -17,17 +20,20 @@ net none
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
+dbus-user none
+dbus-system none
diff --git a/etc/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index 56ff4f886..4420099ff 100644
--- a/etc/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -1,28 +1,34 @@
 # Firejail profile for uget-gtk
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/uget-gtk.local
+include uget-gtk.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/uGet
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
 
-mkdir ~/.config/uGet
+mkdir ${HOME}/.config/uGet
 whitelist ${DOWNLOADS}
-whitelist ~/.config/uGet
-include /etc/firejail/whitelist-common.inc
+whitelist ${HOME}/.config/uGet
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
 nodvd
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/profile-m-z/unar.profile b/etc/profile-m-z/unar.profile
new file mode 100644
index 000000000..0226a7de8
--- /dev/null
+++ b/etc/profile-m-z/unar.profile
@@ -0,0 +1,13 @@
+# Firejail profile for unar
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin unar
+
+# Redirect
+include ar.profile
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
new file mode 100644
index 000000000..e8424cd7d
--- /dev/null
+++ b/etc/profile-m-z/unbound.profile
@@ -0,0 +1,52 @@
+# Firejail profile for unbound
+# Description: Validating, recursive, caching DNS resolver
+# This file is overwritten after every install/update
+# Persistent local customizations
+include unbound.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+
+whitelist /var/lib/unbound
+whitelist /var/run
+
+caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+noinput
+nonewprivs
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+
+disable-mnt
+private
+private-dev
+private-tmp
+writable-var
+
+dbus-user none
+dbus-system none
+
+# mdwe can break modules/plugins
+memory-deny-write-execute
diff --git a/etc/profile-m-z/uncompress.profile b/etc/profile-m-z/uncompress.profile
new file mode 100644
index 000000000..f659d8e87
--- /dev/null
+++ b/etc/profile-m-z/uncompress.profile
@@ -0,0 +1,11 @@
+# Firejail profile for uncompress
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include uncompress.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
new file mode 100644
index 000000000..212e6d181
--- /dev/null
+++ b/etc/profile-m-z/unf.profile
@@ -0,0 +1,59 @@
+# Firejail profile for unf
+# Description: UNixize Filename -- replace annoying anti-unix characters in filenames
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unf.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname unf
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin unf
+private-cache
+?HAS_APPIMAGE: ignore private-dev
+private-dev
+private-etc alternatives
+private-lib gcc/*/*/libgcc_s.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
new file mode 100644
index 000000000..b8f4dc431
--- /dev/null
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -0,0 +1,44 @@
+# Firejail profile for unknown-horizons
+# Description: 2D realtime strategy simulation
+# This file is overwritten after every install/update
+# Persistent local customizations
+include unknown-horizons.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.unknown-horizons
+
+include disable-common.inc
+include disable-exec.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.unknown-horizons
+whitelist ${HOME}/.unknown-horizons
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+# private-bin unknown-horizons
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-tmp
+
+# doesn't work - maybe all Tcl/Tk programs have this problem
+# memory-deny-write-execute
diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile
new file mode 100644
index 000000000..115d982e2
--- /dev/null
+++ b/etc/profile-m-z/unlzma.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unlzma.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
new file mode 100644
index 000000000..9d3d9b40e
--- /dev/null
+++ b/etc/profile-m-z/unrar.profile
@@ -0,0 +1,15 @@
+# Firejail profile for unrar
+# Description: Unarchiver for .rar files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unrar.local
+# Persistent global definitions
+include globals.local
+
+private-bin unrar
+private-etc alternatives,group,localtime,passwd
+private-tmp
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile
new file mode 100644
index 000000000..d86313028
--- /dev/null
+++ b/etc/profile-m-z/unxz.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unxz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
new file mode 100644
index 000000000..0231e3dba
--- /dev/null
+++ b/etc/profile-m-z/unzip.profile
@@ -0,0 +1,16 @@
+# Firejail profile for unzip
+# Description: De-archiver for .zip files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include unzip.local
+# Persistent global definitions
+include globals.local
+
+# GNOME Shell integration (chrome-gnome-shell)
+noblacklist ${HOME}/.local/share/gnome-shell
+
+private-etc alternatives,group,localtime,passwd
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile
new file mode 100644
index 000000000..0294aceff
--- /dev/null
+++ b/etc/profile-m-z/unzstd.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include unzstd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
new file mode 100644
index 000000000..b164494fa
--- /dev/null
+++ b/etc/profile-m-z/utox.profile
@@ -0,0 +1,49 @@
+# Firejail profile for utox
+# Description: Lightweight Tox client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include utox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Tox
+noblacklist ${HOME}/.config/tox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/tox
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin utox
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
new file mode 100644
index 000000000..3b38f16e0
--- /dev/null
+++ b/etc/profile-m-z/uudeview.profile
@@ -0,0 +1,47 @@
+# Firejail profile for uudeview
+# Description: Smart multi-file multi-part decoder
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include uudeview.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-usr-share-common.inc
+
+caps.drop all
+hostname uudeview
+ipc-namespace
+machine-id
+net none
+nodvd
+#nogroups
+noinput
+nonewprivs
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin uudeview
+private-cache
+private-dev
+private-etc alternatives,ld.so.preload
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
new file mode 100644
index 000000000..41487a8f2
--- /dev/null
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -0,0 +1,40 @@
+# Firejail profile for uzbl-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include uzbl-browser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/uzbl
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/uzbl
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.local/share/uzbl
+mkdir ${HOME}/.password-store
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/uzbl
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.local/share/uzbl
+whitelist ${HOME}/.password-store
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+tracelog
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
new file mode 100644
index 000000000..469e65542
--- /dev/null
+++ b/etc/profile-m-z/viewnior.profile
@@ -0,0 +1,52 @@
+# Firejail profile for viewnior
+# Description: Simple, fast and elegant image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include viewnior.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.config/viewnior
+noblacklist ${HOME}/.steam
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin viewnior
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
diff --git a/etc/viking.profile b/etc/profile-m-z/viking.profile
index 30e89b511..fd15228cf 100644
--- a/etc/viking.profile
+++ b/etc/profile-m-z/viking.profile
@@ -1,27 +1,33 @@
 # Firejail profile for viking
+# Description: GPS data editor, analyzer and viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/viking.local
+include viking.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.viking
 noblacklist ${HOME}/.viking-maps
+noblacklist ${DOCUMENTS}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -29,5 +35,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
new file mode 100644
index 000000000..a6e05a32a
--- /dev/null
+++ b/etc/profile-m-z/vim.profile
@@ -0,0 +1,34 @@
+# Firejail profile for vim
+# Description: Vi IMproved - enhanced vi editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vim
+noblacklist ${HOME}/.viminfo
+noblacklist ${HOME}/.vimrc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+include disable-common.inc
+include disable-programs.inc
+
+include whitelist-runuser-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+
+private-dev
diff --git a/etc/profile-m-z/vimcat.profile b/etc/profile-m-z/vimcat.profile
new file mode 100644
index 000000000..73b76b5ab
--- /dev/null
+++ b/etc/profile-m-z/vimcat.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimcat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/vimdiff.profile b/etc/profile-m-z/vimdiff.profile
new file mode 100644
index 000000000..f09faf1d6
--- /dev/null
+++ b/etc/profile-m-z/vimdiff.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimdiff
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/vimpager.profile b/etc/profile-m-z/vimpager.profile
new file mode 100644
index 000000000..af7703752
--- /dev/null
+++ b/etc/profile-m-z/vimpager.profile
@@ -0,0 +1,11 @@
+# Firejail profile for vimpager
+# Description: A vim-based script to use as a PAGER
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimpager.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/vimtutor.profile b/etc/profile-m-z/vimtutor.profile
new file mode 100644
index 000000000..b9584cc49
--- /dev/null
+++ b/etc/profile-m-z/vimtutor.profile
@@ -0,0 +1,10 @@
+# Firejail profile for vimtutor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vimtutor.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vim.profile
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
new file mode 100644
index 000000000..6ab9aa15b
--- /dev/null
+++ b/etc/profile-m-z/virtualbox.profile
@@ -0,0 +1,52 @@
+# Firejail profile for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virtualbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
+noblacklist /usr/lib/virtualbox
+noblacklist /usr/lib64/virtualbox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/VirtualBox
+mkdir ${HOME}/VirtualBox VMs
+whitelist ${HOME}/.config/VirtualBox
+whitelist ${HOME}/VirtualBox VMs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/virtualbox
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+
+apparmor
+caps.keep net_raw,sys_nice
+netfilter
+nodvd
+#nogroups
+notv
+shell none
+tracelog
+
+#disable-mnt
+#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
new file mode 100644
index 000000000..0d80167f3
--- /dev/null
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -0,0 +1,7 @@
+# Firejail profile for vivaldi-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-beta.local
+
+# Redirect
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
new file mode 100644
index 000000000..543f206af
--- /dev/null
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -0,0 +1,7 @@
+# Firejail profile for vivaldi-snapshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-snapshot.local
+
+# Redirect
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
new file mode 100644
index 000000000..94b2cd76c
--- /dev/null
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -0,0 +1,7 @@
+# Firejail profile for vivaldi-stable
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-stable.local
+
+# Redirect
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
new file mode 100644
index 000000000..fdeb0307f
--- /dev/null
+++ b/etc/profile-m-z/vivaldi.profile
@@ -0,0 +1,41 @@
+# Firejail profile for vivaldi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi.local
+# Persistent global definitions
+include globals.local
+
+# Allow HTML5 Proprietary Media & DRM/EME (Widevine)
+ignore apparmor
+ignore noexec /var
+noblacklist /var/opt
+whitelist /var/opt/vivaldi
+writable-var
+
+noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.cache/vivaldi-snapshot
+noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi-snapshot
+noblacklist ${HOME}/.local/lib/vivaldi
+
+mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.cache/vivaldi-snapshot
+mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.config/vivaldi-snapshot
+mkdir ${HOME}/.local/lib/vivaldi
+whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.cache/vivaldi-snapshot
+whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.config/vivaldi-snapshot
+whitelist ${HOME}/.local/lib/vivaldi
+
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
+# breaks vivaldi sync
+ignore dbus-user none
+ignore dbus-system none
+
+read-write ${HOME}/.local/lib/vivaldi
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
new file mode 100644
index 000000000..68db032aa
--- /dev/null
+++ b/etc/profile-m-z/vlc.profile
@@ -0,0 +1,53 @@
+# Firejail profile for vlc
+# Description: Multimedia player and streamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vlc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/aacs
+noblacklist ${HOME}/.local/share/vlc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.config/aacs
+whitelist ${HOME}/.local/share/vlc
+include whitelist-common.inc
+include whitelist-player-common.inc
+include whitelist-var-common.inc
+
+#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/vmware-player.profile b/etc/profile-m-z/vmware-player.profile
new file mode 100644
index 000000000..582a0f693
--- /dev/null
+++ b/etc/profile-m-z/vmware-player.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-player
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-player.local
+
+# Redirect
+include vmware.profile
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
new file mode 100644
index 000000000..b2b019ff4
--- /dev/null
+++ b/etc/profile-m-z/vmware-view.profile
@@ -0,0 +1,56 @@
+# Firejail profile for vmware-view
+# Description: VMware Horizon Client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-view.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.vmware
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.vmware
+whitelist ${HOME}/.vmware
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+# Add 'ignore novideo' to your vmware-view.local if you need your webcam.
+novideo
+protocol unix,inet,inet6
+seccomp !iopl
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg
+# Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox.
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/vmware-workstation.profile b/etc/profile-m-z/vmware-workstation.profile
new file mode 100644
index 000000000..6290b57f4
--- /dev/null
+++ b/etc/profile-m-z/vmware-workstation.profile
@@ -0,0 +1,8 @@
+# Firejail profile for vmware-workstation
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware-workstation.local
+
+# Redirect
+include vmware.profile
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
new file mode 100644
index 000000000..cb85836b7
--- /dev/null
+++ b/etc/profile-m-z/vmware.profile
@@ -0,0 +1,43 @@
+# Firejail profile for vmware
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vmware
+noblacklist ${HOME}/.vmware
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/vmware
+mkdir ${HOME}/.vmware
+whitelist ${HOME}/.cache/vmware
+whitelist ${HOME}/.vmware
+# Add the next lines to your vmware.local if you need to use "shared VM".
+#whitelist /var/lib/vmware
+#writable-var
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.keep chown,net_raw,sys_nice
+netfilter
+nogroups
+notv
+shell none
+tracelog
+
+#disable-mnt
+# Add the next line to your vmware.local to enable private-bin.
+#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
new file mode 100644
index 000000000..a4a4fb7d8
--- /dev/null
+++ b/etc/profile-m-z/vscodium.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vscodium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.VSCodium
+
+# Redirect
+include code.profile
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
new file mode 100644
index 000000000..fa6ddf1fb
--- /dev/null
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -0,0 +1,13 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vulturesclaw.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /var/games/vulturesclaw
+whitelist /var/games/vulturesclaw
+
+# Redirect
+include nethack-vultures.profile
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
new file mode 100644
index 000000000..49d3fa94f
--- /dev/null
+++ b/etc/profile-m-z/vultureseye.profile
@@ -0,0 +1,13 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vultureseye.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /var/games/vultureseye
+whitelist /var/games/vultureseye
+
+# Redirect
+include nethack-vultures.profile
diff --git a/etc/vym.profile b/etc/profile-m-z/vym.profile
index 4f60b2ada..6632ccb6b 100644
--- a/etc/vym.profile
+++ b/etc/profile-m-z/vym.profile
@@ -1,26 +1,30 @@
 # Firejail profile for vym
+# Description: Mindmapping tool
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/vym.local
+include vym.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-noblacklist ./.config/InSilmaril
+noblacklist ${HOME}/.config/InSilmaril
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
@@ -30,5 +34,3 @@ disable-mnt
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
new file mode 100644
index 000000000..81c8a2f5c
--- /dev/null
+++ b/etc/profile-m-z/w3m.profile
@@ -0,0 +1,71 @@
+# Firejail profile for w3m
+# Description: WWW browsable pager with excellent tables/frames support
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include w3m.local
+# Persistent global definitions
+include globals.local
+
+# Add the next lines to your w3m.local if you want to use w3m-img on a vconsole.
+#ignore nogroups
+#ignore private-dev
+#ignore private-etc
+
+noblacklist ${HOME}/.w3m
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.w3m
+whitelist /usr/share/w3m
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.w3m
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin perl,sh,w3m
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
new file mode 100644
index 000000000..92e0e7a83
--- /dev/null
+++ b/etc/profile-m-z/warmux.profile
@@ -0,0 +1,56 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
new file mode 100644
index 000000000..5659ec69c
--- /dev/null
+++ b/etc/profile-m-z/warsow.profile
@@ -0,0 +1,55 @@
+# Firejail profile for warsow
+# Description: Fast paced 3D first person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warsow.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/warsow-2.1
+noblacklist ${HOME}/.local/share/warsow-2.1
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/warsow-2.1
+mkdir ${HOME}/.local/share/warsow-2.1
+whitelist ${HOME}/.cache/warsow-2.1
+whitelist ${HOME}/.local/share/warsow-2.1
+whitelist /usr/share/warsow
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warsow
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
new file mode 100644
index 000000000..46dca0547
--- /dev/null
+++ b/etc/profile-m-z/warzone2100.profile
@@ -0,0 +1,47 @@
+# Firejail profile for warzone2100
+# Description: 3D real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warzone2100.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.warzone2100-3.*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.warzone2100-3.1
+mkdir ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.warzone2100-3.1
+whitelist ${HOME}/.warzone2100-3.2
+whitelist /usr/share/games
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warzone2100
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/waterfox-classic.profile b/etc/profile-m-z/waterfox-classic.profile
new file mode 100644
index 000000000..6c7e18a46
--- /dev/null
+++ b/etc/profile-m-z/waterfox-classic.profile
@@ -0,0 +1,7 @@
+# Firejail profile for waterfox-classic
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox-classic.local
+
+# Redirect
+include waterfox.profile
diff --git a/etc/profile-m-z/waterfox-current.profile b/etc/profile-m-z/waterfox-current.profile
new file mode 100644
index 000000000..5e12a6fe3
--- /dev/null
+++ b/etc/profile-m-z/waterfox-current.profile
@@ -0,0 +1,7 @@
+# Firejail profile for waterfox-current
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox-current.local
+
+# Redirect
+include waterfox.profile
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
new file mode 100644
index 000000000..18f1ca79a
--- /dev/null
+++ b/etc/profile-m-z/waterfox.profile
@@ -0,0 +1,28 @@
+# Firejail profile for waterfox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include waterfox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/waterfox
+noblacklist ${HOME}/.waterfox
+
+mkdir ${HOME}/.cache/waterfox
+mkdir ${HOME}/.waterfox
+whitelist ${HOME}/.cache/waterfox
+whitelist ${HOME}/.waterfox
+
+# Add the next lines to your watefox.local if you want to use the migration wizard.
+#noblacklist ${HOME}/.mozilla
+#whitelist ${HOME}/.mozilla
+
+# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+# Add the next line to your waterfox.local to enable private-bin.
+#private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
+# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
+# enabled in your firefox-common.local.
+#private-etc waterfox
+
+# Redirect
+include firefox-common.profile
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
new file mode 100644
index 000000000..4d849c582
--- /dev/null
+++ b/etc/profile-m-z/webstorm.profile
@@ -0,0 +1,45 @@
+# Firejail profile for WebStorm
+# This file is overwritten after every install/update
+# Persistent local customizations
+include webstorm.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.WebStorm*
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.tooling
+# Allow KDE file manager to open with log directories (blacklisted by disable-programs.inc)
+noblacklist ${HOME}/.config/dolphinrc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+noblacklist ${PATH}/node
+noblacklist ${HOME}/.nvm
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
new file mode 100644
index 000000000..2fe727b9c
--- /dev/null
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -0,0 +1,38 @@
+# Firejail profile for webui-aria2
+# Run this with firejail --profile=webui-aria2 node node-server.js
+# This file is overwritten after every install/update
+# Persistent local customizations
+include webui-aria2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/node
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
new file mode 100644
index 000000000..92c968fb6
--- /dev/null
+++ b/etc/profile-m-z/weechat-curses.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for weechat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include weechat-curses.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include weechat.profile
diff --git a/etc/weechat.profile b/etc/profile-m-z/weechat.profile
index b0971ae19..76935212f 100644
--- a/etc/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -1,14 +1,19 @@
 # Firejail profile for weechat
+# Description: Fast, light and extensible chat client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/weechat.local
+include weechat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.weechat
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-programs.inc
+
+whitelist /usr/share/weechat
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index d6318c81b..345b26a2c 100644
--- a/etc/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -1,18 +1,19 @@
 # Firejail profile for wesnoth
+# Description: Fantasy turn-based strategy game
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/wesnoth.local
+include wesnoth.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.cache/wesnoth
 noblacklist ${HOME}/.config/wesnoth
 noblacklist ${HOME}/.local/share/wesnoth
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 mkdir ${HOME}/.cache/wesnoth
 mkdir ${HOME}/.config/wesnoth
@@ -20,13 +21,16 @@ mkdir ${HOME}/.local/share/wesnoth
 whitelist ${HOME}/.cache/wesnoth
 whitelist ${HOME}/.config/wesnoth
 whitelist ${HOME}/.local/share/wesnoth
-include /etc/firejail/whitelist-common.inc
+include whitelist-common.inc
 
 caps.drop all
 nodvd
+noinput
 nonewprivs
 noroot
 notv
+nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
new file mode 100644
index 000000000..4c21d6965
--- /dev/null
+++ b/etc/profile-m-z/wget.profile
@@ -0,0 +1,60 @@
+# Firejail profile for wget
+# Description: Retrieves files from the web
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include wget.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.netrc
+noblacklist ${HOME}/.wget-hsts
+noblacklist ${HOME}/.wgetrc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+# Depending on workflow you can add the next line to your wget.local.
+#include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin wget
+private-cache
+private-dev
+# Depending on workflow you can add the next line to your wget.local.
+#private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
new file mode 100644
index 000000000..2f26bf14c
--- /dev/null
+++ b/etc/profile-m-z/whalebird.profile
@@ -0,0 +1,27 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Whalebird
+
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+
+no3d
+
+private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
+private-etc fonts,machine-id
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
new file mode 100644
index 000000000..755e62f60
--- /dev/null
+++ b/etc/profile-m-z/whois.profile
@@ -0,0 +1,57 @@
+# Firejail profile for whois
+# Description: Intelligent WHOIS client
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include whois.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname whois
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,sh,whois
+private-cache
+private-dev
+private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-lib gconv
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
new file mode 100644
index 000000000..6561be784
--- /dev/null
+++ b/etc/profile-m-z/widelands.profile
@@ -0,0 +1,48 @@
+# Firejail profile for widelands
+# Description: Open source realtime-strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include widelands.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.widelands
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.widelands
+whitelist ${HOME}/.widelands
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin widelands
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
new file mode 100644
index 000000000..1e9b9341b
--- /dev/null
+++ b/etc/profile-m-z/wine.profile
@@ -0,0 +1,41 @@
+# Firejail profile for wine
+# Description: A compatibility layer for running Windows programs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.local/share/Steam
+noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+# whitelist /usr/share/wine
+# include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
+allow-debuggers
+caps.drop all
+# net none
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound
+notv
+# novideo
+seccomp
+
+private-dev
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
new file mode 100644
index 000000000..151cd2adb
--- /dev/null
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -0,0 +1,32 @@
+# Firejail profile for wire-desktop
+# Description: End-to-end encrypted messenger with file sharing, voice calls and video conferences
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wire-desktop.local
+# Persistent global definitions
+include globals.local
+
+# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
+
+# Disabled until someone reported positive feedback
+ignore include disable-exec.inc
+ignore include disable-xdg.inc
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+ignore include whitelist-var-common.inc
+ignore novideo
+ignore private-cache
+
+ignore dbus-user none
+ignore dbus-system none
+
+noblacklist ${HOME}/.config/Wire
+
+mkdir ${HOME}/.config/Wire
+whitelist ${HOME}/.config/Wire
+
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile
new file mode 100644
index 000000000..4d54e986e
--- /dev/null
+++ b/etc/profile-m-z/wireshark-gtk.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for wireshark
+# Description: Network protocol analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wireshark-gtk.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile
new file mode 100644
index 000000000..4e0694f95
--- /dev/null
+++ b/etc/profile-m-z/wireshark-qt.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for wireshark
+# Description: Network protocol analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wireshark-qt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
new file mode 100644
index 000000000..16875ad9b
--- /dev/null
+++ b/etc/profile-m-z/wireshark.profile
@@ -0,0 +1,53 @@
+# Firejail profile for wireshark
+# Description: Network traffic analyzer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wireshark.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wireshark
+noblacklist ${HOME}/.wireshark
+noblacklist ${DOCUMENTS}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/wireshark
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+# caps.drop all
+caps.keep dac_override,net_admin,net_raw
+netfilter
+no3d
+# nogroups - breaks network traffic capture for unprivileged users
+noinput
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+nodvd
+nosound
+notv
+nou2f
+novideo
+# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+#seccomp
+shell none
+tracelog
+
+# private-bin wireshark
+private-cache
+private-dev
+# private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
new file mode 100644
index 000000000..b2f3341ee
--- /dev/null
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -0,0 +1,52 @@
+# Firejail profile for wordwarvi
+# Description: Old school '80's style side scrolling space shoot'em up game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wordwarvi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.wordwarvi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.wordwarvi
+whitelist ${HOME}/.wordwarvi
+whitelist /usr/share/wordwarvi
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin wordwarvi
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wpp.profile b/etc/profile-m-z/wpp.profile
new file mode 100644
index 000000000..a219397a9
--- /dev/null
+++ b/etc/profile-m-z/wpp.profile
@@ -0,0 +1,14 @@
+# Firejail profile for wpp
+# Description: WPS Office - Presentation
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore machine-id
+ignore nosound
+
+# Redirect
+include wps.profile
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
new file mode 100644
index 000000000..cb0301378
--- /dev/null
+++ b/etc/profile-m-z/wps.profile
@@ -0,0 +1,49 @@
+# Firejail profile for wps
+# Description: WPS Office - Writer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kingsoft
+noblacklist ${HOME}/.config/Kingsoft
+noblacklist ${HOME}/.local/share/Kingsoft
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# Add the next line to your wps.local if you don't use network features.
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp causes some minor issues. Add the next line to your wps.local if you can live with those.
+#seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wpspdf.profile b/etc/profile-m-z/wpspdf.profile
new file mode 100644
index 000000000..82080acbc
--- /dev/null
+++ b/etc/profile-m-z/wpspdf.profile
@@ -0,0 +1,11 @@
+# Firejail profile for wpspdf
+# Description: Kingsoft Pdf Reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wps.profile
diff --git a/etc/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile
index 1395b81c9..141d167a8 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/profile-m-z/x-terminal-emulator.profile
@@ -1,20 +1,23 @@
 # Firejail profile for x-terminal-emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/x-terminal-emulator.local
+include x-terminal-emulator.local
 # Persistent global definitions
-include /etc/firejail/globals.local
-
+include globals.local
 
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nogroups
+noinput
 noroot
+nou2f
 protocol unix
 seccomp
 
 private-dev
 
+dbus-user none
+dbus-system none
+
 noexec /tmp
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
new file mode 100644
index 000000000..3fcac351d
--- /dev/null
+++ b/etc/profile-m-z/x2goclient.profile
@@ -0,0 +1,51 @@
+# Firejail profile for x2goclient
+# Description: Graphical client for X2Go remote desktop system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x2goclient.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.x2go
+noblacklist ${HOME}/.x2goclient
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin nxproxy,x2goclient
+private-cache
+private-dev
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,X11,xdg
+#private-lib
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
new file mode 100644
index 000000000..c9e408ccd
--- /dev/null
+++ b/etc/profile-m-z/xbill.profile
@@ -0,0 +1,54 @@
+# Firejail profile for xbill
+# Description: save your computers from Wingdows [TM] virus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xbill.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xbill
+whitelist /var/games/xbill/scores
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin xbill
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile
new file mode 100644
index 000000000..3f8aa2d34
--- /dev/null
+++ b/etc/profile-m-z/xcalc.profile
@@ -0,0 +1,43 @@
+# Firejail profile for xcalc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xcalc.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin xcalc
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/xchat.profile b/etc/profile-m-z/xchat.profile
index ab62160b5..a94444aab 100644
--- a/etc/xchat.profile
+++ b/etc/profile-m-z/xchat.profile
@@ -1,15 +1,16 @@
 # Firejail profile for xchat
+# Description: IRC client for X similar to AmIRC
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xchat.local
+include xchat.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xchat
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-programs.inc
 
 caps.drop all
 nodvd
@@ -19,4 +20,4 @@ notv
 protocol unix,inet,inet6
 seccomp
 
-# private-bin requires perl, python, etc.
+# private-bin requires perl, python*, etc.
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
new file mode 100644
index 000000000..26383bda3
--- /dev/null
+++ b/etc/profile-m-z/xed.profile
@@ -0,0 +1,54 @@
+# Firejail profile for xed
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xed.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xed
+noblacklist ${HOME}/.python-history
+noblacklist ${HOME}/.python_history
+noblacklist ${HOME}/.pythonhist
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+machine-id
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xed
+private-dev
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+# xed uses python plugins, memory-deny-write-execute breaks python
+# memory-deny-write-execute
diff --git a/etc/xfburn.profile b/etc/profile-m-z/xfburn.profile
index ec1aca75f..91e25048d 100644
--- a/etc/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -1,16 +1,17 @@
 # Firejail profile for xfburn
+# Description: CD-burner application for Xfce Desktop Environment
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xfburn.local
+include xfburn.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
-noblacklist ~/.config/xfburn
+noblacklist ${HOME}/.config/xfburn
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 caps.drop all
 netfilter
@@ -27,5 +28,4 @@ tracelog
 
 # private-bin xfburn
 # private-dev
-# private-etc fonts
 # private-tmp
diff --git a/etc/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index ab52d17e9..fcfec10d0 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -1,34 +1,40 @@
 # Firejail profile for xfce4-dict
+# Description: Dictionary plugin for Xfce4 panel
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xfce4-dict.local
+include xfce4-dict.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xfce4-dict
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
 disable-mnt
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
new file mode 100644
index 000000000..05c46dffb
--- /dev/null
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -0,0 +1,57 @@
+# Firejail profile for xfce4-mixer
+# Description: Volume control for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-mixer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+whitelist /usr/share/gstreamer-*
+whitelist /usr/share/xfce4
+whitelist /usr/share/xfce4-mixer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin xfce4-mixer,xfconf-query
+private-cache
+private-dev
+private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-tmp
+
+dbus-user filter
+dbus-user.own org.xfce.xfce4-mixer
+dbus-user.talk org.xfce.Xfconf
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index 868b4796b..5004b8fb6 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -1,36 +1,42 @@
 # Firejail profile for xfce4-notes
+# Description: Notes application for the Xfce4 desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xfce4-notes.local
+include xfce4-notes.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
 noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
 noblacklist ${HOME}/.local/share/notes
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
 shell none
 
 disable-mnt
+private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
new file mode 100644
index 000000000..b869ae005
--- /dev/null
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xfce4-screenshooter
+# Description: Xfce screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-screenshooter.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xfce4
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin xfce4-screenshooter,xfconf-query
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute -- see #3790
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
new file mode 100644
index 000000000..070e5e0f7
--- /dev/null
+++ b/etc/profile-m-z/xiphos.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xiphos
+# Description: Environment for Bible reading, study, and research
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xiphos.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.sword
+noblacklist ${HOME}/.xiphos
+
+blacklist ${HOME}/.bashrc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.sword
+mkdir ${HOME}/.xiphos
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin xiphos
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-tmp
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
new file mode 100644
index 000000000..d5e25cfe7
--- /dev/null
+++ b/etc/profile-m-z/xlinks.profile
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks
+private-etc fonts
+
+# Redirect
+include links.profile
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
new file mode 100644
index 000000000..1ae6a60ca
--- /dev/null
+++ b/etc/profile-m-z/xlinks2
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks2
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks2
+private-etc fonts
+
+# Redirect
+include links2.profile
diff --git a/etc/xmms.profile b/etc/profile-m-z/xmms.profile
index 717c81fd0..4003f69a2 100644
--- a/etc/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -1,23 +1,28 @@
 # Firejail profile for xmms
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/xmms.local
+include xmms.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 noblacklist ${HOME}/.xmms
+noblacklist ${MUSIC}
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
 caps.drop all
 netfilter
 no3d
+noinput
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
new file mode 100644
index 000000000..8179e8d76
--- /dev/null
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -0,0 +1,46 @@
+# Firejail profile for xmr-stak
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xmr-stak.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xmr-stak
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.xmr-stak
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private ${HOME}/.xmr-stak
+private-bin xmr-stak
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
+private-opt cuda
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile
new file mode 100644
index 000000000..f1766fcf4
--- /dev/null
+++ b/etc/profile-m-z/xonotic-glx.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xonotic-glx.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xonotic.profile
diff --git a/etc/xonotic-glx.profile b/etc/profile-m-z/xonotic-sdl-wrapper.profile
index 041a063bb..6f0c7cf4c 100644
--- a/etc/xonotic-glx.profile
+++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile
@@ -1,6 +1,6 @@
 # Firejail profile alias for xonotic
 # This file is overwritten after every install/update
-
+include xonotic-sdl-wrapper.local
 
 # Redirect
-include /etc/firejail/xonotic.profile
+include xonotic.profile
diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile
new file mode 100644
index 000000000..4b680edb1
--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xonotic-sdl.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xonotic.profile
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
new file mode 100644
index 000000000..6ffe9ece9
--- /dev/null
+++ b/etc/profile-m-z/xonotic.profile
@@ -0,0 +1,57 @@
+# Firejail profile for xonotic
+# Description: A free, fast-paced crossplatform first-person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xonotic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xonotic
+
+include allow-bin-sh.inc
+include allow-opengl-game.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+whitelist /usr/share/xonotic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic*
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.xonotic
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
new file mode 100644
index 000000000..e4282a125
--- /dev/null
+++ b/etc/profile-m-z/xournal.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xournal
+# Description: Note taking and PDF editing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xournal
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin xournal
+private-cache
+private-dev
+private-etc alternatives,fonts,group,machine-id,passwd
+# TODO should use private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
new file mode 100644
index 000000000..a23ad68df
--- /dev/null
+++ b/etc/profile-m-z/xournalpp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for xournalpp
+# Description: Handwriting note-taking software with PDF annotation support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournalpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/xournalpp
+noblacklist ${HOME}/.config/xournalpp
+noblacklist ${HOME}/.xournalpp
+
+include allow-lua.inc
+
+whitelist /usr/share/texlive
+whitelist /usr/share/xournalpp
+whitelist /var/lib/texmf
+include whitelist-runuser-common.inc
+
+#mkdir ${HOME}/.cache/xournalpp
+#mkdir ${HOME}/.config/xournalpp
+#whitelist ${HOME}/.cache/xournalpp
+#whitelist ${HOME}/.config/xournalpp
+#whitelist ${HOME}/.xournalpp
+#whitelist ${HOME}/.texlive20*
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+
+private-bin kpsewhich,pdflatex,xournalpp
+private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive
+
+# Redirect
+include xournal.profile
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
new file mode 100644
index 000000000..0149d36a3
--- /dev/null
+++ b/etc/profile-m-z/xpdf.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xpdf
+# Description: Portable Document Format (PDF) reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xpdf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.xpdfrc
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xplayer-audio-preview.profile b/etc/profile-m-z/xplayer-audio-preview.profile
new file mode 100644
index 000000000..0559b8183
--- /dev/null
+++ b/etc/profile-m-z/xplayer-audio-preview.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-audio-preview
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer-audio-preview.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xplayer.profile
diff --git a/etc/profile-m-z/xplayer-video-thumbnailer.profile b/etc/profile-m-z/xplayer-video-thumbnailer.profile
new file mode 100644
index 000000000..6b2878476
--- /dev/null
+++ b/etc/profile-m-z/xplayer-video-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xplayer-video-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer-video-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xplayer.profile
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
new file mode 100644
index 000000000..d1ea2c9d5
--- /dev/null
+++ b/etc/profile-m-z/xplayer.profile
@@ -0,0 +1,50 @@
+# Firejail profile for xplayer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/xplayer
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.config/xplayer
+mkdir ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.config/xplayer
+whitelist ${HOME}/.local/share/xplayer
+include whitelist-common.inc
+include whitelist-player-common.inc
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+netfilter
+nogroups
+noinput
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/xpra.profile b/etc/profile-m-z/xpra.profile
index 2bd91e8b5..aed6c102f 100644
--- a/etc/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -1,24 +1,28 @@
 # Firejail profile for xpra
+# Description: Tool to detach/reattach running X programs
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
-include /etc/firejail/xpra.local
+include xpra.local
 # Persistent global definitions
-include /etc/firejail/globals.local
+include globals.local
 
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
-# To enable it, create a firejail-xpra  symlink in /usr/local/bin:
+# To enable it, create a firejail-xpra symlink in /usr/local/bin:
 #
 #    $ sudo ln -s /usr/bin/firejail /usr/local/bin/xpra
 #
 # or run "sudo firecfg"
 
-blacklist /media
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
 
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-programs.inc
 
 whitelist /var/lib/xkb
 # whitelisting home directory, or including whitelist-common.inc
@@ -28,20 +32,23 @@ caps.drop all
 # xpra needs to be allowed access to the abstract Unix socket namespace.
 nodvd
 nogroups
+noinput
 nonewprivs
 # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix
 seccomp
 shell none
 
+disable-mnt
 # private home directory doesn't work on some distros, so we go for a regular home
 # private
 # older Xpra versions also use Xvfb
-# private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
+# private-bin bash,cat,dbus-launch,ldconfig,ls,pactl,python*,sh,strace,which,xauth,xkbcomp,Xorg,xpra,Xvfb
 private-dev
-# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
+# private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
diff --git a/etc/profile-m-z/xreader-previewer.profile b/etc/profile-m-z/xreader-previewer.profile
new file mode 100644
index 000000000..6e1dcb5d2
--- /dev/null
+++ b/etc/profile-m-z/xreader-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader-previewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xreader.profile
diff --git a/etc/profile-m-z/xreader-thumbnailer.profile b/etc/profile-m-z/xreader-thumbnailer.profile
new file mode 100644
index 000000000..a6925fcde
--- /dev/null
+++ b/etc/profile-m-z/xreader-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for xreader-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader-thumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include xreader.profile
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
new file mode 100644
index 000000000..f59adc6e2
--- /dev/null
+++ b/etc/profile-m-z/xreader.profile
@@ -0,0 +1,45 @@
+# Firejail profile for xreader
+# Description: Document viewer for files like PDF and Postscript. X-Apps Project.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xreader.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/xreader
+noblacklist ${HOME}/.config/xreader
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Breaks xreader on Mint 18.3
+# include whitelist-var-common.inc
+
+# apparmor
+caps.drop all
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader,xreader-previewer,xreader-thumbnailer
+private-dev
+private-etc alternatives,fonts,ld.so.cache
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
new file mode 100644
index 000000000..5c8d6a47e
--- /dev/null
+++ b/etc/profile-m-z/xviewer.profile
@@ -0,0 +1,49 @@
+# Firejail profile for xviewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xviewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.config/xviewer
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.steam
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-var-common.inc
+
+# apparmor - makes settings immutable
+caps.drop all
+# net none - makes settings immutable
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xviewer
+private-dev
+private-lib
+private-tmp
+
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/xxd.profile b/etc/profile-m-z/xxd.profile
new file mode 100644
index 000000000..864e8ce9c
--- /dev/null
+++ b/etc/profile-m-z/xxd.profile
@@ -0,0 +1,12 @@
+# Firejail profile for xxd
+# Description: Tool to make (or reverse) a hex dump
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xxd.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile
new file mode 100644
index 000000000..7d6be2f49
--- /dev/null
+++ b/etc/profile-m-z/xz.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile
new file mode 100644
index 000000000..8ba77eece
--- /dev/null
+++ b/etc/profile-m-z/xzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile
new file mode 100644
index 000000000..9626048ba
--- /dev/null
+++ b/etc/profile-m-z/xzcmp.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile
new file mode 100644
index 000000000..79f71f2fd
--- /dev/null
+++ b/etc/profile-m-z/xzdec.profile
@@ -0,0 +1,11 @@
+# Firejail profile for xzdec
+# Description: XZ-format compression utilities - tiny decompressors
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzdec.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile
new file mode 100644
index 000000000..825fa9180
--- /dev/null
+++ b/etc/profile-m-z/xzdiff.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile
new file mode 100644
index 000000000..8d50a3bc6
--- /dev/null
+++ b/etc/profile-m-z/xzegrep.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile
new file mode 100644
index 000000000..a8aac86b7
--- /dev/null
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile
new file mode 100644
index 000000000..ac4cc81c4
--- /dev/null
+++ b/etc/profile-m-z/xzgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xzgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile
new file mode 100644
index 000000000..f17c5e1f6
--- /dev/null
+++ b/etc/profile-m-z/xzless.profile
@@ -0,0 +1,11 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xzless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile
new file mode 100644
index 000000000..ef4106f66
--- /dev/null
+++ b/etc/profile-m-z/xzmore.profile
@@ -0,0 +1,12 @@
+# Firejail profile alias for cpio
+# Description: Library and command line tools for XZ and LZMA compressed files
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include xzmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
new file mode 100644
index 000000000..81cd021f7
--- /dev/null
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -0,0 +1,28 @@
+# Firejail profile for yandex-browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yandex-browser.local
+# Persistent global definitions
+include globals.local
+
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
+noblacklist ${HOME}/.cache/yandex-browser
+noblacklist ${HOME}/.cache/yandex-browser-beta
+noblacklist ${HOME}/.config/yandex-browser
+noblacklist ${HOME}/.config/yandex-browser-beta
+
+mkdir ${HOME}/.cache/yandex-browser
+mkdir ${HOME}/.cache/yandex-browser-beta
+mkdir ${HOME}/.config/yandex-browser
+mkdir ${HOME}/.config/yandex-browser-beta
+whitelist ${HOME}/.cache/yandex-browser
+whitelist ${HOME}/.cache/yandex-browser-beta
+whitelist ${HOME}/.config/yandex-browser
+whitelist ${HOME}/.config/yandex-browser-beta
+
+# Redirect
+include chromium-common.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
new file mode 100644
index 000000000..05b55d071
--- /dev/null
+++ b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,10 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
new file mode 100644
index 000000000..2a6dbe1bf
--- /dev/null
+++ b/etc/profile-m-z/yelp.profile
@@ -0,0 +1,77 @@
+# Firejail profile for yelp
+# Description: Help browser for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yelp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/yelp
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+whitelist /usr/libexec/webkit2gtk-4.0
+whitelist /usr/share/doc
+whitelist /usr/share/groff
+whitelist /usr/share/help
+whitelist /usr/share/man
+whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
+whitelist /usr/share/yelp-xsl
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support.
+#machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# nosound - add the next line to your yelp.local if you don't need sound support.
+#nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin groff,man,tbl,troff,yelp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Yelp
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+# read-only ${HOME} breaks some features:
+#  1. yelp --editor-mode
+#  2. saving the window geometry
+# add 'ignore read-only ${HOME}' to your yelp.local if you need these features.
+read-only ${HOME}
+read-write ${HOME}/.cache
+#  3. printing to PDF in ${DOCUMENTS}
+# additionally add 'noblacklist ${DOCUMENTS}' and 'whitelist ${DOCUMENTS}' to
+# your yelp.local if you need PDF printing support.
+#noblacklist ${DOCUMENTS}
+#whitelist ${DOCUMENTS}
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
new file mode 100644
index 000000000..5d6fb47c1
--- /dev/null
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -0,0 +1,56 @@
+# Firejail profile for youtube-dl-gui
+# Description: A cross platform front-end GUI of the popular youtube-dl media downloader
+include youtube-dl-gui.local
+# This file is overwritten after every install/update
+include globals.local
+
+#These are blacklisted by disable-interpreters.inc
+include allow-python2.inc
+include allow-python3.inc
+
+noblacklist ${HOME}/.config/youtube-dlg
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-dlg
+whitelist ${HOME}/.config/youtube-dlg
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
new file mode 100644
index 000000000..145e565fd
--- /dev/null
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -0,0 +1,67 @@
+# Firejail profile for youtube-dl
+# Description: Downloader of videos from YouTube and other sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-dl.local
+# Persistent global definitions
+include globals.local
+
+# breaks when installed under ${HOME} via `pip install --user` (see #2833)
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.config/youtube-dl
+noblacklist ${HOME}/.netrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin env,ffmpeg,python*,youtube-dl
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
new file mode 100644
index 000000000..b54dd37ad
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for youtube-viewer
+# Description: Trizen's CLI Youtube viewer with login support
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/youtube-viewer
+noblacklist ${HOME}/.config/youtube-viewer
+
+mkdir ${HOME}/.cache/youtube-viewer
+mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.cache/youtube-viewer
+whitelist ${HOME}/.config/youtube-viewer
+
+private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
+
+# Redirect
+include youtube-viewers-common.profile
\ No newline at end of file
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
new file mode 100644
index 000000000..a05f05c51
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for youtube-viewer clones
+# Description: common profile for Trizen's Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/youtube-dl
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
new file mode 100644
index 000000000..efb001ee6
--- /dev/null
+++ b/etc/profile-m-z/youtube.profile
@@ -0,0 +1,24 @@
+# Firejail profile for youtube
+# Description: Unofficial electron based desktop warpper for YouTube
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reported positive feedback
+ignore nou2f
+
+noblacklist ${HOME}/.config/Youtube
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/Youtube
+whitelist ${HOME}/.config/Youtube
+
+private-bin electron,electron[0-9],electron[0-9][0-9],youtube
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Youtube
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
new file mode 100644
index 000000000..ce7161a70
--- /dev/null
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -0,0 +1,21 @@
+# Firejail profile for youtubemusic-nativefier
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
+
+include disable-shell.inc
+
+mkdir ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+
+private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt youtubemusic-nativefier
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
new file mode 100644
index 000000000..1c3382a08
--- /dev/null
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -0,0 +1,19 @@
+# Firejail profile for yt-dlp
+# Description: Downloader of videos of various sites
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include yt-dlp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/yt-dlp
+noblacklist ${HOME}/.config/yt-dlp
+noblacklist ${HOME}/yt-dlp.conf
+
+private-bin yt-dlp
+private-etc yt-dlp.conf
+
+# Redirect
+include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
new file mode 100644
index 000000000..ab46fccc2
--- /dev/null
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -0,0 +1,21 @@
+# Firejail profile for ytmdesktop
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/youtube-music-desktop-app
+
+mkdir ${HOME}/.config/youtube-music-desktop-app
+whitelist ${HOME}/.config/youtube-music-desktop-app
+
+# private-bin env,ytmdesktop
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+# private-opt
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
new file mode 100644
index 000000000..1f11f133f
--- /dev/null
+++ b/etc/profile-m-z/zaproxy.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zaproxy
+# Description: Integrated penetration testing tool for finding vulnerabilities in web applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zaproxy.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ZAP
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.java
+mkdir ${HOME}/.ZAP
+whitelist ${HOME}/.java
+whitelist ${HOME}/.ZAP
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
new file mode 100644
index 000000000..f534aee8f
--- /dev/null
+++ b/etc/profile-m-z/zart.profile
@@ -0,0 +1,38 @@
+# Firejail profile for zart
+# Description: A GUI for G'MIC real-time manipulations on the output of a webcam
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zart.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix
+seccomp
+shell none
+
+private-bin ffmpeg,ffplay,ffprobe,melt,zart
+private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
new file mode 100644
index 000000000..68c9b0a93
--- /dev/null
+++ b/etc/profile-m-z/zathura.profile
@@ -0,0 +1,62 @@
+# Firejail profile for zathura
+# Description: Document viewer with a minimalistic interface
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zathura.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/zathura
+noblacklist ${HOME}/.local/share/zathura
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/zathura
+mkdir ${HOME}/.local/share/zathura
+whitelist /usr/share/doc
+whitelist /usr/share/zathura
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin zathura
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/zathura
+read-write ${HOME}/.local/share/zathura
diff --git a/etc/profile-m-z/zcat.profile b/etc/profile-m-z/zcat.profile
new file mode 100644
index 000000000..5de13ab90
--- /dev/null
+++ b/etc/profile-m-z/zcat.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zcat
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Allow running kernel config check
+ignore include disable-shell.inc
+noblacklist /proc/config.gz
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zcmp.profile b/etc/profile-m-z/zcmp.profile
new file mode 100644
index 000000000..795cdae2a
--- /dev/null
+++ b/etc/profile-m-z/zcmp.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zcmp
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zcmp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zdiff.profile b/etc/profile-m-z/zdiff.profile
new file mode 100644
index 000000000..1e75e38fe
--- /dev/null
+++ b/etc/profile-m-z/zdiff.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zdiff
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zdiff.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
new file mode 100644
index 000000000..c148e717b
--- /dev/null
+++ b/etc/profile-m-z/zeal.profile
@@ -0,0 +1,60 @@
+# Firejail profile for zeal
+# Description: Offline API documentation browser
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zeal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Zeal
+noblacklist ${HOME}/.cache/Zeal
+noblacklist ${HOME}/.local/share/Zeal
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Zeal
+mkdir ${HOME}/.config/qt5ct
+mkdir ${HOME}/.config/Zeal
+mkdir ${HOME}/.local/share/Zeal
+whitelist ${HOME}/.cache/Zeal
+whitelist ${HOME}/.config/Zeal
+whitelist ${HOME}/.local/share/Zeal
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin zeal
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-m-z/zegrep.profile b/etc/profile-m-z/zegrep.profile
new file mode 100644
index 000000000..54dc6b2a0
--- /dev/null
+++ b/etc/profile-m-z/zegrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zegrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zegrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zfgrep.profile b/etc/profile-m-z/zfgrep.profile
new file mode 100644
index 000000000..73b22f2e8
--- /dev/null
+++ b/etc/profile-m-z/zfgrep.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zfgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zfgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zforce.profile b/etc/profile-m-z/zforce.profile
new file mode 100644
index 000000000..d62e57065
--- /dev/null
+++ b/etc/profile-m-z/zforce.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zforce
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zforce.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zgrep.profile b/etc/profile-m-z/zgrep.profile
new file mode 100644
index 000000000..f63dc871f
--- /dev/null
+++ b/etc/profile-m-z/zgrep.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zgrep
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Allow running kernel config check
+ignore include disable-shell.inc
+noblacklist /proc/config.gz
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile
new file mode 100644
index 000000000..fa67b76c7
--- /dev/null
+++ b/etc/profile-m-z/zim.profile
@@ -0,0 +1,71 @@
+# Firejail profile for Zim
+# Description: Desktop wiki & notekeeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zim.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/zim
+noblacklist ${HOME}/.config/zim
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+
+mkdir ${HOME}/.cache/zim
+mkdir ${HOME}/.config/zim
+mkdir ${HOME}/Notebooks
+whitelist ${HOME}/.cache/zim
+whitelist ${HOME}/.config/zim
+whitelist ${HOME}/Notebooks
+whitelist ${DESKTOP}
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
+whitelist /usr/share/zim
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin python*,zim
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/zless.profile b/etc/profile-m-z/zless.profile
new file mode 100644
index 000000000..0a26cda1f
--- /dev/null
+++ b/etc/profile-m-z/zless.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zless
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zmore.profile b/etc/profile-m-z/zmore.profile
new file mode 100644
index 000000000..3a8f63562
--- /dev/null
+++ b/etc/profile-m-z/zmore.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zmore
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zmore.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/znew.profile b/etc/profile-m-z/znew.profile
new file mode 100644
index 000000000..a8593e58e
--- /dev/null
+++ b/etc/profile-m-z/znew.profile
@@ -0,0 +1,11 @@
+# Firejail profile for znew
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include znew.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
new file mode 100644
index 000000000..ac615d861
--- /dev/null
+++ b/etc/profile-m-z/zoom.profile
@@ -0,0 +1,35 @@
+# Firejail profile for zoom
+# Description: Video Conferencing and Web Conferencing Service
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zoom.local
+# Persistent global definitions
+include globals.local
+
+# Disabled until someone reports positive feedback.
+ignore apparmor
+ignore novideo
+ignore dbus-user none
+ignore dbus-system none
+
+# nogroups breaks webcam access on non-systemd systems (see #3711).
+# If you use such a system, add 'ignore nogroups' to your zoom.local.
+#ignore nogroups
+
+noblacklist ${HOME}/.config/zoomus.conf
+noblacklist ${HOME}/.zoom
+
+nowhitelist ${DOWNLOADS}
+
+mkdir ${HOME}/.cache/zoom
+mkfile ${HOME}/.config/zoomus.conf
+mkdir ${HOME}/.zoom
+whitelist ${HOME}/.cache/zoom
+whitelist ${HOME}/.config/zoomus.conf
+whitelist ${HOME}/.zoom
+
+# Disable for now, see https://github.com/netblue30/firejail/issues/3726
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/zpaq.profile b/etc/profile-m-z/zpaq.profile
new file mode 100644
index 000000000..80329ecfd
--- /dev/null
+++ b/etc/profile-m-z/zpaq.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zpaq
+# Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zpaq.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# mdwx breaks 'list' functionality
+ignore memory-deny-write-execute
+
+# Redirect
+include cpio.profile
diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile
new file mode 100644
index 000000000..faeb5c5c5
--- /dev/null
+++ b/etc/profile-m-z/zstd.profile
@@ -0,0 +1,11 @@
+# Firejail profile for zstd
+# Description: Zstandard - Fast real-time compression algorithm
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include zstd.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include archiver-common.profile
diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile
new file mode 100644
index 000000000..df4c493fd
--- /dev/null
+++ b/etc/profile-m-z/zstdcat.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zstdcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile
new file mode 100644
index 000000000..8a2683119
--- /dev/null
+++ b/etc/profile-m-z/zstdgrep.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zstdgrep.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile
new file mode 100644
index 000000000..e5821e4c5
--- /dev/null
+++ b/etc/profile-m-z/zstdless.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zstdless.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile
new file mode 100644
index 000000000..0a43fd556
--- /dev/null
+++ b/etc/profile-m-z/zstdmt.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for zstd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zstdmt.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include zstd.profile
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
new file mode 100644
index 000000000..604da4c8e
--- /dev/null
+++ b/etc/profile-m-z/zulip.profile
@@ -0,0 +1,48 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
deleted file mode 100644
index 72c52d967..000000000
--- a/etc/psi-plus.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for psi-plus
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/psi-plus.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/psi+
-noblacklist ${HOME}/.local/share/psi+
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/psi+
-mkdir ~/.config/psi+
-mkdir ~/.local/share/psi+
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/psi+
-whitelist ~/.config/psi+
-whitelist ~/.local/share/psi+
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
deleted file mode 100644
index aeb52b991..000000000
--- a/etc/qbittorrent.profile
+++ /dev/null
@@ -1,51 +0,0 @@
-# Firejail profile for qbittorrent
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/qbittorrent.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/qBittorrent
-noblacklist ~/.config/qBittorrent
-noblacklist ~/.config/qBittorrentrc
-noblacklist ~/.config/qt5ct
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/qBittorrent
-mkdir ~/.config/qBittorrent
-mkdir ~/.local/share/data/qBittorrent
-whitelist  ${DOWNLOADS}
-whitelist ~/.cache/qBittorrent
-whitelist ~/.config/qBittorrent
-whitelist ~/.config/qBittorrentrc
-whitelist ~/.config/qt5ct
-whitelist ~/.local/share/data/qBittorrent
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-machine-id
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-# shell none
-
-# private-bin qbittorrent
-private-dev
-# private-etc X11,fonts,xdg,resolv.conf
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
deleted file mode 100644
index 2d1df0f72..000000000
--- a/etc/qpdfview.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for qpdfview
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/qpdfview.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.config/qt5ct
-noblacklist ${HOME}/.local/share/qpdfview
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin qpdfview
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
deleted file mode 100644
index 5cbe68c90..000000000
--- a/etc/qtox.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for qtox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/qtox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/qt5ct
-noblacklist ~/.config/tox
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.config/qt5ct
-mkdir ${HOME}/.config/tox
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/qt5ct
-whitelist ${HOME}/.config/tox
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin qtox
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/quassel.profile b/etc/quassel.profile
deleted file mode 100644
index af0f723f1..000000000
--- a/etc/quassel.profile
+++ /dev/null
@@ -1,20 +0,0 @@
-# Firejail profile for quassel
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/quassel.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
deleted file mode 100644
index 7b7086bde..000000000
--- a/etc/qupzilla.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for qupzilla
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/qupzilla.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/qupzilla
-noblacklist ${HOME}/.config/qupzilla
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/qupzilla
-whitelist ~/.config/qupzilla
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
deleted file mode 100644
index 31721617f..000000000
--- a/etc/qutebrowser.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for qutebrowser
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/qutebrowser.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/qutebrowser
-noblacklist ~/.config/qutebrowser
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/qutebrowser
-mkdir ~/.config/qutebrowser
-mkdir ~/.local/share/qutebrowser
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/qutebrowser
-whitelist ~/.config/qutebrowser
-whitelist ~/.local/share/qutebrowser
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
diff --git a/etc/rambox.profile b/etc/rambox.profile
deleted file mode 100644
index 2696df86b..000000000
--- a/etc/rambox.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for rambox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/rambox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/Rambox
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/Rambox
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.config/Rambox
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-# tracelog
diff --git a/etc/ranger.profile b/etc/ranger.profile
deleted file mode 100644
index 9be19c4b1..000000000
--- a/etc/ranger.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for ranger
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/ranger.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# noblacklist /usr/bin/cpan*
-noblacklist /usr/bin/perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/share/perl*
-noblacklist ~/.config/ranger
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-
-private-dev
diff --git a/etc/remmina.profile b/etc/remmina.profile
deleted file mode 100644
index 3bb6aa0b1..000000000
--- a/etc/remmina.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for remmina
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/remmina.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/remmina
-noblacklist ${HOME}/.local/share/remmina
-noblacklist ${HOME}/.ssh
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
deleted file mode 100644
index 9401f6681..000000000
--- a/etc/rhythmbox.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for rhythmbox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/rhythmbox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-# no3d
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin rhythmbox
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
deleted file mode 100644
index 3de5de34a..000000000
--- a/etc/ristretto.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for ristretto
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/ristretto.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/ristretto
-noblacklist ~/.Steam
-noblacklist ~/.steam
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/rocketchat.profile b/etc/rocketchat.profile
deleted file mode 100644
index da92cd938..000000000
--- a/etc/rocketchat.profile
+++ /dev/null
@@ -1,14 +0,0 @@
-# Firejail profile for rocketchat
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/rocketchat.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/Rocket.Chat
-
-whitelist ${HOME}/.config/Rocket.Chat
-include /etc/firejail/whitelist-common.inc
-
-# Redirect
-include /etc/firejail/electron.profile
diff --git a/etc/scribus.profile b/etc/scribus.profile
deleted file mode 100644
index 1b2d0c0b8..000000000
--- a/etc/scribus.profile
+++ /dev/null
@@ -1,46 +0,0 @@
-# Firejail profile for scribus
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/scribus.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Support for PDF readers comes with Scribus 1.5 and higher
-noblacklist ~/.config/okularpartrc
-noblacklist ~/.config/okularrc
-noblacklist ~/.config/scribus
-noblacklist ~/.config/scribusrc
-noblacklist ~/.gimp*
-noblacklist ~/.kde/share/apps/okular
-noblacklist ~/.kde/share/config/okularpartrc
-noblacklist ~/.kde/share/config/okularrc
-noblacklist ~/.kde4/share/apps/okular
-noblacklist ~/.kde4/share/config/okularpartrc
-noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/okular
-noblacklist ~/.local/share/scribus
-noblacklist ~/.scribus
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-tracelog
-
-#private-bin scribus,gs
-private-dev
-# private-tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
deleted file mode 100644
index ce4c4d416..000000000
--- a/etc/sdat2img.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for sdat2img
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/sdat2img.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-# private-bin sdat2img,env,python,python3,python3.6
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile
deleted file mode 100644
index 1ceed99fd..000000000
--- a/etc/seamonkey-bin.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for seamonkey
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/seamonkey.profile
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
deleted file mode 100644
index 36dde66b0..000000000
--- a/etc/seamonkey.profile
+++ /dev/null
@@ -1,48 +0,0 @@
-# Firejail profile for seamonkey
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/seamonkey.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/mozilla
-noblacklist ~/.mozilla
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/mozilla
-mkdir ~/.mozilla
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.cache/mozilla
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/pipelight-silverlight5.1
-whitelist ~/.config/pipelight-widevine
-whitelist ~/.keysnail.js
-whitelist ~/.lastpass
-whitelist ~/.mozilla
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.pki
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64
-whitelist ~/.zotero
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-tracelog
-
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/server.profile b/etc/server.profile
deleted file mode 100644
index 860e0056d..000000000
--- a/etc/server.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for server
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/server.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# generic server profile
-# it allows /sbin and /usr/sbin directories - this is where servers are installed
-# depending on your usage, you can enable some of the commands below:
-
-blacklist /tmp/.X11-unix
-
-noblacklist /sbin
-noblacklist /usr/sbin
-# noblacklist /var/opt
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps
-no3d
-nodvd
-nosound
-notv
-novideo
-seccomp
-
-# netfilter /etc/firejail/webserver.net
-
-# disable-mnt
-private
-# private-bin program
-private-dev
-# private-etc none
-# private-lib
-private-tmp
-
-# memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
deleted file mode 100644
index 4e8b1da05..000000000
--- a/etc/shotcut.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for shotcut
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/shotcut.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.config/Meltytech
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix
-seccomp
-shell none
-
-#private-bin shotcut,melt,qmelt,nice
-private-dev
-
-#noexec ${HOME}
-noexec /tmp
diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile
deleted file mode 100644
index 977cfea99..000000000
--- a/etc/silentarmy.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for silentarmy
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/silentarmy.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private
-# private-bin silentarmy,sa-solver,python3
-private-dev
-private-opt none
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile
deleted file mode 100644
index edd4db861..000000000
--- a/etc/simple-scan.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for simple-scan
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/simple-scan.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/simple-scan
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-# novideo
-protocol unix,inet,inet6,netlink
-# simple-scan makes ioperm system calls, which are blacklisted by default.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-shell none
-tracelog
-
-# private-bin simple-scan
-# private-dev
-# private-etc fonts
-# private-tmp
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
deleted file mode 100644
index fda5204e2..000000000
--- a/etc/simutrans.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for simutrans
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/simutrans.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.simutrans
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.simutrans
-whitelist ~/.simutrans
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix
-seccomp
-shell none
-
-# private-bin simutrans
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
deleted file mode 100644
index 1a53cc71c..000000000
--- a/etc/skanlite.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for skanlite
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/skanlite.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-# net none
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-# novideo
-protocol unix,netlink
-# skanlite makes ioperm system calls, which are blacklisted by default.
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
-shell none
-
-# private-bin skanlite,kbuildsycoca4
-# private-dev
-# private-etc
-# private-tmp
diff --git a/etc/skype.profile b/etc/skype.profile
deleted file mode 100644
index b12f9879e..000000000
--- a/etc/skype.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for skype
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/skype.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.Skype
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-#private-bin skype,bash
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
deleted file mode 100644
index b69a208a8..000000000
--- a/etc/skypeforlinux.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for skypeforlinux
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/skypeforlinux.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/skypeforlinux
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/slack.profile b/etc/slack.profile
deleted file mode 100644
index faf875cf1..000000000
--- a/etc/slack.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for slack
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/slack.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /var
-
-noblacklist ${HOME}/.config/Slack
-noblacklist ${HOME}/Downloads
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.config
-mkdir ${HOME}/.config/Slack
-whitelist ${HOME}/.config/Slack
-whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-name slack
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-bin slack
-private-dev
-private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime
-private-tmp
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
deleted file mode 100644
index 7563ad730..000000000
--- a/etc/smplayer.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for smplayer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/smplayer.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.mplayer
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-# nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-bin smplayer,smtube,mplayer,mpv
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/snap.profile b/etc/snap.profile
deleted file mode 100644
index 38aef7c23..000000000
--- a/etc/snap.profile
+++ /dev/null
@@ -1,16 +0,0 @@
-# Firejail profile for snap
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/snap.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Generic Ubuntu snap application profile
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${DOWNLOADS}
-whitelist ~/snap
-include /etc/firejail/whitelist-common.inc
diff --git a/etc/soffice.profile b/etc/soffice.profile
deleted file mode 100644
index c702a4ece..000000000
--- a/etc/soffice.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for libreoffice
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/libreoffice.profile
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
deleted file mode 100644
index 5d7129b5a..000000000
--- a/etc/soundconverter.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for soundconverter
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/soundconverter.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/spotify.profile b/etc/spotify.profile
deleted file mode 100644
index 3506b793b..000000000
--- a/etc/spotify.profile
+++ /dev/null
@@ -1,50 +0,0 @@
-# Firejail profile for spotify
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/spotify.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist ${HOME}/.bashrc
-blacklist /lost+found
-blacklist /sbin
-blacklist /srv
-blacklist /sys
-
-noblacklist ${HOME}/.cache/spotify
-noblacklist ${HOME}/.config/spotify
-noblacklist ${HOME}/.local/share/spotify
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.cache/spotify
-mkdir ${HOME}/.config/spotify
-mkdir ${HOME}/.local/share/spotify
-whitelist ${HOME}/.cache/spotify
-whitelist ${HOME}/.config/spotify
-whitelist ${HOME}/.local/share/spotify
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-bin spotify,bash,sh,dash
-private-dev
-private-etc fonts,machine-id,pulse,resolv.conf
-private-opt spotify
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
deleted file mode 100644
index 65e8073c9..000000000
--- a/etc/sqlitebrowser.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for sqlitebrowser
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/sqlitebrowser.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/sqlitebrowser
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-bin sqlitebrowser
-private-dev
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/ssh.profile b/etc/ssh.profile
deleted file mode 100644
index 7ac0b8417..000000000
--- a/etc/ssh.profile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Firejail profile for ssh
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/ssh.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist /etc/ssh
-noblacklist /tmp/ssh-*
-noblacklist ~/.ssh
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-# noroot - see issue #1543
-nosound
-notv
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-dev
-# private-tmp # Breaks when exiting
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
-writable-run-user
-
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
deleted file mode 100644
index e12a38164..000000000
--- a/etc/start-tor-browser.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for start-tor-browser
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/start-tor-browser.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
-private-dev
-private-etc fonts
-private-tmp
-
-noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
deleted file mode 100644
index 33c082533..000000000
--- a/etc/steam.profile
+++ /dev/null
@@ -1,51 +0,0 @@
-# Firejail profile for steam
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/steam.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.java
-noblacklist ${HOME}/.killingfloor
-noblacklist ${HOME}/.local/share/3909/PapersPlease
-noblacklist ${HOME}/.local/share/aspyr-media
-noblacklist ${HOME}/.local/share/cdprojektred
-noblacklist ${HOME}/.local/share/feral-interactive
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/SuperHexagon
-noblacklist ${HOME}/.local/share/Terraria
-noblacklist ${HOME}/.local/share/vpltd
-noblacklist ${HOME}/.local/share/vulkan
-noblacklist ${HOME}/.steam
-noblacklist ${HOME}/.steampath
-noblacklist ${HOME}/.steampid
-# with >=llvm-4 mesa drivers need llvm stuff
-noblacklist /usr/lib/llvm*
-# needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
-noblacklist /sbin
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-# novideo should be commented for VR
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-# tracelog disabled as it breaks integrated browser
-# tracelog
-
-# private-dev should be commented for controllers
-private-dev
-# private-etc breaks some games
-#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
-private-tmp
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
deleted file mode 100644
index 360b9f881..000000000
--- a/etc/stellarium.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for stellarium
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/stellarium.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/stellarium
-noblacklist ~/.stellarium
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/stellarium
-mkdir ~/.stellarium
-whitelist ~/.config/stellarium
-whitelist ~/.stellarium
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-machine-id
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin stellarium
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/strings.profile b/etc/strings.profile
deleted file mode 100644
index 90bb35ecd..000000000
--- a/etc/strings.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# Firejail profile for strings
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/strings.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-# private-bin strings - breaking on Debian
-private-dev
-
-memory-deny-write-execute
-
-include /etc/firejail/default.profile
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
deleted file mode 100644
index cd6496a7b..000000000
--- a/etc/supertux2.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for supertux2
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/supertux2.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.local/share/supertux2
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.local/share/supertux2
-whitelist ~/.local/share/supertux2
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,netlink
-seccomp
-shell none
-
-# private-bin supertux2
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/surf.profile b/etc/surf.profile
deleted file mode 100644
index 251331902..000000000
--- a/etc/surf.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for surf
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/surf.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.surf
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.surf
-whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-private-bin ls,surf,sh,dash,bash,curl,dmenu,printf,sed,sleep,st,stterm,xargs,xprop
-private-dev
-private-etc passwd,group,hosts,resolv.conf,fonts,ssl
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/tar.profile b/etc/tar.profile
deleted file mode 100644
index f14894c25..000000000
--- a/etc/tar.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Firejail profile for tar
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/tar.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-hostname tar
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-# support compressed archives
-private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
-private-dev
-private-etc passwd,group,localtime
-
-include /etc/firejail/default.profile
diff --git a/etc/telegram-desktop.profile b/etc/telegram-desktop.profile
deleted file mode 100644
index df6557a90..000000000
--- a/etc/telegram-desktop.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for telegram
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/telegram.profile
diff --git a/etc/telegram.profile b/etc/telegram.profile
deleted file mode 100644
index e3ccaf1a0..000000000
--- a/etc/telegram.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Firejail profile for telegram
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/telegram.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.TelegramDesktop
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-
-disable-mnt
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
new file mode 100644
index 000000000..7628313e0
--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,227 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION OF THE PROGRAM
+# This file is overwritten after every install/update
+# --- CUT HERE ---
+# This is a generic template to help you create profiles.
+# PRs welcome at https://github.com/netblue30/firejail/.
+#
+# Rules to follow:
+#  - lines with one # are often used in profiles
+#  - lines with two ## are only needed in special situations
+#  - make the profile as restrictive as possible while still keeping the program useful
+#    (e.g. a program that is unable to save user's work is considered bad practice)
+#  - dedicate ample time (based on the complexity of the application) to profile testing before
+#    submitting a pull request
+#  - keep the sections structure, use a single empty line as separator
+#  - entries within sections are alphabetically sorted
+#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
+#    to not do this for essential utilities as this may *break* your OS! (related discussion:
+#    https://github.com/netblue30/firejail/issues/2507)
+#  - remove this comment section and any generic comment past 'Persistent global definitions'
+#
+# Sections structure
+#   HEADER
+#   COMMENTS
+#   IGNORES
+#   NOBLACKLISTS
+#   ALLOW INCLUDES
+#   BLACKLISTS
+#   DISABLE INCLUDES
+#   NOWHITELISTS
+#   MKDIRS
+#   WHITELISTS
+#   WHITELIST INCLUDES
+#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
+#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+#   DBUS FILTER
+#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
+#   REDIRECT INCLUDES
+#
+# The following macros may be used in path names to substitute common locations:
+#  ${DESKTOP}
+#  ${DOCUMENTS}
+#  ${DOWNLOADS}
+#  ${HOME} (user's home)
+#  ${PATH} (contents of PATH env var)
+#  ${MUSIC}
+#  ${RUNUSER} (/run/user/UID)
+#  ${VIDEOS}
+#
+# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
+#
+# --- CUT HERE ---
+##quiet
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+include globals.local
+
+##ignore noexec ${HOME}
+##ignore noexec /tmp
+
+# It is common practice to add files/dirs containing program-specific configuration
+# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
+# (keep list sorted) and then disable blacklisting below.
+# One way to retrieve the files a program uses is:
+#  - launch binary with --private naming a sandbox
+#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
+#  - work with the program, make some configuration changes and save them, open new documents,
+#    install plugins if they exists, etc.
+#  - join the sandbox with bash:
+#      `firejail --join=test bash`
+#  - look what has changed and use that information to populate blacklist and whitelist sections
+#      `ls -aR`
+#noblacklist PATH
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+#include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+#include allow-common-devel.inc
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+#include allow-gjs.inc
+
+# Allow java (blacklisted by disable-devel.inc)
+#include allow-java.inc
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+#include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+#include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+#include allow-python2.inc
+#include allow-python3.inc
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+##blacklist PATH
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only; supersedes Disable Wayland)
+#blacklist ${RUNUSER}
+# Remove the next blacklist if you system has no /usr/libexec dir,
+# otherwise try to add it.
+#blacklist /usr/libexec
+
+# disable-*.inc includes
+# remove disable-write-mnt.inc if you set disable-mnt
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-programs.inc
+#include disable-shell.inc
+#include disable-write-mnt.inc
+#include disable-X11.inc
+#include disable-xdg.inc
+
+# This section often mirrors noblacklist section above. The idea is
+# that if a user feels too restricted (e.g. unable to save files into
+# home directory) they may disable whitelist (nowhitelist)
+# in PROFILE.local but still be protected by BLACKLISTS section
+# (explanation at https://github.com/netblue30/firejail/issues/1569)
+#mkdir PATH
+##mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-run-common.inc
+#include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+
+##allusers
+#apparmor
+#caps.drop all
+##caps.keep CAPS
+##hostname NAME
+# CLI only
+##ipc-namespace
+# breaks audio and sometimes dbus related functions
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
+#nodvd
+#nogroups
+#noinput
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+# Remove each unneeded protocol:
+#  - unix is usually needed
+#  - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
+#  - netlink is rarely needed
+#  - packet and bluetooth almost never
+#protocol unix,inet,inet6,netlink,packet,bluetooth
+#seccomp
+##seccomp !chroot
+##seccomp.drop SYSCALLS (see syscalls.txt)
+#seccomp.block-secondary
+##seccomp-error-action log (only for debugging seccomp issues)
+#shell none
+#tracelog
+# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
+##x11 none
+
+#disable-mnt
+##private
+# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734, #2093)
+#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+#    Extra: group,magic,magic.mgc,passwd
+#  3D: bumblebee,drirc,glvnd,nvidia
+#  Audio: alsa,asound.conf,machine-id,pulse
+#  D-Bus: dbus-1,machine-id
+#  GUI: fonts,pango,X11
+#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
+#  KDE: kde4rc,kde5rc
+#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+#    Extra: gai.conf,proxychains.conf
+#  Qt: Trolltech.conf
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+##writable-etc
+##writable-run-user
+##writable-var
+##writable-var-log
+
+# Since 0.9.63 also a more granular control of dbus is supported.
+# To get the dbus-addresses an application needs access to you can
+# check with flatpak (when the application is distributed that way):
+#    flatpak remote-info --show-metadata flathub <APP-ID>
+# Notes:
+#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
+#  - Some features like native notifications are implemented as portal too.
+#  - In order to make dconf work (when used by the app) you need to allow
+#    'ca.desrt.dconf' even when not allowed by flatpak.
+# Notes and policies about addresses can be found at
+# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
+#dbus-user filter
+#dbus-user.own com.github.netblue30.firejail
+#dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
+
+##env VAR=VALUE
+##join-or-start NAME
+#memory-deny-write-execute
+##noexec PATH
+##read-only ${HOME}
+##read-write ${HOME}
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
new file mode 100644
index 000000000..0c7ba0b72
--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,44 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: keep include globals.local commented, except when redirecting to a *-common.profile
+
+# For more information, see profile.template
+
+# Ignoring option(s) from the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+
+# Additional noblacklisting (when needed)
+#noblacklist PATH
+
+# Additional allow includes (when needed)
+
+# Additional blacklisting (when needed)
+#blacklist PATH
+
+# Additional whitelisting (when needed)
+#NOTE: never use mkdir/mkfile when 'private' is set (see https://github.com/netblue30/firejail/issues/903)
+#mkdir PATH
+##mkfile PATH
+#whitelist PATH
+
+# Additional options (when needed)
+
+# Additional private-options (when needed)
+# Add programs to private-bin (when needed)
+#private-bin PROGRAMS
+# Add files to private-etc (when needed)
+#private-etc FILES
+
+# Additional special options (when needed)
+
+# Redirect
+include PROFILE.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
new file mode 100644
index 000000000..827b075e5
--- /dev/null
+++ b/etc/templates/syscalls.txt
@@ -0,0 +1,112 @@
+Hints to write own seccomp filters
+==================================
+
+
+The different seccomp commands
+------------------------------
+
+Always have a look at 'man 1 firejail'.
+
+ - seccomp
+    Blocks all syscalls in the default-group.
+     - The default-group is @default-nodebuggers, unless allow-debuggers is
+       specified, then @default is used.
+     - Listed syscalls and groups are also blocked.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.block-secondary
+    Allows only native syscalls, all syscalls for other architectures are blocked.
+ - seccomp.drop
+    Blocks all listed syscalls.
+     - Exceptions are possible by putting a ! in before the name of a syscall.
+ - seccomp.keep
+    Allows only listed syscalls.
+     To write your own seccomp.keep line, see:
+     - https://firejail.wordpress.com/documentation-2/seccomp-guide/
+     - https://github.com/netblue30/firejail/blob/master/contrib/syscalls.sh
+
+Definition of groups
+--------------------
+
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
+@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+@default-keep=execveat,execve,prctl
+@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@keyring=add_key,keyctl,request_key
+@memlock=mlock,mlock2,mlockall,munlock,munlockall
+@module=delete_module,finit_module,init_module
+@mount=chroot,mount,pivot_root,umount,umount2
+@network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
+@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot
+@resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy
+@setuid=setgid,setgid32,setgroups,setgroups32,setregid,setregid32,setresgid,setresgid32,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32
+@signal=rt_sigaction,rt_sigpending,rt_sigprocmask,rt_sigsuspend,rt_sigtimedwait,sigaction,sigaltstack,signal,signalfd,signalfd4,sigpending,sigprocmask,sigsuspend
+@swap=swapon,swapoff
+@sync=fdatasync,fsync,msync,sync,sync_file_range,sync_file_range2,syncfs
+@system-service=@aio,@basic-io,@chown,@default,@file-system,@io-event,@ipc,@keyring,@memlock,@network-io,@process,@resources,@setuid,@signal,@sync,@timer,brk,capget,capset,copy_file_range,fadvise64,fadvise64_64,flock,get_mempolicy,getcpu,getpriority,getrandom,ioctl,ioprio_get,kcmp,madvise,mprotect,mremap,name_to_handle_at,oldolduname,olduname,personality,readahead,readdir,remap_file_pages,sched_get_priority_max,sched_get_priority_min,sched_getaffinity,sched_getattr,sched_getparam,sched_getscheduler,sched_rr_get_interval,sched_yield,sendfile,sendfile64,setfsgid,setfsgid32,setfsuid,setfsuid32,setpgid,setsid,splice,sysinfo,tee,umask,uname,userfaultfd,vmsplice
+@timer=alarm,getitimer,setitimer,timer_create,timer_delete,timer_getoverrun,timer_gettime,timer_settime,timerfd_create,timerfd_gettime,timerfd_settime,times
+
+Inheritance of groups
+---------------------
+
++---------------+
+| @default-keep |
++---------------+
+
++----------------+  +---------+  +--------+  +--------------+
+| @cpu-emulation |  | @clock  |  | @chown |  | @aio         |
+| @debug         |  | @module |  +--------+  | @basic-io    |
+| @obsolete      |  | @raw-io |     :  :     | @file-system |
+| @mount         |  | @reboot |     :  :     | @io-event    |
++----------------+  | @swap   |     :  :     | @ipc         |
+   :                +---------+     :  :     | @keyring     |
+   :                  :  :          :  :     | @memlock     |
+   :    ..............:  :          :  :     | @network-io  |
+   :    :                :  ........:  :     | @process     |
+   :    :                :  :          :     | @resources   |
++----------+    +-------------+        :     | @setuid      |
+| @default |    | @privileged |        :     | @signal      |
++----------+    +-------------+        :     | @sync        |
+   :    :                              :     | @timer       |
+   :    :...........................   :     +--------------+
+   :                               :   :        :
++----------------------+        +-----------------+
+| @default-nodebuggers |        | @system-service |
++----------------------+        +-----------------+
+
+
+What to do if seccomp breaks a program
+--------------------------------------
+
+Start `journalctl --grep=SECCOMP --follow` in a terminal and run
+`firejail --seccomp-error-action=log /path/to/program` in a second terminal.
+Now switch back to the first terminal (where `journalctl` is running) and look
+for the numbers of the blocked syscall(s) (`syscall=<NUMBER>`). As soon as you
+have found them, you can stop `journalctl` (^C) and execute
+`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall.
+In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`.
+Now you can add a seccomp exception using `seccomp !NAME`.
+
+If the blocked syscall is ptrace, consider to add allow-debuggers to the profile.
+
+```
+term1$ journalctl --grep=SECCOMP --follow
+term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop
+term1$ (journalctl --grep=SECCOMP --follow)
+audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ...
+^C
+term1$ firejail --debug-syscalls | grep "^161[[:space:]]"
+161     - chroot
+```
+Profile: `seccomp -> seccomp !chroot`
diff --git a/etc/terasology.profile b/etc/terasology.profile
deleted file mode 100644
index ca580c0d0..000000000
--- a/etc/terasology.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for terasology
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/default.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-noblacklist ${HOME}/.java
-noblacklist ${HOME}/.local/share/terasology
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.java
-mkdir ${HOME}/.local/share/terasology
-whitelist ${HOME}/.java
-whitelist ${HOME}/.local/share/terasology
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-net none
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl,java-8-openjdk,java-7-openjdk
-private-tmp
-
-noexec ${HOME}
diff --git a/etc/thunar.profile b/etc/thunar.profile
deleted file mode 100644
index 1545e8c7e..000000000
--- a/etc/thunar.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for Thunar
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/Thunar.profile
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
deleted file mode 100644
index db944a2c0..000000000
--- a/etc/thunderbird.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for thunderbird
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/thunderbird.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Users have thunderbird set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
-
-noblacklist ~/.cache/thunderbird
-noblacklist ~/.gnupg
-noblacklist ~/.icedove
-noblacklist ~/.thunderbird
-
-mkdir ~/.cache/thunderbird
-mkdir ~/.gnupg
-mkdir ~/.icedove
-mkdir ~/.thunderbird
-whitelist ~/.cache/thunderbird
-whitelist ~/.gnupg
-whitelist ~/.icedove
-whitelist ~/.thunderbird
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-ignore private-tmp
-machine-id
-disable-mnt
-read-only ~/.config/mimeapps.list
-
-# allow browsers
-# Redirect
-include /etc/firejail/firefox.profile
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
deleted file mode 100644
index bf3a80139..000000000
--- a/etc/tor-browser-en.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for torbrowser-launcher
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/torbrowser-launcher.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
deleted file mode 100644
index 3b6b65bec..000000000
--- a/etc/torbrowser-launcher.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for torbrowser-launcher
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/torbrowser-launcher.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.tor-browser-en
-noblacklist ~/.config/torbrowser
-noblacklist ~/.local/share/torbrowser
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ~/.tor-browser-en
-whitelist ~/.config/torbrowser
-whitelist ~/.local/share/torbrowser
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher
-private-dev
-private-etc fonts
-private-tmp
-
-noexec /tmp
diff --git a/etc/totem.profile b/etc/totem.profile
deleted file mode 100644
index ccf292da0..000000000
--- a/etc/totem.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for totem
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/totem.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/totem
-noblacklist ~/.local/share/totem
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-
-private-bin totem
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
deleted file mode 100644
index c7446ed68..000000000
--- a/etc/transmission-cli.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for transmission-cli
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/transmission-cli.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin transmission-cli
-private-dev
-private-etc none
-private-tmp
-
-memory-deny-write-execute
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
deleted file mode 100644
index 6a8d6c679..000000000
--- a/etc/transmission-gtk.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for transmission-gtk
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/transmission-gtk.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/transmission
-mkdir ~/.config/transmission
-whitelist  ${DOWNLOADS}
-whitelist ~/.cache/transmission
-whitelist ~/.config/transmission
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin transmission-gtk
-private-dev
-private-tmp
-
-memory-deny-write-execute
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
deleted file mode 100644
index 4db8e19ce..000000000
--- a/etc/transmission-qt.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for transmission-qt
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/transmission-qt.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/transmission
-mkdir ~/.config/transmission
-whitelist  ${DOWNLOADS}
-whitelist ~/.cache/transmission
-whitelist ~/.config/transmission
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin transmission-qt
-private-dev
-private-tmp
-
-memory-deny-write-execute
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
deleted file mode 100644
index 0b09bffcb..000000000
--- a/etc/transmission-show.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for transmission-show
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/transmission-show.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin
-private-dev
-private-etc none
-private-tmp
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
deleted file mode 100644
index 30e2a619d..000000000
--- a/etc/tuxguitar.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for tuxguitar
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/tuxguitar.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.java
-noblacklist ~/.tuxguitar*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-tracelog
-
-private-dev
-private-tmp
-
-# noexec ${HOME} - tuxguitar may fail to launch
-noexec /tmp
diff --git a/etc/unbound.profile b/etc/unbound.profile
deleted file mode 100644
index d380b5698..000000000
--- a/etc/unbound.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for unbound
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/unbound.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist /sbin
-noblacklist /usr/sbin
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps
-# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
-no3d
-nodvd
-nonewprivs
-nosound
-notv
-novideo
-seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
-
-disable-mnt
-private
-private-dev
-
-# mdwe can break modules/plugins
-memory-deny-write-execute
diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile
deleted file mode 100644
index 5f70843d6..000000000
--- a/etc/unknown-horizons.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Firejail profile for unknown-horizons
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/unknown-horizons.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.unknown-horizons
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.unknown-horizons
-whitelist ~/.unknown-horizons
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,netlink,inet,inet6
-seccomp
-shell none
-
-# private-bin unknown-horizons
-private-dev
-# private-etc none
-private-tmp
diff --git a/etc/unrar.profile b/etc/unrar.profile
deleted file mode 100644
index 12559a721..000000000
--- a/etc/unrar.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Firejail profile for unrar
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/unrar.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-hostname unrar
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-private-bin unrar
-private-dev
-private-etc passwd,group,localtime
-private-tmp
-
-include /etc/firejail/default.profile
diff --git a/etc/unzip.profile b/etc/unzip.profile
deleted file mode 100644
index 9828fa9b4..000000000
--- a/etc/unzip.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# Firejail profile for unzip
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/unzip.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-hostname unzip
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-private-bin unzip
-private-dev
-private-etc passwd,group,localtime
-
-include /etc/firejail/default.profile
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
deleted file mode 100644
index b30cbaa2a..000000000
--- a/etc/uudeview.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Firejail profile for uudeview
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/uudeview.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-hostname uudeview
-ignore noroot
-net none
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-private-bin uudeview
-private-dev
-private-etc ld.so.preload
-
-include /etc/firejail/default.profile
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
deleted file mode 100644
index e7c931f30..000000000
--- a/etc/uzbl-browser.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for uzbl-browser
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/uzbl-browser.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/uzbl
-noblacklist ~/.gnupg
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/uzbl
-mkdir ~/.gnupg
-mkdir ~/.local/share/uzbl
-mkdir ~/.password-store
-whitelist ${DOWNLOADS}
-whitelist ~/.config/uzbl
-whitelist ~/.gnupg
-whitelist ~/.local/share/uzbl
-whitelist ~/.password-store
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
deleted file mode 100644
index af4a2d655..000000000
--- a/etc/viewnior.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for viewnior
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/viewnior.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist ~/.Xauthority
-blacklist ~/.bashrc
-
-noblacklist ~/.Steam
-noblacklist ~/.config/viewnior
-noblacklist ~/.steam
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin viewnior
-private-dev
-private-etc fonts
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/vim.profile b/etc/vim.profile
deleted file mode 100644
index 97ed06d96..000000000
--- a/etc/vim.profile
+++ /dev/null
@@ -1,25 +0,0 @@
-# Firejail profile for vim
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/vim.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.vim
-noblacklist ~/.viminfo
-noblacklist ~/.vimrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
deleted file mode 100644
index b01e6d144..000000000
--- a/etc/virtualbox.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for virtualbox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/virtualbox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.VirtualBox
-noblacklist ${HOME}/.config/VirtualBox
-noblacklist ${HOME}/VirtualBox VMs
-# noblacklist /usr/bin/virtualbox
-noblacklist /usr/lib/virtualbox
-noblacklist /usr/lib64/virtualbox
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.config/VirtualBox
-mkdir ~/VirtualBox VMs
-whitelist ~/.config/VirtualBox
-whitelist ~/VirtualBox VMs
-whitelist ${DOWNLOADS}
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-notv
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile
deleted file mode 100644
index d1ceb74f4..000000000
--- a/etc/vivaldi-beta.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for vivaldi
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile
deleted file mode 100644
index d1ceb74f4..000000000
--- a/etc/vivaldi-stable.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for vivaldi
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
deleted file mode 100644
index 503916b26..000000000
--- a/etc/vivaldi.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for vivaldi
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/vivaldi.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/vivaldi
-noblacklist ~/.config/vivaldi
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/vivaldi
-mkdir ~/.config/vivaldi
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/vivaldi
-whitelist ~/.config/vivaldi
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/vlc.profile b/etc/vlc.profile
deleted file mode 100644
index 4e6d37fc5..000000000
--- a/etc/vlc.profile
+++ /dev/null
@@ -1,34 +0,0 @@
-# Firejail profile for vlc
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/vlc.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/vlc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-machine-id
-netfilter
-# nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-private-dev
-private-tmp
-
-# mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/w3m.profile b/etc/w3m.profile
deleted file mode 100644
index 0d3037b26..000000000
--- a/etc/w3m.profile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Firejail profile for w3m
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/w3m.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ~/.w3m
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin w3m
-private-dev
-private-etc none
-private-tmp
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
deleted file mode 100644
index 976f7db5f..000000000
--- a/etc/warzone2100.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for warzone2100
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/warzone2100.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.warzone2100-3.*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-# mkdir ~/.warzone2100-3.1
-# mkdir ~/.warzone2100-3.2
-whitelist ~/.warzone2100-3.1
-whitelist ~/.warzone2100-3.2
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin warzone2100
-private-dev
-private-tmp
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
deleted file mode 100644
index 67995f345..000000000
--- a/etc/waterfox.profile
+++ /dev/null
@@ -1,89 +0,0 @@
-# Firejail profile for waterfox
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/waterfox.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/mozilla
-noblacklist ~/.cache/waterfox
-noblacklist ~/.config/okularpartrc
-noblacklist ~/.config/okularrc
-noblacklist ~/.config/qpdfview
-noblacklist ~/.kde/share/apps/okular
-noblacklist ~/.kde/share/config/okularpartrc
-noblacklist ~/.kde/share/config/okularrc
-noblacklist ~/.kde4/share/apps/okular
-noblacklist ~/.kde4/share/config/okularpartrc
-noblacklist ~/.kde4/share/config/okularrc
-noblacklist ~/.local/share/gnome-shell/extensions
-noblacklist ~/.local/share/okular
-noblacklist ~/.local/share/qpdfview
-noblacklist ~/.mozilla
-noblacklist ~/.waterfox
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/mozilla/firefox
-mkdir ~/.mozilla
-mkdir ~/.cache/waterfox
-mkdir ~/.waterfox
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/gnome-mplayer/plugin
-whitelist ~/.cache/mozilla/firefox
-whitelist ~/.cache/waterfox
-whitelist ~/.config/gnome-mplayer
-whitelist ~/.config/okularpartrc
-whitelist ~/.config/okularrc
-whitelist ~/.config/pipelight-silverlight5.1
-whitelist ~/.config/pipelight-widevine
-whitelist ~/.config/qpdfview
-whitelist ~/.kde/share/apps/okular
-whitelist ~/.kde/share/config/okularpartrc
-whitelist ~/.kde/share/config/okularrc
-whitelist ~/.kde4/share/apps/okular
-whitelist ~/.kde4/share/config/okularpartrc
-whitelist ~/.kde4/share/config/okularrc
-whitelist ~/.keysnail.js
-whitelist ~/.lastpass
-whitelist ~/.local/share/gnome-shell/extensions
-whitelist ~/.local/share/okular
-whitelist ~/.local/share/qpdfview
-whitelist ~/.mozilla
-whitelist ~/.waterfox
-whitelist ~/.pentadactyl
-whitelist ~/.pentadactylrc
-whitelist ~/.pki
-whitelist ~/.vimperator
-whitelist ~/.vimperatorrc
-whitelist ~/.wine-pipelight
-whitelist ~/.wine-pipelight64
-whitelist ~/.zotero
-whitelist ~/dwhelper
-include /etc/firejail/whitelist-common.inc
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,dash,bash
-private-dev
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile
deleted file mode 100644
index 0da7d45d6..000000000
--- a/etc/weechat-curses.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for weechat
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/weechat.profile
diff --git a/etc/wget.profile b/etc/wget.profile
deleted file mode 100644
index 5072cb9c5..000000000
--- a/etc/wget.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for wget
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/wget.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ~/.wgetrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-# private-bin wget
-private-dev
-# private-etc resolv.conf
-# private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
deleted file mode 100644
index 310149ecd..000000000
--- a/etc/whitelist-common.inc
+++ /dev/null
@@ -1,60 +0,0 @@
-# Local customizations come here
-include /etc/firejail/whitelist-common.local
-
-# common whitelist for all profiles
-
-whitelist ~/.XCompose
-whitelist ~/.config/mimeapps.list
-whitelist ~/.icons
-whitelist ~/.local/share/icons
-whitelist ~/.config/user-dirs.dirs
-read-only ~/.config/user-dirs.dirs
-whitelist ~/.asoundrc
-whitelist ~/.config/Trolltech.conf
-whitelist ~/.local/share/mime
-whitelist ~/.drirc
-whitelist ~/.mime.types
-whitelist ~/.local/share/applications
-read-only ~/.local/share/applications
-whitelist ~/.config/ibus
-
-# fonts
-whitelist ~/.fonts
-whitelist ~/.fonts.d
-whitelist ~/.fontconfig
-whitelist ~/.fonts.conf
-whitelist ~/.fonts.conf.d
-whitelist ~/.local/share/fonts
-whitelist ~/.config/fontconfig
-whitelist ~/.cache/fontconfig
-whitelist ~/.pangorc
-
-# gtk
-whitelist ~/.gtkrc
-whitelist ~/.gtkrc-2.0
-whitelist ~/.gtk-2.0
-whitelist ~/.config/gtk-2.0
-whitelist ~/.config/gtk-3.0
-whitelist ~/.config/gtkrc
-whitelist ~/.config/gtkrc-2.0
-whitelist ~/.themes
-whitelist ~/.local/share/themes
-whitelist ~/.kde/share/config/gtkrc
-whitelist ~/.kde/share/config/gtkrc-2.0
-whitelist ~/.kde4/share/config/gtkrc
-whitelist ~/.kde4/share/config/gtkrc-2.0
-whitelist ~/.gnome2
-whitelist ~/.gnome2-private
-
-# dconf
-mkdir ~/.config/dconf
-whitelist ~/.config/dconf
-
-# qt/kde
-whitelist ~/.config/kdeglobals
-whitelist ~/.kde/share/config/oxygenrc
-whitelist ~/.kde/share/config/kdeglobals
-whitelist ~/.kde/share/icons
-whitelist ~/.kde4/share/config/oxygenrc
-whitelist ~/.kde4/share/config/kdeglobals
-whitelist ~/.kde4/share/icons
diff --git a/etc/whitelist-var-common.inc b/etc/whitelist-var-common.inc
deleted file mode 100644
index 024995f20..000000000
--- a/etc/whitelist-var-common.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-# Local customizations come here
-include /etc/firejail/whitelist-var-common.local
-
-# common /var whitelist for all profiles
-
-whitelist /var/lib/dbus
-whitelist /var/lib/menu-xdg
-whitelist /var/cache/fontconfig
-whitelist /var/tmp
-whitelist /var/run
-whitelist /var/lock
diff --git a/etc/wine.profile b/etc/wine.profile
deleted file mode 100644
index b1bc7df78..000000000
--- a/etc/wine.profile
+++ /dev/null
@@ -1,25 +0,0 @@
-# Firejail profile for wine
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/wine.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
-noblacklist ${HOME}/.steam
-noblacklist ${HOME}/.wine
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-seccomp
diff --git a/etc/wire.profile b/etc/wire.profile
deleted file mode 100644
index af14f686f..000000000
--- a/etc/wire.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for wire
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/wire.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
-# To use wire with firejail run "firejail /opt/Wire/wire"
-
-noblacklist ~/.config/Wire
-noblacklist ~/.config/wire
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-disable-mnt
-private-dev
-private-tmp
diff --git a/etc/wireshark-gtk.profile b/etc/wireshark-gtk.profile
deleted file mode 100644
index 38599b85e..000000000
--- a/etc/wireshark-gtk.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for wireshark
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/wireshark.profile
diff --git a/etc/wireshark-qt.profile b/etc/wireshark-qt.profile
deleted file mode 100644
index 38599b85e..000000000
--- a/etc/wireshark-qt.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for wireshark
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/wireshark.profile
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
deleted file mode 100644
index f1a17ba93..000000000
--- a/etc/wireshark.profile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Firejail profile for wireshark
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/wireshark.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/wireshark
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.keep dac_override,net_admin,net_raw
-netfilter
-no3d
-# nogroups - breaks unprivileged wireshark usage
-# nonewprivs - breaks unprivileged wireshark usage
-# noroot
-nodvd
-nosound
-notv
-novideo
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks unprivileged wireshark usage
-shell none
-tracelog
-
-# private-bin wireshark
-private-dev
-# private-etc fonts,group,hosts,machine-id,passwd
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xed.profile b/etc/xed.profile
deleted file mode 100644
index bb8b0bf23..000000000
--- a/etc/xed.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for xed
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xed.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.config/xed
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none - makes settings immutable
-machine-id
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin xed
-private-dev
-# private-etc fonts
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
deleted file mode 100644
index 5a07d4b74..000000000
--- a/etc/xiphos.profile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Firejail profile for xiphos
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xiphos.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist ~/.Xauthority
-blacklist ~/.bashrc
-
-noblacklist ~/.sword
-noblacklist ~/.xiphos
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-whitelist ${HOME}/.sword
-whitelist ${HOME}/.xiphos
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin xiphos
-private-dev
-private-etc fonts,resolv.conf,sword
-private-tmp
diff --git a/etc/xmr-stak-cpu.profile b/etc/xmr-stak-cpu.profile
deleted file mode 100644
index 9cc6e0c1f..000000000
--- a/etc/xmr-stak-cpu.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for xmr-stak-cpu
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xmr-stak-cpu.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private
-private-bin xmr-stak-cpu
-private-dev
-private-etc xmr-stak-cpu.json
-private-lib
-private-opt none
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
deleted file mode 100644
index 041a063bb..000000000
--- a/etc/xonotic-sdl.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for xonotic
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
deleted file mode 100644
index 6dc62c33b..000000000
--- a/etc/xonotic.profile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Firejail profile for xonotic
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xonotic.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.xonotic
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ${HOME}/.xonotic
-whitelist ${HOME}/.xonotic
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dash,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
-private-dev
-# private-etc breaks audio on some distros
-#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
deleted file mode 100644
index f34358521..000000000
--- a/etc/xpdf.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for xpdf
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xpdf.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.xpdfrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-
-private-dev
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
deleted file mode 100644
index 5c845e977..000000000
--- a/etc/xplayer.profile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Firejail profile for xplayer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xplayer.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/xplayer
-noblacklist ~/.local/share/xplayer
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
-private-dev
-# private-etc fonts
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
deleted file mode 100644
index bebcb262f..000000000
--- a/etc/xreader.profile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Firejail profile for xreader
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xreader.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/xreader
-noblacklist ~/.config/xreader
-noblacklist ~/.local/share
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin xreader,xreader-previewer,xreader-thumbnailer
-private-dev
-# private-etc fonts,ld.so.cache
-# xreader needs access to /tmp/mozilla* to work in firefox
-# private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
deleted file mode 100644
index 53f2a0c82..000000000
--- a/etc/xviewer.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for xviewer
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/xviewer.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.Steam
-noblacklist ~/.config/xviewer
-noblacklist ~/.local/share/Trash
-noblacklist ~/.steam
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-# net none - makes settings immutable
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-private-bin xviewer
-private-dev
-private-etc fonts
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/xz.profile b/etc/xz.profile
deleted file mode 100644
index d77fc85b4..000000000
--- a/etc/xz.profile
+++ /dev/null
@@ -1,6 +0,0 @@
-# Firejail profile alias for cpio
-# This file is overwritten after every install/update
-
-
-# Redirect
-include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
deleted file mode 100644
index d5c4ac6f0..000000000
--- a/etc/xzdec.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Firejail profile for xzdec
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/xzdec.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /tmp/.X11-unix
-
-ignore noroot
-net none
-no3d
-nodvd
-nosound
-notv
-novideo
-shell none
-tracelog
-
-private-dev
-
-include /etc/firejail/default.profile
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile
deleted file mode 100644
index bfb7b9d87..000000000
--- a/etc/yandex-browser.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for yandex-browser
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/yandex-browser.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.cache/yandex-browser
-noblacklist ~/.cache/yandex-browser-beta
-noblacklist ~/.config/yandex-browser
-noblacklist ~/.config/yandex-browser-beta
-noblacklist ~/.pki
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.cache/yandex-browser
-mkdir ~/.cache/yandex-browser-beta
-mkdir ~/.config/yandex-browser
-mkdir ~/.config/yandex-browser-beta
-mkdir ~/.pki
-whitelist ${DOWNLOADS}
-whitelist ~/.cache/yandex-browser
-whitelist ~/.cache/yandex-browser-beta
-whitelist ~/.config/yandex-browser
-whitelist ~/.config/yandex-browser-beta
-whitelist ~/.pki
-include /etc/firejail/whitelist-common.inc
-
-caps.keep sys_chroot,sys_admin
-netfilter
-nodvd
-nogroups
-notv
-shell none
-
-private-dev
-# private-tmp - problems with multiple browser sessions
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
deleted file mode 100644
index d41591fd6..000000000
--- a/etc/youtube-dl.profile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Firejail profile for youtube-dl
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include /etc/firejail/youtube-dl.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ${HOME}/.netrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-include /etc/firejail/whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
deleted file mode 100644
index 6e136d0c9..000000000
--- a/etc/zart.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for zart
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/zart.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix
-seccomp
-shell none
-
-private-bin zart,ffmpeg,melt,ffprobe,ffplay
-private-dev
-
-noexec ${HOME}
-noexec /tmp
diff --git a/etc/zathura.profile b/etc/zathura.profile
deleted file mode 100644
index 0036a3521..000000000
--- a/etc/zathura.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for zathura
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/zathura.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/zathura
-noblacklist ~/.local/share/zathura
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-net none
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-protocol unix
-seccomp
-shell none
-
-private-bin zathura
-private-dev
-private-etc fonts
-private-tmp
-read-only ~/
-read-write ~/.local/share/zathura/
diff --git a/etc/zoom.profile b/etc/zoom.profile
deleted file mode 100644
index 381df9ab5..000000000
--- a/etc/zoom.profile
+++ /dev/null
@@ -1,28 +0,0 @@
-# Firejail profile for zoom
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/zoom.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-noblacklist ~/.config/zoomus.conf
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
-
-mkdir ~/.zoom
-whitelist ~/.cache/zoom
-whitelist ~/.zoom
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-
-private-tmp
diff --git a/gcov.sh b/gcov.sh
index df1fcb51b..65f06a4d4 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 gcov_init() {
         USER=`whoami`
@@ -10,11 +13,18 @@ gcov_init() {
         /usr/lib/firejail/fcopy --help > /dev/null
         /usr/lib/firejail/fldd --help > /dev/null
         firecfg --help > /dev/null
+
+        /usr/lib/firejail/fnetfilter --help > /dev/null
+        /usr/lib/firejail/fsec-print --help > /dev/null
+        /usr/lib/firejail/fsec-optimize --help > /dev/null
+        /usr/lib/firejail/faudit --help > /dev/null
+        /usr/lib/firejail/fbuilder --help > /dev/null
+
         sudo chown $USER:$USER `find .`
 }
 
 generate() {
-        lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
+        lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
         lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new  --output-file gcov-file
         rm -fr gcov-dir
         genhtml -q gcov-file --output-directory gcov-dir
@@ -25,9 +35,9 @@ generate() {
 
 
 gcov_init
-lcov -q --capture -d src/firejail -d src/firemon -d  src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file-old
+lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file-old
 
-#make test-environment
+#make test-utils
 #generate
 #sleep 2
 #exit
@@ -50,6 +60,10 @@ make test-stress
 generate
 sleep 2
 
+make test-ssh
+generate
+sleep 2
+
 make test-appimage
 generate
 sleep 2
diff --git a/install.sh b/install.sh
index a8a506096..e26cea7b0 100755
--- a/install.sh
+++ b/install.sh
@@ -1,2 +1,6 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
 echo "installing..."
diff --git a/linecnt.sh b/linecnt.sh
new file mode 100755
index 000000000..ccce2da82
--- /dev/null
+++ b/linecnt.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+gcov_init() {
+        USER=`whoami`
+        firejail --help > /dev/null
+        firemon --help > /dev/null
+        /usr/lib/firejail/fnet --help > /dev/null
+        /usr/lib/firejail/fseccomp --help > /dev/null
+        /usr/lib/firejail/ftee --help > /dev/null
+        /usr/lib/firejail/fcopy --help > /dev/null
+        /usr/lib/firejail/fldd --help > /dev/null
+        firecfg --help > /dev/null
+
+        /usr/lib/firejail/fnetfilter --help > /dev/null
+        /usr/lib/firejail/fsec-print --help > /dev/null
+        /usr/lib/firejail/fsec-optimize --help > /dev/null
+        /usr/lib/firejail/faudit --help > /dev/null
+        /usr/lib/firejail/fbuilder --help > /dev/null
+
+        sudo chown $USER:$USER `find .`
+}
+
+rm -fr gcov-dir
+gcov_init
+lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \
+        -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
+        -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file
+genhtml -q gcov-file --output-directory gcov-dir
diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4
new file mode 100644
index 000000000..dcabb92a1
--- /dev/null
+++ b/m4/ax_check_compile_flag.m4
@@ -0,0 +1,74 @@
+# ===========================================================================
+#  https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the current language's compiler
+#   or gives an error.  (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the current language's default
+#   flags (e.g. CFLAGS) when the check is done.  The check is thus made with
+#   the flags: "CFLAGS EXTRA-FLAGS FLAG".  This can for example be used to
+#   force the compiler to issue an error when a bad flag is given.
+#
+#   INPUT gives an alternative input source to AC_COMPILE_IFELSE.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 5
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+  AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_VAR_IF(CACHEVAR,yes,
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS
diff --git a/mkasc.sh b/mkasc.sh
index 3bbfc6eb5..31c3f4ffd 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -1,6 +1,9 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
-echo "Calculationg SHA256 for all files in /transfer - firejail version $1"
+echo "Calculating SHA256 for all files in /transfer - firejail version $1"
 
 cd /transfer
 sha256sum * > firejail-$1-unsigned
diff --git a/mkdeb.sh b/mkdeb.sh.in
index 68f0e12d4..e45acf8eb 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh.in
@@ -1,10 +1,30 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
 # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
 # a code archive should already be available
 
+set -e
+NAME=@PACKAGE_NAME@
+VERSION=@PACKAGE_VERSION@
+PACKAGE_TARNAME=@PACKAGE_TARNAME@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_SELINUX=@HAVE_SELINUX@
+EXTRA_VERSION=$1
+
+CONFIG_ARGS="--prefix=/usr"
+if [ -n "$HAVE_APPARMOR" ]; then
+    CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor"
+fi
+if [ -n "$HAVE_SELINUX" ]; then
+    CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
+fi
+
 TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.xz"
-CODE_DIR="$1-$2"
+CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
+CODE_DIR="$NAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
 DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
 
@@ -18,7 +38,7 @@ echo "*****************************************"
 tar -xJvf $CODE_ARCHIVE
 #mkdir -p $INSTALL_DIR
 cd $CODE_DIR
-./configure --prefix=/usr --enable-git-install
+./configure $CONFIG_ARGS
 make -j2
 mkdir debian
 DESTDIR=debian make install-strip
@@ -32,19 +52,19 @@ echo "*****************************************"
 mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-cp platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
+install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
 mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$2/g"  platform/debian/control > $DEBIAN_CTRL_DIR/control
+sed "s/FIREJAILVER/$VERSION/g"  $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
 
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-cp platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
+install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
 
-cp platform/debian/conffiles $DEBIAN_CTRL_DIR/.
+find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
+chmod 644 $DEBIAN_CTRL_DIR/conffiles
 find $INSTALL_DIR  -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
 lintian --no-tag-display-limit debian.deb
-mv debian.deb ../firejail_$2_1_amd64.deb
-echo "if building a 32bit package, rename the deb file manually"
+mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
 cd ..
 rm -fr $CODE_DIR
diff --git a/mketc.sh b/mketc.sh
index f98c5479f..0aa313b17 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -1,22 +1,17 @@
 #!/bin/sh
-rm -fr .etc
-mkdir .etc
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
-for file in etc/*.profile etc/*.inc etc/*.net;
-do
-        sed "s;/etc/firejail;$1/firejail;g" $file > .$file
-done
-
-if [ "x$2" = "xyes" ]
-then
 sed -i -e '
 1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\
 # If this is not your case you can remove --enable-busybox-workaround from\
 # ./configure options, for added security.\
+noblacklist \${PATH}/busybox\
+noblacklist \${PATH}/crontab\
 noblacklist \${PATH}/mount\
-noblacklist \${PATH}/umount\
+noblacklist \${PATH}/nc\
 noblacklist \${PATH}/su\
 noblacklist \${PATH}/sudo\
-noblacklist \${PATH}/nc\
-' .etc/disable-common.inc
-fi
+noblacklist \${PATH}/umount\
+' "$1"
diff --git a/mkman.sh b/mkman.sh
index e36475aad..8767972d1 100755
--- a/mkman.sh
+++ b/mkman.sh
@@ -1,4 +1,9 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set -e
 
 sed "s/VERSION/$1/g" $2 > $3
 MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
diff --git a/mkuid.sh b/mkuid.sh
index a59f58143..0264628cc 100755
--- a/mkuid.sh
+++ b/mkuid.sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 echo "extracting UID_MIN and GID_MIN"
 echo "#ifndef FIREJAIL_UIDS_H" > uids.h
@@ -6,15 +9,15 @@ echo "#define FIREJAIL_UIDS_H" >> uids.h
 
 if [ -r /etc/login.defs ]
 then
-        echo "// using values extracted from /etc/login.defs" >> uids.h
         UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
         GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs`
-        echo "#define UID_MIN $UID_MIN" >> uids.h
-        echo "#define GID_MIN $GID_MIN" >> uids.h
-else
-        echo "// using default values" >> uids.h
-        echo "#define UID_MIN 1000" >> uids.h
-        echo "#define GID_MIN 1000" >> uids.h
 fi
 
+# use default values if not found
+[ -z "$UID_MIN" ] && UID_MIN="1000"
+[ -z "$GID_MIN" ] && GID_MIN="1000"
+
+echo "#define UID_MIN $UID_MIN" >> uids.h
+echo "#define GID_MIN $GID_MIN" >> uids.h
+
 echo "#endif" >> uids.h
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
deleted file mode 100644
index cee008786..000000000
--- a/platform/debian/conffiles
+++ /dev/null
@@ -1,417 +0,0 @@
-/etc/firejail/0ad.profile
-/etc/firejail/2048-qt.profile
-/etc/firejail/7z.profile
-/etc/firejail/Cryptocat.profile
-/etc/firejail/Cyberfox.profile
-/etc/firejail/FossaMail.profile
-/etc/firejail/Gitter.profile
-/etc/firejail/Mathematica.profile
-/etc/firejail/Telegram.profile
-/etc/firejail/Thunar.profile
-/etc/firejail/VirtualBox.profile
-/etc/firejail/Wire.profile
-/etc/firejail/Xephyr.profile
-/etc/firejail/Xvfb.profile
-/etc/firejail/abrowser.profile
-/etc/firejail/akregator.profile
-/etc/firejail/amarok.profile
-/etc/firejail/android-studio.profile
-/etc/firejail/apktool.profile
-/etc/firejail/arduino.profile
-/etc/firejail/ark.profile
-/etc/firejail/arm.profile
-/etc/firejail/atom-beta.profile
-/etc/firejail/atom.profile
-/etc/firejail/atool.profile
-/etc/firejail/atril.profile
-/etc/firejail/audacious.profile
-/etc/firejail/audacity.profile
-/etc/firejail/aweather.profile
-/etc/firejail/baloo_file.profile
-/etc/firejail/baobab.profile
-/etc/firejail/bibletime.profile
-/etc/firejail/bitlbee.profile
-/etc/firejail/bleachbit.profile
-/etc/firejail/blender.profile
-/etc/firejail/bless.profile
-/etc/firejail/brasero.profile
-/etc/firejail/brave.profile
-/etc/firejail/caja.profile
-/etc/firejail/calibre.profile
-/etc/firejail/catfish.profile
-/etc/firejail/cherrytree.profile
-/etc/firejail/chromium-browser.profile
-/etc/firejail/chromium.profile
-/etc/firejail/claws-mail.profile
-/etc/firejail/clementine.profile
-/etc/firejail/clipit.profile
-/etc/firejail/cmus.profile
-/etc/firejail/conkeror.profile
-/etc/firejail/corebird.profile
-/etc/firejail/cpio.profile
-/etc/firejail/cryptocat.profile
-/etc/firejail/curl.profile
-/etc/firejail/cvlc.profile
-/etc/firejail/cyberfox.profile
-/etc/firejail/darktable.profile
-/etc/firejail/deadbeef.profile
-/etc/firejail/default.profile
-/etc/firejail/deluge.profile
-/etc/firejail/dex2jar.profile
-/etc/firejail/dia.profile
-/etc/firejail/digikam.profile
-/etc/firejail/dillo.profile
-/etc/firejail/dino.profile
-/etc/firejail/disable-common.inc
-/etc/firejail/disable-devel.inc
-/etc/firejail/disable-passwdmgr.inc
-/etc/firejail/disable-programs.inc
-/etc/firejail/display.profile
-/etc/firejail/dnscrypt-proxy.profile
-/etc/firejail/dnsmasq.profile
-/etc/firejail/dolphin.profile
-/etc/firejail/dosbox.profile
-/etc/firejail/dragon.profile
-/etc/firejail/dropbox.profile
-/etc/firejail/ebook-viewer.profile
-/etc/firejail/electron.profile
-/etc/firejail/elinks.profile
-/etc/firejail/emacs.profile
-/etc/firejail/empathy.profile
-/etc/firejail/enchant.profile
-/etc/firejail/engrampa.profile
-/etc/firejail/eog.profile
-/etc/firejail/eom.profile
-/etc/firejail/epiphany.profile
-/etc/firejail/etr.profile
-/etc/firejail/evince.profile
-/etc/firejail/evolution.profile
-/etc/firejail/exiftool.profile
-/etc/firejail/fbreader.profile
-/etc/firejail/feh.profile
-/etc/firejail/file-roller.profile
-/etc/firejail/file.profile
-/etc/firejail/filezilla.profile
-/etc/firejail/firefox-esr.profile
-/etc/firejail/firefox.profile
-/etc/firejail/firefox-nightly.profile
-/etc/firejail/firejail.config
-/etc/firejail/flashpeak-slimjet.profile
-/etc/firejail/flowblade.profile
-/etc/firejail/fontforge.profile
-/etc/firejail/fossamail.profile
-/etc/firejail/franz.profile
-/etc/firejail/frozen-bubble.profile
-/etc/firejail/gajim.profile
-/etc/firejail/galculator.profile
-/etc/firejail/geany.profile
-/etc/firejail/geary.profile
-/etc/firejail/gedit.profile
-/etc/firejail/geeqie.profile
-/etc/firejail/ghb.profile
-/etc/firejail/gimp-2.8.profile
-/etc/firejail/gimp.profile
-/etc/firejail/git.profile
-/etc/firejail/gitg.profile
-/etc/firejail/gitter.profile
-/etc/firejail/gjs.profile
-/etc/firejail/globaltime.profile
-/etc/firejail/gnome-2048.profile
-/etc/firejail/gnome-books.profile
-/etc/firejail/gnome-calculator.profile
-/etc/firejail/gnome-chess.profile
-/etc/firejail/gnome-clocks.profile
-/etc/firejail/gnome-contacts.profile
-/etc/firejail/gnome-documents.profile
-/etc/firejail/gnome-font-viewer.profile
-/etc/firejail/gnome-maps.profile
-/etc/firejail/gnome-mplayer.profile
-/etc/firejail/gnome-music.profile
-/etc/firejail/gnome-photos.profile
-/etc/firejail/gnome-twitch.profile
-/etc/firejail/gnome-weather.profile
-/etc/firejail/goobox.profile
-/etc/firejail/google-chrome-beta.profile
-/etc/firejail/google-chrome-stable.profile
-/etc/firejail/google-chrome-unstable.profile
-/etc/firejail/google-chrome.profile
-/etc/firejail/google-play-music-desktop-player.profile
-/etc/firejail/gpa.profile
-/etc/firejail/gpg-agent.profile
-/etc/firejail/gpg.profile
-/etc/firejail/gpicview.profile
-/etc/firejail/gpredict.profile
-/etc/firejail/gtar.profile
-/etc/firejail/gthumb.profile
-/etc/firejail/guayadeque.profile
-/etc/firejail/gucharmap.profile
-/etc/firejail/gwenview.profile
-/etc/firejail/gzip.profile
-/etc/firejail/handbrake-gtk.profile
-/etc/firejail/handbrake.profile
-/etc/firejail/hashcat.profile
-/etc/firejail/hedgewars.profile
-/etc/firejail/hexchat.profile
-/etc/firejail/highlight.profile
-/etc/firejail/hugin.profile
-/etc/firejail/icecat.profile
-/etc/firejail/icedove.profile
-/etc/firejail/iceweasel.profile
-/etc/firejail/idea.sh.profile
-/etc/firejail/img2txt.profile
-/etc/firejail/inkscape.profile
-/etc/firejail/inox.profile
-/etc/firejail/iridium-browser.profile
-/etc/firejail/iridium.profile
-/etc/firejail/jd-gui.profile
-/etc/firejail/jitsi.profile
-/etc/firejail/k3b.profile
-/etc/firejail/kate.profile
-/etc/firejail/kcalc.profile
-/etc/firejail/keepass.profile
-/etc/firejail/keepass2.profile
-/etc/firejail/keepassx.profile
-/etc/firejail/keepassx2.profile
-/etc/firejail/keepassxc.profile
-/etc/firejail/kino.profile
-/etc/firejail/kmail.profile
-/etc/firejail/knotes.profile
-/etc/firejail/kodi.profile
-/etc/firejail/konversation.profile
-/etc/firejail/ktorrent.profile
-/etc/firejail/kwrite.profile
-/etc/firejail/leafpad.profile
-/etc/firejail/less.profile
-/etc/firejail/libreoffice.profile
-/etc/firejail/liferea.profile
-/etc/firejail/localc.profile
-/etc/firejail/lodraw.profile
-/etc/firejail/loffice.profile
-/etc/firejail/lofromtemplate.profile
-/etc/firejail/login.users
-/etc/firejail/loimpress.profile
-/etc/firejail/lollypop.profile
-/etc/firejail/lomath.profile
-/etc/firejail/loweb.profile
-/etc/firejail/lowriter.profile
-/etc/firejail/luminance-hdr.profile
-/etc/firejail/lximage-qt.profile
-/etc/firejail/lxmusic.profile
-/etc/firejail/lxterminal.profile
-/etc/firejail/lynx.profile
-/etc/firejail/mate-calc.profile
-/etc/firejail/mate-calculator.profile
-/etc/firejail/mate-color-select.profile
-/etc/firejail/mate-dictionary.profile
-/etc/firejail/mathematica.profile
-/etc/firejail/mcabber.profile
-/etc/firejail/mediainfo.profile
-/etc/firejail/mediathekview.profile
-/etc/firejail/meld.profile
-/etc/firejail/midori.profile
-/etc/firejail/minetest.profile
-/etc/firejail/mousepad.profile
-/etc/firejail/mplayer.profile
-/etc/firejail/mpv.profile
-/etc/firejail/multimc5.profile
-/etc/firejail/mumble.profile
-/etc/firejail/mupdf.profile
-/etc/firejail/mupen64plus.profile
-/etc/firejail/musescore.profile
-/etc/firejail/mutt.profile
-/etc/firejail/nautilus.profile
-/etc/firejail/nemo.profile
-/etc/firejail/neverball.profile
-/etc/firejail/netsurf.profile
-/etc/firejail/nolocal.net
-/etc/firejail/nylas.profile
-/etc/firejail/obs.profile
-/etc/firejail/odt2txt.profile
-/etc/firejail/okular.profile
-/etc/firejail/open-invaders.profile
-/etc/firejail/openbox.profile
-/etc/firejail/openshot.profile
-/etc/firejail/opera-beta.profile
-/etc/firejail/opera.profile
-/etc/firejail/orage.profile
-/etc/firejail/palemoon.profile
-/etc/firejail/parole.profile
-/etc/firejail/pcmanfm.profile
-/etc/firejail/pdfsam.profile
-/etc/firejail/pdftotext.profile
-/etc/firejail/peek.profile
-/etc/firejail/picard.profile
-/etc/firejail/pidgin.profile
-/etc/firejail/pingus.profile
-/etc/firejail/pithos.profile
-/etc/firejail/pix.profile
-/etc/firejail/pluma.profile
-/etc/firejail/polari.profile
-/etc/firejail/psi-plus.profile
-/etc/firejail/qbittorrent.profile
-/etc/firejail/qemu-launcher.profile
-/etc/firejail/qemu-system-x86_64.profile
-/etc/firejail/qlipper.profile
-/etc/firejail/qpdfview.profile
-/etc/firejail/qtox.profile
-/etc/firejail/quassel.profile
-/etc/firejail/quiterss.profile
-/etc/firejail/qupzilla.profile
-/etc/firejail/qutebrowser.profile
-/etc/firejail/rambox.profile
-/etc/firejail/ranger.profile
-/etc/firejail/remmina.profile
-/etc/firejail/rhythmbox.profile
-/etc/firejail/riot-web.profile
-/etc/firejail/ristretto.profile
-/etc/firejail/rtorrent.profile
-/etc/firejail/scribus.profile
-/etc/firejail/sdat2img.profile
-/etc/firejail/seamonkey-bin.profile
-/etc/firejail/seamonkey.profile
-/etc/firejail/server.profile
-/etc/firejail/silentarmy.profile
-/etc/firejail/simple-scan.profile
-/etc/firejail/simutrans.profile
-/etc/firejail/skanlite.profile
-/etc/firejail/skype.profile
-/etc/firejail/skypeforlinux.profile
-/etc/firejail/slack.profile
-/etc/firejail/smplayer.profile
-/etc/firejail/snap.profile
-/etc/firejail/soffice.profile
-/etc/firejail/soundconverter.profile
-/etc/firejail/spotify.profile
-/etc/firejail/sqlitebrowser.profile
-/etc/firejail/ssh-agent.profile
-/etc/firejail/ssh.profile
-/etc/firejail/start-tor-browser.profile
-/etc/firejail/steam.profile
-/etc/firejail/stellarium.profile
-/etc/firejail/strings.profile
-/etc/firejail/supertux2.profile
-/etc/firejail/synfigstudio.profile
-/etc/firejail/tar.profile
-/etc/firejail/telegram-desktop.profile
-/etc/firejail/telegram.profile
-/etc/firejail/thunar.profile
-/etc/firejail/thunderbird.profile
-/etc/firejail/torbrowser-launcher.profile
-/etc/firejail/totem.profile
-/etc/firejail/tracker.profile
-/etc/firejail/transmission-cli.profile
-/etc/firejail/transmission-gtk.profile
-/etc/firejail/transmission-qt.profile
-/etc/firejail/transmission-show.profile
-/etc/firejail/truecraft.profile
-/etc/firejail/tuxguitar.profile
-/etc/firejail/uget-gtk.profile
-/etc/firejail/unbound.profile
-/etc/firejail/unknown-horizons.profile
-/etc/firejail/unrar.profile
-/etc/firejail/unzip.profile
-/etc/firejail/uudeview.profile
-/etc/firejail/uzbl-browser.profile
-/etc/firejail/viewnior.profile
-/etc/firejail/viking.profile
-/etc/firejail/vim.profile
-/etc/firejail/virtualbox.profile
-/etc/firejail/vivaldi-beta.profile
-/etc/firejail/vivaldi-stable.profile
-/etc/firejail/vivaldi.profile
-/etc/firejail/vlc.profile
-/etc/firejail/vym.profile
-/etc/firejail/w3m.profile
-/etc/firejail/warzone2100.profile
-/etc/firejail/waterfox.profile
-/etc/firejail/webserver.net
-/etc/firejail/weechat-curses.profile
-/etc/firejail/weechat.profile
-/etc/firejail/wesnoth.profile
-/etc/firejail/wget.profile
-/etc/firejail/whitelist-common.inc
-/etc/firejail/wine.profile
-/etc/firejail/wire.profile
-/etc/firejail/wireshark-gtk.profile
-/etc/firejail/wireshark-qt.profile
-/etc/firejail/wireshark.profile
-/etc/firejail/xchat.profile
-/etc/firejail/xed.profile
-/etc/firejail/xfburn.profile
-/etc/firejail/xfce4-dict.profile
-/etc/firejail/xfce4-notes.profile
-/etc/firejail/xiphos.profile
-/etc/firejail/xmms.profile
-/etc/firejail/xonotic-glx.profile
-/etc/firejail/xonotic-sdl.profile
-/etc/firejail/xonotic.profile
-/etc/firejail/xpdf.profile
-/etc/firejail/xplayer.profile
-/etc/firejail/xpra.profile
-/etc/firejail/xreader.profile
-/etc/firejail/xviewer.profile
-/etc/firejail/xz.profile
-/etc/firejail/xzdec.profile
-/etc/firejail/youtube-dl.profile
-/etc/firejail/zathura.profile
-/etc/firejail/zoom.profile
-/etc/firejail/yandex-browser.profile
-/etc/firejail/itch.profile
-/etc/firejail/whitelist-var-common.inc
-/etc/firejail/ffmpeg.profile
-/etc/firejail/Natron.profile
-/etc/firejail/Viber.profile
-/etc/firejail/amule.profile
-/etc/firejail/arch-audit.profile
-/etc/firejail/ardour4.profile
-/etc/firejail/ardour5.profile
-/etc/firejail/bluefish.profile
-/etc/firejail/brackets.profile
-/etc/firejail/calligra.profile
-/etc/firejail/calligraauthor.profile
-/etc/firejail/calligraconverter.profile
-/etc/firejail/calligraflow.profile
-/etc/firejail/calligraplan.profile
-/etc/firejail/calligraplanwork.profile
-/etc/firejail/calligrasheets.profile
-/etc/firejail/cin.profile
-/etc/firejail/calligrastage.profile
-/etc/firejail/calligrawords.profile
-/etc/firejail/cinelerra.profile
-/etc/firejail/clamav.profile
-/etc/firejail/clamdscan.profile
-/etc/firejail/clamdtop.profile
-/etc/firejail/clamscan.profile
-/etc/firejail/cliqz.profile
-/etc/firejail/conky.profile
-/etc/firejail/dooble-qt4.profile
-/etc/firejail/dooble.profile
-/etc/firejail/fetchmail.profile
-/etc/firejail/freecad.profile
-/etc/firejail/freecadcmd.profile
-/etc/firejail/freshclam.profile
-/etc/firejail/google-earth.profile
-/etc/firejail/imagej.profile
-/etc/firejail/karbon.profile
-/etc/firejail/kdenlive.profile
-/etc/firejail/krita.profile
-/etc/firejail/linphone.profile
-/etc/firejail/lmms.profile
-/etc/firejail/macrofusion.profile
-/etc/firejail/mpd.profile
-/etc/firejail/natron.profile
-/etc/firejail/openshot-qt.profile
-/etc/firejail/pinta.profile
-/etc/firejail/ricochet.profile
-/etc/firejail/rocketchat.profile
-/etc/firejail/shotcut.profile
-/etc/firejail/smtube.profile
-/etc/firejail/surf.profile
-/etc/firejail/teamspeak3.profile
-/etc/firejail/terasology.profile
-/etc/firejail/tor-browser-en.profile
-/etc/firejail/tor.profile
-/etc/firejail/uefitool.profile
-/etc/firejail/x-terminal-emulator.profile
-/etc/firejail/xmr-stak-cpu.profile
-/etc/firejail/zart.profile
diff --git a/platform/debian/control b/platform/debian/control.amd64
index 4161cbfb2..f666200d5 100644
--- a/platform/debian/control
+++ b/platform/debian/control.amd64
@@ -1,13 +1,13 @@
 Package: firejail
 Version: FIREJAILVER-1
 Architecture: amd64
-Maintainer: netblue30 <netblue30@yahoo.com>
+Maintainer: netblue30 <netblue30@protonmail.com>
 Installed-Size: 2024
 Depends: libc6
 Suggests: python, python3
 Section: admin
-Priority: extra
-Homepage: http://github.com/netblue30/firejail
+Priority: optional
+Homepage: https://github.com/netblue30/firejail
 Description: Linux namepaces sandbox program.
  Firejail  is  a  SUID sandbox program that reduces the risk of security
  breaches by restricting the running environment of untrusted applications
diff --git a/platform/debian/control.i386 b/platform/debian/control.i386
new file mode 100644
index 000000000..ab9e0fc52
--- /dev/null
+++ b/platform/debian/control.i386
@@ -0,0 +1,20 @@
+Package: firejail
+Version: FIREJAILVER-1
+Architecture: i386
+Maintainer: netblue30 <netblue30@protonmail.com>
+Installed-Size: 2024
+Depends: libc6
+Suggests: python, python3
+Section: admin
+Priority: optional
+Homepage: https://github.com/netblue30/firejail
+Description: Linux namepaces sandbox program.
+ Firejail  is  a  SUID sandbox program that reduces the risk of security
+ breaches by restricting the running environment of untrusted applications
+ using Linux namespaces and seccmp-bpf. It includes sandbox profiles for
+ Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission
+ and VLC.
+ .
+ Firejail also expands the restricted shell facility found in bash by
+ adding Linux namespace support. It also supports sandboxing SSH users
+ upon login.
diff --git a/platform/debian/copyright b/platform/debian/copyright
index 83952080f..d4bdb1283 100644
--- a/platform/debian/copyright
+++ b/platform/debian/copyright
@@ -7,7 +7,7 @@ This is the Debian/Ubuntu prepackaged version of firejail.
     and networking stack isolation, and it runs on any recent Linux system. It
     includes a sandbox profile for Mozilla Firefox.
 
-    Copyright (C) 2014-2017 Firejail Authors (see README file for more details)
+    Copyright (C) 2014-2021 Firejail Authors (see README file for more details)
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -26,4 +26,4 @@ This is the Debian/Ubuntu prepackaged version of firejail.
 The complete text of the GNU General Public License can be found
 in /usr/share/common-licenses/GPL-2.
 
-Homepage: http://github.com/netblue30/firejail.
+Homepage: https://github.com/netblue30/firejail.
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index 382f85bb2..86cd6006e 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -1,17 +1,17 @@
 Name: __NAME__
 Version: __VERSION__
 Release: 1
-Summary: Linux namepaces sandbox program
+Summary: Linux namespaces sandbox program
 
 License: GPLv2+
 Group: Development/Tools
 Source0: https://github.com/netblue30/firejail/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-URL: http://github.com/netblue30/firejail
+URL: https://github.com/netblue30/firejail
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 
 %description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
+Firejail is a SUID sandbox program that reduces the risk of security
 breaches by restricting the running environment of untrusted applications
 using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
 
@@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
 %setup -q
 
 %build
-%configure --disable-userns
+%configure __CONFIG_OPT__
 make %{?_smp_mflags}
 
 %install
@@ -35,19 +35,18 @@ rm -rf %{buildroot}
 %attr(4755, -, -) %{_bindir}/__NAME__
 %{_bindir}/firecfg
 %{_bindir}/firemon
-%{_libdir}/__NAME__/firecfg.config
-%{_libdir}/__NAME__/ftee
-%{_libdir}/__NAME__/faudit
-%{_libdir}/__NAME__/fshaper.sh
-%{_libdir}/__NAME__/libtrace.so
-%{_libdir}/__NAME__/libtracelog.so
+%{_bindir}/jailcheck
+%{_libdir}/__NAME__
 %{_datarootdir}/bash-completion/completions/__NAME__
 %{_datarootdir}/bash-completion/completions/firecfg
 %{_datarootdir}/bash-completion/completions/firemon
+%{_datarootdir}/zsh/site-functions/_firejail
 %{_docdir}/__NAME__
 %{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man1/jailcheck.1.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
-%config %{_sysconfdir}/__NAME__
+%{_mandir}/man5/__NAME__-users.5.gz
+%config(noreplace) %{_sysconfdir}/__NAME__
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index b63340e43..b8470dd71 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
-# Usage: ./platform/rpm/mkrpm.sh firejail <version>
+# Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
 #
 # Builds rpms in a temporary directory then places the result in the
 # current working directory.
@@ -8,6 +11,7 @@
 name=$1
 # Strip any trailing prefix from the version like -rc1 etc
 version=$(echo "$2" | sed 's/\-.*//g')
+config_opt=$3
 
 if [[ ! -f platform/rpm/${name}.spec ]]; then
     echo error: spec file not found for name \"${name}\"
@@ -19,6 +23,10 @@ if [[ -z "${version}" ]]; then
     exit 1
 fi
 
+if [[ -z "${config_opt}" ]]; then
+    config_opt="--disable-userns --disable-contrib-install"
+fi
+
 # Make a temporary directory and arrange to clean up on exit
 tmpdir=$(mktemp -d)
 mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
@@ -29,11 +37,14 @@ trap cleanup EXIT
 
 # Create the spec file
 tmp_spec_file=${tmpdir}/SPECS/${name}.spec
-sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
+sed -e "s/__NAME__/${name}/g" \
+    -e "s/__VERSION__/${version}/g" \
+    -e "s/__CONFIG_OPT__/${config_opt}/g" \
+    platform/rpm/${name}.spec >${tmp_spec_file}
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
-tar czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . --transform "s/^./${name}-${version}/" --exclude='./.git*' --exclude='./test*'
+tar --exclude='./.git*' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
 
 # Build the files (rpm, debug rpm and source rpm)
 rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
deleted file mode 100755
index 13049f736..000000000
--- a/platform/rpm/old-mkrpm.sh
+++ /dev/null
@@ -1,667 +0,0 @@
-#!/bin/bash
-VERSION="0.9.51"
-rm -fr ~/rpmbuild
-rm -f firejail-$VERSION-1.x86_64.rpm
-
-mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
-cat <<EOF >~/.rpmmacros
-%_topdir   %(echo $HOME)/rpmbuild
-%_tmppath  %{_topdir}/tmp
-EOF
-
-cd ~/rpmbuild
-echo "building directory tree"
-
-mkdir -p firejail-$VERSION/usr/bin
-install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
-install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
-install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/.
-
-mkdir -p  firejail-$VERSION/usr/lib/firejail
-install -m 755 /usr/lib/firejail/faudit  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fcopy  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fgit-install.sh  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fgit-uninstall.sh  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/firecfg.config  firejail-$VERSION/usr/lib/firejail/.
-# Python 3  is not available on CentOS
-#install -m 755 /usr/lib/firejail/fix_private-bin.py  firejail-$VERSION/usr/lib/firejail/.
-#install -m 755 /usr/lib/firejail/fjclip.py  firejail-$VERSION/usr/lib/firejail/.
-#install -m 755 /usr/lib/firejail/fjdisplay.py  firejail-$VERSION/usr/lib/firejail/.
-#install -m 755 /usr/lib/firejail/fjresize.py  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fldd  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fnet  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fseccomp  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
-install -m 755 /usr/lib/firejail/fbuilder  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/libpostexecseccomp.so  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.64  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.debug  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.32  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.block_secondary  firejail-$VERSION/usr/lib/firejail/.
-install -m 644 /usr/lib/firejail/seccomp.mdwx  firejail-$VERSION/usr/lib/firejail/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man1
-install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
-install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
-install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/.
-
-mkdir -p firejail-$VERSION/usr/share/man/man5
-install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
-install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
-
-mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
-install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
-install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
-
-mkdir -p firejail-$VERSION/etc/firejail
-install -m 644 /etc/firejail/* firejail-$VERSION/etc/firejail/.
-
-mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
-install -m 644 /usr/share/bash-completion/completions/firejail  firejail-$VERSION/usr/share/bash-completion/completions/.
-install -m 644 /usr/share/bash-completion/completions/firemon  firejail-$VERSION/usr/share/bash-completion/completions/.
-install -m 644 /usr/share/bash-completion/completions/firecfg  firejail-$VERSION/usr/share/bash-completion/completions/.
-
-echo "building tar.gz archive"
-tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
-
-cp firejail-$VERSION.tar.gz SOURCES/.
-
-echo "building config spec"
-cat <<EOF > SPECS/firejail.spec
-%define        __spec_install_post %{nil}
-%define          debug_package %{nil}
-%define        __os_install_post %{_dbpath}/brp-compress
-
-Summary: Linux namepaces sandbox program
-Name: firejail
-Version: $VERSION
-Release: 1
-License: GPL+
-Group: Development/Tools
-SOURCE0 : %{name}-%{version}.tar.gz
-URL: http://firejail.wordpress.com
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of untrusted applications
-using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
-
-%prep
-%setup -q
-
-%build
-
-%install
-rm -rf %{buildroot}
-mkdir -p  %{buildroot}
-
-cp -a * %{buildroot}
-
-
-%clean
-rm -rf %{buildroot}
-
-%files
-%defattr(-,root,root,-)
-%{_sysconfdir}/%{name}/0ad.profile
-%{_sysconfdir}/%{name}/abrowser.profile
-%{_sysconfdir}/%{name}/atom-beta.profile
-%{_sysconfdir}/%{name}/atom.profile
-%{_sysconfdir}/%{name}/atril.profile
-%{_sysconfdir}/%{name}/audacious.profile
-%{_sysconfdir}/%{name}/audacity.profile
-%{_sysconfdir}/%{name}/aweather.profile
-%{_sysconfdir}/%{name}/bitlbee.profile
-%{_sysconfdir}/%{name}/brave.profile
-%{_sysconfdir}/%{name}/cherrytree.profile
-%{_sysconfdir}/%{name}/chromium-browser.profile
-%{_sysconfdir}/%{name}/chromium.profile
-%{_sysconfdir}/%{name}/clementine.profile
-%{_sysconfdir}/%{name}/cmus.profile
-%{_sysconfdir}/%{name}/conkeror.profile
-%{_sysconfdir}/%{name}/corebird.profile
-%{_sysconfdir}/%{name}/cpio.profile
-%{_sysconfdir}/%{name}/cyberfox.profile
-%{_sysconfdir}/%{name}/Cyberfox.profile
-%{_sysconfdir}/%{name}/deadbeef.profile
-%{_sysconfdir}/%{name}/default.profile
-%{_sysconfdir}/%{name}/deluge.profile
-%{_sysconfdir}/%{name}/dillo.profile
-%{_sysconfdir}/%{name}/disable-common.inc
-%{_sysconfdir}/%{name}/disable-devel.inc
-%{_sysconfdir}/%{name}/disable-passwdmgr.inc
-%{_sysconfdir}/%{name}/disable-programs.inc
-%{_sysconfdir}/%{name}/dnscrypt-proxy.profile
-%{_sysconfdir}/%{name}/dnsmasq.profile
-%{_sysconfdir}/%{name}/dosbox.profile
-%{_sysconfdir}/%{name}/dropbox.profile
-%{_sysconfdir}/%{name}/empathy.profile
-%{_sysconfdir}/%{name}/eom.profile
-%{_sysconfdir}/%{name}/epiphany.profile
-%{_sysconfdir}/%{name}/evince.profile
-%{_sysconfdir}/%{name}/fbreader.profile
-%{_sysconfdir}/%{name}/file.profile
-%{_sysconfdir}/%{name}/filezilla.profile
-%{_sysconfdir}/%{name}/firefox-esr.profile
-%{_sysconfdir}/%{name}/firefox.profile
-%config(noreplace) %{_sysconfdir}/%{name}/firejail.config
-%{_sysconfdir}/%{name}/flashpeak-slimjet.profile
-%{_sysconfdir}/%{name}/franz.profile
-%{_sysconfdir}/%{name}/gajim.profile
-%{_sysconfdir}/%{name}/gitter.profile
-%{_sysconfdir}/%{name}/gnome-chess.profile
-%{_sysconfdir}/%{name}/gnome-mplayer.profile
-%{_sysconfdir}/%{name}/google-chrome-beta.profile
-%{_sysconfdir}/%{name}/google-chrome.profile
-%{_sysconfdir}/%{name}/google-chrome-stable.profile
-%{_sysconfdir}/%{name}/google-chrome-unstable.profile
-%{_sysconfdir}/%{name}/google-play-music-desktop-player.profile
-%{_sysconfdir}/%{name}/gpredict.profile
-%{_sysconfdir}/%{name}/gtar.profile
-%{_sysconfdir}/%{name}/gthumb.profile
-%{_sysconfdir}/%{name}/gwenview.profile
-%{_sysconfdir}/%{name}/gzip.profile
-%{_sysconfdir}/%{name}/hedgewars.profile
-%{_sysconfdir}/%{name}/hexchat.profile
-%{_sysconfdir}/%{name}/icecat.profile
-%{_sysconfdir}/%{name}/icedove.profile
-%{_sysconfdir}/%{name}/iceweasel.profile
-%{_sysconfdir}/%{name}/inox.profile
-%{_sysconfdir}/%{name}/jitsi.profile
-%{_sysconfdir}/%{name}/kmail.profile
-%{_sysconfdir}/%{name}/konversation.profile
-%{_sysconfdir}/%{name}/less.profile
-%{_sysconfdir}/%{name}/libreoffice.profile
-%{_sysconfdir}/%{name}/localc.profile
-%{_sysconfdir}/%{name}/lodraw.profile
-%{_sysconfdir}/%{name}/loffice.profile
-%{_sysconfdir}/%{name}/lofromtemplate.profile
-%config(noreplace) %{_sysconfdir}/%{name}/login.users
-%{_sysconfdir}/%{name}/loimpress.profile
-%{_sysconfdir}/%{name}/lomath.profile
-%{_sysconfdir}/%{name}/loweb.profile
-%{_sysconfdir}/%{name}/lowriter.profile
-%{_sysconfdir}/%{name}/lxterminal.profile
-%{_sysconfdir}/%{name}/mathematica.profile
-%{_sysconfdir}/%{name}/Mathematica.profile
-%{_sysconfdir}/%{name}/mcabber.profile
-%{_sysconfdir}/%{name}/midori.profile
-%{_sysconfdir}/%{name}/mpv.profile
-%{_sysconfdir}/%{name}/mupen64plus.profile
-%{_sysconfdir}/%{name}/netsurf.profile
-%{_sysconfdir}/%{name}/nolocal.net
-%{_sysconfdir}/%{name}/okular.profile
-%{_sysconfdir}/%{name}/openbox.profile
-%{_sysconfdir}/%{name}/opera-beta.profile
-%{_sysconfdir}/%{name}/opera.profile
-%{_sysconfdir}/%{name}/palemoon.profile
-%{_sysconfdir}/%{name}/parole.profile
-%{_sysconfdir}/%{name}/pidgin.profile
-%{_sysconfdir}/%{name}/pix.profile
-%{_sysconfdir}/%{name}/polari.profile
-%{_sysconfdir}/%{name}/psi-plus.profile
-%{_sysconfdir}/%{name}/qbittorrent.profile
-%{_sysconfdir}/%{name}/qtox.profile
-%{_sysconfdir}/%{name}/quassel.profile
-%{_sysconfdir}/%{name}/quiterss.profile
-%{_sysconfdir}/%{name}/qutebrowser.profile
-%{_sysconfdir}/%{name}/rhythmbox.profile
-%{_sysconfdir}/%{name}/rtorrent.profile
-%{_sysconfdir}/%{name}/seamonkey-bin.profile
-%{_sysconfdir}/%{name}/seamonkey.profile
-%{_sysconfdir}/%{name}/server.profile
-%{_sysconfdir}/%{name}/skypeforlinux.profile
-%{_sysconfdir}/%{name}/skype.profile
-%{_sysconfdir}/%{name}/slack.profile
-%{_sysconfdir}/%{name}/snap.profile
-%{_sysconfdir}/%{name}/soffice.profile
-%{_sysconfdir}/%{name}/spotify.profile
-%{_sysconfdir}/%{name}/ssh.profile
-%{_sysconfdir}/%{name}/steam.profile
-%{_sysconfdir}/%{name}/stellarium.profile
-%{_sysconfdir}/%{name}/strings.profile
-%{_sysconfdir}/%{name}/tar.profile
-%{_sysconfdir}/%{name}/telegram.profile
-%{_sysconfdir}/%{name}/Telegram.profile
-%{_sysconfdir}/%{name}/thunderbird.profile
-%{_sysconfdir}/%{name}/totem.profile
-%{_sysconfdir}/%{name}/transmission-gtk.profile
-%{_sysconfdir}/%{name}/transmission-qt.profile
-%{_sysconfdir}/%{name}/uget-gtk.profile
-%{_sysconfdir}/%{name}/unbound.profile
-%{_sysconfdir}/%{name}/unrar.profile
-%{_sysconfdir}/%{name}/unzip.profile
-%{_sysconfdir}/%{name}/uudeview.profile
-%{_sysconfdir}/%{name}/vivaldi-beta.profile
-%{_sysconfdir}/%{name}/vivaldi.profile
-%{_sysconfdir}/%{name}/vlc.profile
-%{_sysconfdir}/%{name}/warzone2100.profile
-%{_sysconfdir}/%{name}/webserver.net
-%{_sysconfdir}/%{name}/weechat-curses.profile
-%{_sysconfdir}/%{name}/weechat.profile
-%{_sysconfdir}/%{name}/wesnoth.profile
-%{_sysconfdir}/%{name}/whitelist-common.inc
-%{_sysconfdir}/%{name}/wine.profile
-%{_sysconfdir}/%{name}/xchat.profile
-%{_sysconfdir}/%{name}/xplayer.profile
-%{_sysconfdir}/%{name}/xreader.profile
-%{_sysconfdir}/%{name}/xviewer.profile
-%{_sysconfdir}/%{name}/xzdec.profile
-%{_sysconfdir}/%{name}/xz.profile
-%{_sysconfdir}/%{name}/zathura.profile
-%{_sysconfdir}/%{name}/7z.profile
-%{_sysconfdir}/%{name}/keepass.profile
-%{_sysconfdir}/%{name}/keepassx.profile
-%{_sysconfdir}/%{name}/claws-mail.profile
-%{_sysconfdir}/%{name}/mutt.profile
-%{_sysconfdir}/%{name}/git.profile
-%{_sysconfdir}/%{name}/emacs.profile
-%{_sysconfdir}/%{name}/vim.profile
-%{_sysconfdir}/%{name}/xpdf.profile
-%{_sysconfdir}/%{name}/virtualbox.profile
-%{_sysconfdir}/%{name}/openshot.profile
-%{_sysconfdir}/%{name}/flowblade.profile
-%{_sysconfdir}/%{name}/eog.profile
-%{_sysconfdir}/%{name}/evolution.profile
-%{_sysconfdir}/%{name}/feh.profile
-%{_sysconfdir}/%{name}/inkscape.profile
-%{_sysconfdir}/%{name}/gimp.profile
-%{_sysconfdir}/%{name}/luminance-hdr.profile
-%{_sysconfdir}/%{name}/mupdf.profile
-%{_sysconfdir}/%{name}/qpdfview.profile
-%{_sysconfdir}/%{name}/ranger.profile
-%{_sysconfdir}/%{name}/synfigstudio.profile
-# 0.9.45
-%{_sysconfdir}/%{name}/Cryptocat.profile
-%{_sysconfdir}/%{name}/FossaMail.profile
-%{_sysconfdir}/%{name}/Thunar.profile
-%{_sysconfdir}/%{name}/VirtualBox.profile
-%{_sysconfdir}/%{name}/Wire.profile
-%{_sysconfdir}/%{name}/amarok.profile
-%{_sysconfdir}/%{name}/ark.profile
-%{_sysconfdir}/%{name}/atool.profile
-%{_sysconfdir}/%{name}/bleachbit.profile
-%{_sysconfdir}/%{name}/bless.profile
-%{_sysconfdir}/%{name}/brasero.profile
-%{_sysconfdir}/%{name}/cryptocat.profile
-%{_sysconfdir}/%{name}/cvlc.profile
-%{_sysconfdir}/%{name}/display.profile
-%{_sysconfdir}/%{name}/dolphin.profile
-%{_sysconfdir}/%{name}/dragon.profile
-%{_sysconfdir}/%{name}/elinks.profile
-%{_sysconfdir}/%{name}/enchant.profile
-%{_sysconfdir}/%{name}/engrampa.profile
-%{_sysconfdir}/%{name}/exiftool.profile
-%{_sysconfdir}/%{name}/file-roller.profile
-%{_sysconfdir}/%{name}/fossamail.profile
-%{_sysconfdir}/%{name}/gedit.profile
-%{_sysconfdir}/%{name}/geeqie.profile
-%{_sysconfdir}/%{name}/gjs.profile
-%{_sysconfdir}/%{name}/gnome-2048.profile
-%{_sysconfdir}/%{name}/gnome-books.profile
-%{_sysconfdir}/%{name}/gnome-calculator.profile
-%{_sysconfdir}/%{name}/gnome-clocks.profile
-%{_sysconfdir}/%{name}/gnome-contacts.profile
-%{_sysconfdir}/%{name}/gnome-documents.profile
-%{_sysconfdir}/%{name}/gnome-maps.profile
-%{_sysconfdir}/%{name}/gnome-music.profile
-%{_sysconfdir}/%{name}/gnome-photos.profile
-%{_sysconfdir}/%{name}/gnome-weather.profile
-%{_sysconfdir}/%{name}/goobox.profile
-%{_sysconfdir}/%{name}/gpa.profile
-%{_sysconfdir}/%{name}/gpg-agent.profile
-%{_sysconfdir}/%{name}/gpg.profile
-%{_sysconfdir}/%{name}/gpicview.profile
-%{_sysconfdir}/%{name}/guayadeque.profile
-%{_sysconfdir}/%{name}/highlight.profile
-%{_sysconfdir}/%{name}/img2txt.profile
-%{_sysconfdir}/%{name}/iridium-browser.profile
-%{_sysconfdir}/%{name}/iridium.profile
-%{_sysconfdir}/%{name}/jd-gui.profile
-%{_sysconfdir}/%{name}/k3b.profile
-%{_sysconfdir}/%{name}/kate.profile
-%{_sysconfdir}/%{name}/keepass2.profile
-%{_sysconfdir}/%{name}/keepassx2.profile
-%{_sysconfdir}/%{name}/keepassxc.profile
-%{_sysconfdir}/%{name}/kino.profile
-%{_sysconfdir}/%{name}/lollypop.profile
-%{_sysconfdir}/%{name}/lynx.profile
-%{_sysconfdir}/%{name}/mediainfo.profile
-%{_sysconfdir}/%{name}/mediathekview.profile
-%{_sysconfdir}/%{name}/mousepad.profile
-%{_sysconfdir}/%{name}/multimc5.profile
-%{_sysconfdir}/%{name}/mumble.profile
-%{_sysconfdir}/%{name}/nautilus.profile
-%{_sysconfdir}/%{name}/odt2txt.profile
-%{_sysconfdir}/%{name}/pdfsam.profile
-%{_sysconfdir}/%{name}/pdftotext.profile
-%{_sysconfdir}/%{name}/pithos.profile
-%{_sysconfdir}/%{name}/pluma.profile
-%{_sysconfdir}/%{name}/qemu-launcher.profile
-%{_sysconfdir}/%{name}/qemu-system-x86_64.profile
-%{_sysconfdir}/%{name}/qupzilla.profile
-%{_sysconfdir}/%{name}/scribus.profile
-%{_sysconfdir}/%{name}/simple-scan.profile
-%{_sysconfdir}/%{name}/skanlite.profile
-%{_sysconfdir}/%{name}/ssh-agent.profile
-%{_sysconfdir}/%{name}/start-tor-browser.profile
-%{_sysconfdir}/%{name}/thunar.profile
-%{_sysconfdir}/%{name}/tracker.profile
-%{_sysconfdir}/%{name}/transmission-cli.profile
-%{_sysconfdir}/%{name}/transmission-show.profile
-%{_sysconfdir}/%{name}/uzbl-browser.profile
-%{_sysconfdir}/%{name}/vivaldi-stable.profile
-%{_sysconfdir}/%{name}/w3m.profile
-%{_sysconfdir}/%{name}/wget.profile
-%{_sysconfdir}/%{name}/wire.profile
-%{_sysconfdir}/%{name}/wireshark.profile
-%{_sysconfdir}/%{name}/xed.profile
-%{_sysconfdir}/%{name}/xfburn.profile
-%{_sysconfdir}/%{name}/xiphos.profile
-%{_sysconfdir}/%{name}/xmms.profile
-%{_sysconfdir}/%{name}/xonotic-glx.profile
-%{_sysconfdir}/%{name}/xonotic-sdl.profile
-%{_sysconfdir}/%{name}/xonotic.profile
-%{_sysconfdir}/%{name}/xpra.profile
-%{_sysconfdir}/%{name}/zoom.profile
-%{_sysconfdir}/%{name}/2048-qt.profile
-%{_sysconfdir}/%{name}/Xephyr.profile
-%{_sysconfdir}/%{name}/Xvfb.profile
-%{_sysconfdir}/%{name}/akregator.profile
-%{_sysconfdir}/%{name}/arduino.profile
-%{_sysconfdir}/%{name}/baloo_file.profile
-%{_sysconfdir}/%{name}/bibletime.profile
-%{_sysconfdir}/%{name}/blender.profile
-%{_sysconfdir}/%{name}/caja.profile
-%{_sysconfdir}/%{name}/clipit.profile
-%{_sysconfdir}/%{name}/dia.profile
-%{_sysconfdir}/%{name}/dino.profile
-%{_sysconfdir}/%{name}/fontforge.profile
-%{_sysconfdir}/%{name}/galculator.profile
-%{_sysconfdir}/%{name}/geany.profile
-%{_sysconfdir}/%{name}/gimp-2.8.profile
-%{_sysconfdir}/%{name}/globaltime.profile
-%{_sysconfdir}/%{name}/gnome-font-viewer.profile
-%{_sysconfdir}/%{name}/gucharmap.profile
-%{_sysconfdir}/%{name}/hugin.profile
-%{_sysconfdir}/%{name}/kcalc.profile
-%{_sysconfdir}/%{name}/knotes.profile
-%{_sysconfdir}/%{name}/kodi.profile
-%{_sysconfdir}/%{name}/ktorrent.profile
-%{_sysconfdir}/%{name}/leafpad.profile
-%{_sysconfdir}/%{name}/lximage-qt.profile
-%{_sysconfdir}/%{name}/lxmusic.profile
-%{_sysconfdir}/%{name}/mate-calc.profile
-%{_sysconfdir}/%{name}/mate-calculator.profile
-%{_sysconfdir}/%{name}/mate-color-select.profile
-%{_sysconfdir}/%{name}/mate-dictionary.profile
-%{_sysconfdir}/%{name}/meld.profile
-%{_sysconfdir}/%{name}/nemo.profile
-%{_sysconfdir}/%{name}/nylas.profile
-%{_sysconfdir}/%{name}/orage.profile
-%{_sysconfdir}/%{name}/pcmanfm.profile
-%{_sysconfdir}/%{name}/qlipper.profile
-%{_sysconfdir}/%{name}/ristretto.profile
-%{_sysconfdir}/%{name}/viewnior.profile
-%{_sysconfdir}/%{name}/viking.profile
-%{_sysconfdir}/%{name}/xfce4-dict.profile
-%{_sysconfdir}/%{name}/xfce4-notes.profile
-%{_sysconfdir}/%{name}/youtube-dl.profile
-%{_sysconfdir}/%{name}/catfish.profile
-%{_sysconfdir}/%{name}/darktable.profile
-%{_sysconfdir}/%{name}/digikam.profile
-%{_sysconfdir}/%{name}/handbrake.profile
-%{_sysconfdir}/%{name}/vym.profile
-%{_sysconfdir}/%{name}/waterfox.profile
-# 0.9.49
-%{_sysconfdir}/%{name}/Gitter.profile
-%{_sysconfdir}/%{name}/android-studio.profile
-%{_sysconfdir}/%{name}/apktool.profile
-%{_sysconfdir}/%{name}/arm.profile
-%{_sysconfdir}/%{name}/baobab.profile
-%{_sysconfdir}/%{name}/calibre.profile
-%{_sysconfdir}/%{name}/curl.profile
-%{_sysconfdir}/%{name}/dex2jar.profile
-%{_sysconfdir}/%{name}/ebook-viewer.profile
-%{_sysconfdir}/%{name}/electron.profile
-%{_sysconfdir}/%{name}/etr.profile
-%{_sysconfdir}/%{name}/firefox-nightly.profile
-%{_sysconfdir}/%{name}/frozen-bubble.profile
-%{_sysconfdir}/%{name}/geary.profile
-%{_sysconfdir}/%{name}/ghb.profile
-%{_sysconfdir}/%{name}/gitg.profile
-%{_sysconfdir}/%{name}/gnome-twitch.profile
-%{_sysconfdir}/%{name}/handbrake-gtk.profile
-%{_sysconfdir}/%{name}/hashcat.profile
-%{_sysconfdir}/%{name}/idea.sh.profile
-%{_sysconfdir}/%{name}/kwrite.profile
-%{_sysconfdir}/%{name}/liferea.profile
-%{_sysconfdir}/%{name}/mplayer.profile
-%{_sysconfdir}/%{name}/musescore.profile
-%{_sysconfdir}/%{name}/neverball.profile
-%{_sysconfdir}/%{name}/obs.profile
-%{_sysconfdir}/%{name}/open-invaders.profile
-%{_sysconfdir}/%{name}/peek.profile
-%{_sysconfdir}/%{name}/picard.profile
-%{_sysconfdir}/%{name}/pingus.profile
-%{_sysconfdir}/%{name}/rambox.profile
-%{_sysconfdir}/%{name}/remmina.profile
-%{_sysconfdir}/%{name}/riot-web.profile
-%{_sysconfdir}/%{name}/sdat2img.profile
-%{_sysconfdir}/%{name}/silentarmy.profile
-%{_sysconfdir}/%{name}/simutrans.profile
-%{_sysconfdir}/%{name}/smplayer.profile
-%{_sysconfdir}/%{name}/soundconverter.profile
-%{_sysconfdir}/%{name}/sqlitebrowser.profile
-%{_sysconfdir}/%{name}/supertux2.profile
-%{_sysconfdir}/%{name}/telegram-desktop.profile
-%{_sysconfdir}/%{name}/torbrowser-launcher.profile
-%{_sysconfdir}/%{name}/truecraft.profile
-%{_sysconfdir}/%{name}/tuxguitar.profile
-%{_sysconfdir}/%{name}/unknown-horizons.profile
-%{_sysconfdir}/%{name}/wireshark-gtk.profile
-%{_sysconfdir}/%{name}/wireshark-qt.profile
-%{_sysconfdir}/%{name}/itch.profile
-%{_sysconfdir}/%{name}/minetest.profile
-%{_sysconfdir}/%{name}/yandex-browser.profile
-# 0.9.51
-%{_sysconfdir}/%{name}/Natron.profile
-%{_sysconfdir}/%{name}/Viber.profile
-%{_sysconfdir}/%{name}/amule.profile
-%{_sysconfdir}/%{name}/arch-audit.profile
-%{_sysconfdir}/%{name}/ardour4.profile
-%{_sysconfdir}/%{name}/ardour5.profile
-%{_sysconfdir}/%{name}/bluefish.profile
-%{_sysconfdir}/%{name}/brackets.profile
-%{_sysconfdir}/%{name}/calligra.profile
-%{_sysconfdir}/%{name}/calligraauthor.profile
-%{_sysconfdir}/%{name}/calligraconverter.profile
-%{_sysconfdir}/%{name}/calligraflow.profile
-%{_sysconfdir}/%{name}/calligraplan.profile
-%{_sysconfdir}/%{name}/calligraplanwork.profile
-%{_sysconfdir}/%{name}/calligrasheets.profile
-%{_sysconfdir}/%{name}/calligrastage.profile
-%{_sysconfdir}/%{name}/calligrawords.profile
-%{_sysconfdir}/%{name}/cin.profile
-%{_sysconfdir}/%{name}/cinelerra.profile
-%{_sysconfdir}/%{name}/clamav.profile
-%{_sysconfdir}/%{name}/clamdscan.profile
-%{_sysconfdir}/%{name}/clamdtop.profile
-%{_sysconfdir}/%{name}/clamscan.profile
-%{_sysconfdir}/%{name}/cliqz.profile
-%{_sysconfdir}/%{name}/conky.profile
-%{_sysconfdir}/%{name}/dooble-qt4.profile
-%{_sysconfdir}/%{name}/dooble.profile
-%{_sysconfdir}/%{name}/fetchmail.profile
-%{_sysconfdir}/%{name}/ffmpeg.profile
-%{_sysconfdir}/%{name}/freecad.profile
-%{_sysconfdir}/%{name}/freecadcmd.profile
-%{_sysconfdir}/%{name}/freshclam.profile
-%{_sysconfdir}/%{name}/google-earth.profile
-%{_sysconfdir}/%{name}/imagej.profile
-%{_sysconfdir}/%{name}/karbon.profile
-%{_sysconfdir}/%{name}/kdenlive.profile
-%{_sysconfdir}/%{name}/krita.profile
-%{_sysconfdir}/%{name}/linphone.profile
-%{_sysconfdir}/%{name}/lmms.profile
-%{_sysconfdir}/%{name}/macrofusion.profile
-%{_sysconfdir}/%{name}/mpd.profile
-%{_sysconfdir}/%{name}/natron.profile
-%{_sysconfdir}/%{name}/openshot-qt.profile
-%{_sysconfdir}/%{name}/pinta.profile
-%{_sysconfdir}/%{name}/ricochet.profile
-%{_sysconfdir}/%{name}/rocketchat.profile
-%{_sysconfdir}/%{name}/shotcut.profile
-%{_sysconfdir}/%{name}/smtube.profile
-%{_sysconfdir}/%{name}/surf.profile
-%{_sysconfdir}/%{name}/teamspeak3.profile
-%{_sysconfdir}/%{name}/terasology.profile
-%{_sysconfdir}/%{name}/tor-browser-en.profile
-%{_sysconfdir}/%{name}/tor.profile
-%{_sysconfdir}/%{name}/uefitool.profile
-%{_sysconfdir}/%{name}/whitelist-var-common.inc
-%{_sysconfdir}/%{name}/x-terminal-emulator.profile
-%{_sysconfdir}/%{name}/xmr-stak-cpu.profile
-%{_sysconfdir}/%{name}/zart.profile
- 
-/usr/bin/firejail
-/usr/bin/firemon
-/usr/bin/firecfg
-
-/usr/lib/firejail/libtrace.so
-/usr/lib/firejail/libtracelog.so
-/usr/lib/firejail/libpostexecseccomp.so
-/usr/lib/firejail/faudit
-/usr/lib/firejail/ftee
-/usr/lib/firejail/fbuilder
-/usr/lib/firejail/firecfg.config
-/usr/lib/firejail/fshaper.sh
-/usr/lib/firejail/fcopy
-/usr/lib/firejail/fgit-install.sh
-/usr/lib/firejail/fgit-uninstall.sh
-#/usr/lib/firejail/fix_private-bin.py
-#/usr/lib/firejail/fjclip.py
-#/usr/lib/firejail/fjdisplay.py
-#/usr/lib/firejail/fjresize.py
-/usr/lib/firejail/fnet
-/usr/lib/firejail/fldd
-/usr/lib/firejail/fseccomp
-/usr/lib/firejail/seccomp
-/usr/lib/firejail/seccomp.64
-/usr/lib/firejail/seccomp.debug
-/usr/lib/firejail/seccomp.32
-/usr/lib/firejail/seccomp.block_secondary
-/usr/lib/firejail/seccomp.mdwx
-
-/usr/share/doc/packages/firejail/COPYING
-/usr/share/doc/packages/firejail/README
-/usr/share/doc/packages/firejail/RELNOTES
-/usr/share/man/man1/firejail.1.gz
-/usr/share/man/man1/firemon.1.gz
-/usr/share/man/man1/firecfg.1.gz
-/usr/share/man/man5/firejail-profile.5.gz
-/usr/share/man/man5/firejail-login.5.gz
-/usr/share/bash-completion/completions/firejail
-/usr/share/bash-completion/completions/firemon
-/usr/share/bash-completion/completions/firecfg
-
-%post
-chmod u+s /usr/bin/firejail
-
-%changelog
-* Sat Sep 23 2017  netblue30 <netblue30@yahoo.com> 0.9.51-1
-
-* Fri Sep 8 2017  netblue30 <netblue30@yahoo.com> 0.9.50-1
-
-* Mon Jun 12 2017  netblue30 <netblue30@yahoo.com> 0.9.48-1
-
-* Mon May 15 2017  netblue30 <netblue30@yahoo.com> 0.9.46-1
-
-* Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
-  - CVE-2016-7545 submitted by Aleksey Manevich
-  - modifs: removed man firejail-config
-  - modifs: --private-tmp whitelists /tmp/.X11-unix directory
-  - modifs: Nvidia drivers added to --private-dev
-  - modifs: /srv supported by --whitelist
-  - feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
-  - feature: support starting/joining sandbox is a single command
-    (--join-or-start)
-  - feature: X11 detection support for --audit
-  - feature: assign a name to the interface connected to the bridge
-    (--veth-name)
-  - feature: all user home directories are visible (--allusers)
-  - feature: add files to sandbox container (--put)
-  - feature: blocking x11 (--x11=block)
-  - feature: X11 security extension (--x11=xorg)
-  - feature: disable 3D hardware acceleration (--no3d)
-  - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
-  - feature: move files in sandbox (--put)
-  - feature: accept wildcard patterns in user  name field of restricted
-    shell login feature
-  - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
-  - new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
-  - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
-  - new profiles: Flowblade, Eye of GNOME (eog), Evolution
-  - bugfixes
-
-* Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1
-  - security: --whitelist deleted files, submitted by Vasya Novikov
-  - security: disable x32 ABI in seccomp, submitted by Jann Horn
-  - security: tighten --chroot, submitted by Jann Horn
-  - security: terminal sandbox escape, submitted by Stephan Sokolow
-  - security: several TOCTOU fixes submitted by Aleksey Manevich
-  - modifs: bringing back --private-home option
-  - modifs: deprecated --user option, please use "sudo -u username firejail"
-  - modifs: allow symlinks in home directory for --whitelist option
-  - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
-  - modifs: recursive mkdir
-  - modifs: include /dev/snd in --private-dev
-  - modifs: seccomp filter update
-  - modifs: release archives moved to .xz format
-  - feature: AppImage support (--appimage)
-  - feature: AppArmor support (--apparmor)
-  - feature: Ubuntu snap support (/etc/firejail/snap.profile)
-  - feature: Sandbox auditing support (--audit)
-  - feature: remove environment variable (--rmenv)
-  - feature: noexec support (--noexec)
-  - feature: clean local overlay storage directory (--overlay-clean)
-  - feature: store and reuse overlay (--overlay-named)
-  - feature: allow debugging inside the sandbox with gdb and strace
-         (--allow-debuggers)
-  - feature: mkfile profile command
-  - feature: quiet profile command
-  - feature: x11 profile command
-  - feature: option to fix desktop files (firecfg --fix)
-  - compile time: Busybox support (--enable-busybox-workaround)
-  - compile time: disable overlayfs (--disable-overlayfs)
-  - compile time: disable whitlisting (--disable-whitelist)
-  - compile time: disable global config (--disable-globalcfg)
-  - run time: enable/disable overlayfs (overlayfs yes/no)
-  - run time: enable/disable  quiet as default (quiet-by-default yes/no)
-  - run time: user-defined network filter (netfilter-default)
-  - run time: enable/disable whitelisting (whitelist yes/no)
-  - run time: enable/disable remounting of /proc and /sys
-          (remount-proc-sys yes/no)
-  - run time: enable/disable chroot desktop features (chroot-desktop yes/no)
-  - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
-  - profiles: pix, audacity, xz, xzdec, gzip, cpio, less
-  - profiles: Atom Beta, Atom, jitsi, eom, uudeview
-  - profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
-  - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
-  - bugfixes
-
-EOF
-
-echo "building rpm"
-rpmbuild -ba SPECS/firejail.spec
-rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
-cd ..
-rm -f firejail-$VERSION-1.x86_64.rpm
-cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
diff --git a/platform/snap/snap.sh b/platform/snap/snap.sh
deleted file mode 100755
index d7f924293..000000000
--- a/platform/snap/snap.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-rm -fr faudit-snap
-rm -f faudit_*.snap
-mkdir faudit-snap
-cd faudit-snap
-snapcraft init
-cp ../snapcraft.yaml .
-#snapcraft stage
-mkdir -p stage/usr/lib/firejail
-cp ../../../src/faudit/faudit stage/usr/lib/firejail/.
-find stage
-snapcraft stage
-snapcraft snap
-cd ..
-mv faudit-snap/faudit_*.snap ../../.
-rm -fr faudit-snap
-
-
-
diff --git a/platform/snap/snapcraft.yaml b/platform/snap/snapcraft.yaml
deleted file mode 100644
index d3755de96..000000000
--- a/platform/snap/snapcraft.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: faudit  # the name of the snap
-version: 0  # the version of the snap
-summary: Fireajail audit snap edition  # 79 char long summary
-description: faudit program extracted from Firejail and packaged as a snap  # a longer description for the snap
-confinement: strict  # use "strict" to enforce system access only via declared interfaces
-
-apps:
-    faudit:
-        command: /usr/lib/firejail/faudit
-
-parts:
-    faudit:  # Replace with a part name of your liking
-        # Get more information about plugins by running
-        # snapcraft help plugins
-        # and more information about the available plugins
-        # by running
-        # snapcraft list-plugins
-        plugin: nil
-        snap:
-        - usr/lib/firejail/faudit
diff --git a/src/bash_completion/Makefile.in b/src/bash_completion/Makefile.in
new file mode 100644
index 000000000..f7db9e6b4
--- /dev/null
+++ b/src/bash_completion/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: firejail.bash_completion
+
+include ../common.mk
+
+firejail.bash_completion: firejail.bash_completion.in
+        gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
+        sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
+        rm $@.tmp
+
+.PHONY: clean
+clean:
+        rm -fr firejail.bash_completion
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion.in
index 09798f505..f68edf380 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -9,6 +9,17 @@ __interfaces(){
     cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
 }
 
+_profiles() {
+    if [[ -d "$1" ]] ; then
+        ls -1 $1/*.profile 2>/dev/null | sed -E 's;^.*\/;;g'
+    fi
+}
+_all_profiles() {
+    local sys_profiles=$(_profiles _SYSCONFDIR_/firejail)
+    local user_profiles=$(_profiles $HOME/.config/firejail)
+    COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur"))
+}
+
 
 _firejail()
 {
@@ -16,11 +27,11 @@ _firejail()
     _init_completion -s || return
 
     case $prev in
-        --help|--version|-debug-caps|--debug-syscalls|--list|--tree|--top|--join|--shutdown)
+        --help|--version|-debug-caps|--debug-syscalls|--debug-syscalls32|--list|--tree|--top|--join|--shutdown)
             return 0
             ;;
         --profile)
-            _filedir
+            _all_profiles
             return 0
             ;;
         --hosts-file)
@@ -79,10 +90,6 @@ _firejail()
             _filedir
             return 0
             ;;
-        --audit)
-            _filedir
-            return 0
-            ;;
          --net)
                 comps=$(__interfaces)
             COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
diff --git a/src/common.mk.in b/src/common.mk.in
new file mode 100644
index 000000000..d117433dc
--- /dev/null
+++ b/src/common.mk.in
@@ -0,0 +1,53 @@
+# common definitions for all makefiles
+
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+bindir=@bindir@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_GCOV=@HAVE_GCOV@
+HAVE_SELINUX=@HAVE_SELINUX@
+ifeq (@HAVE_SUID@, yes)
+HAVE_SUID=-DHAVE_SUID
+else
+HAVE_SUID=
+endif
+HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
+HAVE_OUTPUT=@HAVE_OUTPUT@
+HAVE_LTS=@HAVE_LTS@
+HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
+
+H_FILE_LIST       = $(sort $(wildcard *.h))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+
+CFLAGS = @CFLAGS@
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
+CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'   -DVARDIR='"/var/lib/firejail"'
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+CFLAGS += $(MANFLAGS)
+CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+ifdef NO_EXTRA_CFLAGS
+else
+EXTRA_CFLAGS +=@EXTRA_CFLAGS@
+endif
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
deleted file mode 100644
index a3b505c39..000000000
--- a/src/faudit/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-all: faudit
-
-CC=@CC@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
-
-%.o : %.c $(H_FILE_LIST)
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-faudit: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS)
-
-clean:; rm -f *.o faudit
-
-distclean: clean
-        rm -fr Makefile
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
deleted file mode 100644
index d4a98676c..000000000
--- a/src/faudit/caps.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-#include "faudit.h"
-#include <linux/capability.h>
-
-#define MAXBUF 4098
-static int extract_caps(uint64_t *val) {
-        FILE *fp = fopen("/proc/self/status", "r");
-        if (!fp)
-                return 1;
-
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp)) {
-                if (strncmp(buf, "CapBnd:\t", 8) == 0) {
-                        char *ptr = buf + 8;
-                        unsigned long long tmp;
-                        sscanf(ptr, "%llx", &tmp);
-                        *val = tmp;
-                        fclose(fp);
-                        return 0;
-                }
-        }
-
-        fclose(fp);
-        return 1;
-}
-
-// return 1 if the capability is in tbe map
-static int check_capability(uint64_t map, int cap) {
-        int i;
-        uint64_t mask = 1ULL;
-
-        for (i = 0; i < 64; i++, mask <<= 1) {
-                if ((i == cap) && (mask & map))
-                        return 1;
-        }
-
-        return 0;
-}
-
-void caps_test(void) {
-        uint64_t caps_val;
-
-        if (extract_caps(&caps_val)) {
-                printf("SKIP: cannot extract capabilities on this platform.\n");
-                return;
-        }
-
-        if (caps_val) {
-                printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
-                printf("Use \"firejail --caps.drop=all\" to fix it.\n");
-
-                if (check_capability(caps_val, CAP_SYS_ADMIN))
-                        printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
-                if (check_capability(caps_val, CAP_SYS_BOOT))
-                        printf("UGLY: CAP_SYS_BOOT is enabled.\n");
-        }
-        else
-                printf("GOOD: all capabilities are disabled.\n");
-}
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
deleted file mode 100644
index 54300c9b8..000000000
--- a/src/faudit/dbus.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <sys/un.h>
-
-// return 0 if the connection is possible
-int check_unix(const char *sockfile) {
-        assert(sockfile);
-        int rv = -1;
-
-        // open socket
-        int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-        if (sock == -1)
-                return rv;
-
-        // connect
-        struct sockaddr_un remote;
-        memset(&remote, 0, sizeof(struct sockaddr_un));
-        remote.sun_family = AF_UNIX;
-        strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path));
-        int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
-        if (*sockfile == '@')
-                remote.sun_path[0] = '\0';
-        if (connect(sock, (struct sockaddr *)&remote, len) == 0)
-                rv = 0;
-
-        close(sock);
-        return rv;
-}
-
-void dbus_test(void) {
-        // check the session bus
-        char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
-        if (str) {
-                int rv = 0;
-                char *bus = strdup(str);
-                if (!bus)
-                        errExit("strdup");
-                char *sockfile;
-                if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
-                        sockfile += 13;
-                        *sockfile = '@';
-                        char *ptr = strchr(sockfile, ',');
-                        if (ptr)
-                                *ptr = '\0';
-                        rv = check_unix(sockfile);
-                        *sockfile = '@';
-                        if (rv == 0)
-                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-                        else if (rv == -1)
-                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-                }
-                else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
-                        sockfile += 10;
-                        char *ptr = strchr(sockfile, ',');
-                        if (ptr)
-                                *ptr = '\0';
-                        rv = check_unix(sockfile);
-                        if (rv == 0)
-                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-                        else if (rv == -1)
-                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-                }
-                else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
-                        printf("UGLY: session bus configured for TCP communication.\n");
-                else
-                        printf("GOOD: cannot find a D-Bus socket\n");
-
-
-                free(bus);
-        }
-        else
-                printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
-}
diff --git a/src/faudit/files.c b/src/faudit/files.c
deleted file mode 100644
index aa5b3aafb..000000000
--- a/src/faudit/files.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <fcntl.h>
-#include <pwd.h>
-
-static char *username = NULL;
-static char *homedir = NULL;
-
-static void check_home_file(const char *name) {
-        assert(homedir);
-
-        char *fname;
-        if (asprintf(&fname, "%s/%s", homedir, name) ==  -1)
-                errExit("asprintf");
-
-        if (access(fname, R_OK) == 0) {
-                printf("UGLY: I can access files in %s directory. ", fname);
-                printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
-        }
-        else
-                printf("GOOD: I cannot access files in %s directory.\n", fname);
-
-        free(fname);
-}
-
-void files_test(void) {
-        struct passwd *pw = getpwuid(getuid());
-        if (!pw) {
-                fprintf(stderr, "Error: cannot retrieve user account information\n");
-                return;
-        }
-
-        username = strdup(pw->pw_name);
-        if (!username)
-                errExit("strdup");
-        homedir = strdup(pw->pw_dir);
-        if (!homedir)
-                errExit("strdup");
-
-        // check access to .ssh directory
-        check_home_file(".ssh");
-
-        // check access to .gnupg directory
-        check_home_file(".gnupg");
-
-        // check access to Firefox browser directory
-        check_home_file(".mozilla");
-
-        // check access to Chromium browser directory
-        check_home_file(".config/chromium");
-
-        // check access to Debian Icedove directory
-        check_home_file(".icedove");
-
-        // check access to Thunderbird directory
-        check_home_file(".thunderbird");
-}
diff --git a/src/faudit/main.c b/src/faudit/main.c
deleted file mode 100644
index 57c709767..000000000
--- a/src/faudit/main.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-char *prog;
-
-int main(int argc, char **argv) {
-        // make test-arguments helper
-        if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
-                printf("Arguments:\n");
-
-                int i;
-                for (i = 0; i < argc; i++) {
-                        printf("#%s#\n", argv[i]);
-                }
-
-                return 0;
-        }
-
-
-        if (argc != 1) {
-                int i;
-
-                for (i = 1; i < argc; i++) {
-                        if (strcmp(argv[i], "syscall") == 0) {
-                                syscall_helper(argc, argv);
-                                return 0;
-                        }
-                }
-                return 1;
-        }
-
-        printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
-
-        // extract program name
-        prog = realpath(argv[0], NULL);
-        if (prog == NULL) {
-                prog = strdup("faudit");
-                if (!prog)
-                        errExit("strdup");
-        }
-        printf("INFO: starting %s.\n", prog);
-
-
-        // check pid namespace
-        pid_test();
-        printf("\n");
-
-        // check seccomp
-        seccomp_test();
-        printf("\n");
-
-        // check capabilities
-        caps_test();
-        printf("\n");
-
-        // check some well-known problematic files and directories
-        files_test();
-        printf("\n");
-
-        // network
-        network_test();
-        printf("\n");
-
-        // dbus
-        dbus_test();
-        printf("\n");
-
-        // x11 test
-        x11_test();
-        printf("\n");
-
-        // /dev test
-        dev_test();
-        printf("\n");
-
-
-        free(prog);
-        printf("--------------------------------------------------------------------------------\n");
-
-        return 0;
-}
diff --git a/src/faudit/network.c b/src/faudit/network.c
deleted file mode 100644
index 797c15ba8..000000000
--- a/src/faudit/network.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-
-static void check_ssh(void) {
-        // open socket
-        int sock = socket(AF_INET, SOCK_STREAM, 0);
-        if (sock == -1) {
-                printf("GOOD: SSH server not available on localhost.\n");
-                return;
-        }
-
-        // connect to localhost
-        struct sockaddr_in server;
-        server.sin_addr.s_addr = inet_addr("127.0.0.1");
-        server.sin_family = AF_INET;
-        server.sin_port = htons(22);
-
-        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-                printf("GOOD: SSH server not available on localhost.\n");
-        else {
-                printf("MAYBE: an SSH server is accessible on localhost. ");
-                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-        }
-
-        close(sock);
-}
-
-static void check_http(void) {
-        // open socket
-        int sock = socket(AF_INET, SOCK_STREAM, 0);
-        if (sock == -1) {
-                printf("GOOD: HTTP server not available on localhost.\n");
-                return;
-        }
-
-        // connect to localhost
-        struct sockaddr_in server;
-        server.sin_addr.s_addr = inet_addr("127.0.0.1");
-        server.sin_family = AF_INET;
-        server.sin_port = htons(80);
-
-        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-                printf("GOOD: HTTP server not available on localhost.\n");
-        else {
-                printf("MAYBE: an HTTP server is accessible on localhost. ");
-                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-        }
-
-        close(sock);
-}
-
-void check_netlink(void) {
-        int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
-        if (sock == -1) {
-                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-                return;
-        }
-
-        struct sockaddr_nl local;
-        memset(&local, 0, sizeof(local));
-        local.nl_family = AF_NETLINK;
-        local.nl_groups = 0; //subscriptions;
-
-        if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
-                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-                close(sock);
-                return;
-        }
-
-        close(sock);
-        printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
-        printf("You can use \"--protocol\" to disable the socket.\n");
-}
-
-void network_test(void) {
-        check_ssh();
-        check_http();
-        check_netlink();
-}
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
deleted file mode 100644
index 0aa2ddd44..000000000
--- a/src/faudit/pid.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-void pid_test(void) {
-        char *kern_proc[] = {
-                "kthreadd",
-                "ksoftirqd",
-                "kworker",
-                "rcu_sched",
-                "rcu_bh",
-                NULL    // NULL terminated list
-        };
-        int i;
-
-        // look at the first 10 processes
-        int not_visible = 1;
-        for (i = 1; i <= 10; i++) {
-                struct stat s;
-                char *fname;
-                if (asprintf(&fname, "/proc/%d/comm", i) == -1)
-                        errExit("asprintf");
-                if (stat(fname, &s) == -1) {
-                        free(fname);
-                        continue;
-                }
-
-                // open file
-                /* coverity[toctou] */
-                FILE *fp = fopen(fname, "r");
-                if (!fp) {
-                        free(fname);
-                        continue;
-                }
-
-                // read file
-                char buf[100];
-                if (fgets(buf, 10, fp) == NULL) {
-                        fclose(fp);
-                        free(fname);
-                        continue;
-                }
-                not_visible = 0;
-
-                // clean /n
-                char *ptr;
-                if ((ptr = strchr(buf, '\n')) != NULL)
-                        *ptr = '\0';
-
-                // check process name against the kernel list
-                int j = 0;
-                while (kern_proc[j] != NULL) {
-                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
-                                fclose(fp);
-                                free(fname);
-                                printf("BAD: Process %d is not running in a PID namespace. ", getpid());
-                                printf("Are you sure you're running in a sandbox?\n");
-                                return;
-                        }
-                        j++;
-                }
-
-                fclose(fp);
-                free(fname);
-        }
-
-        pid_t pid = getpid();
-        if (not_visible && pid > 100)
-                printf("BAD: Process %d is not running in a PID namespace.\n", pid);
-        else
-                printf("GOOD: process %d is running in a PID namespace.\n", pid);
-
-        // try to guess the type of container/sandbox
-        char *str = getenv("container");
-        if (str)
-                printf("INFO: container/sandbox %s.\n", str);
-        else {
-                str = getenv("SNAP");
-                if (str)
-                        printf("INFO: this is a snap package\n");
-        }
-}
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
deleted file mode 100644
index 2e9665fd9..000000000
--- a/src/faudit/seccomp.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-#define MAXBUF 4098
-static int extract_seccomp(int *val) {
-        FILE *fp = fopen("/proc/self/status", "r");
-        if (!fp)
-                return 1;
-
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp)) {
-                if (strncmp(buf, "Seccomp:\t", 8) == 0) {
-                        char *ptr = buf + 8;
-                        int tmp;
-                        sscanf(ptr, "%d", &tmp);
-                        *val = tmp;
-                        fclose(fp);
-                        return 0;
-                }
-        }
-
-        fclose(fp);
-        return 1;
-}
-
-void seccomp_test(void) {
-        int seccomp_status;
-        int rv = extract_seccomp(&seccomp_status);
-
-        if (rv) {
-                printf("INFO: cannot extract seccomp configuration on this platform.\n");
-                return;
-        }
-
-        if (seccomp_status == 0) {
-                printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
-        }
-        else if (seccomp_status == 1)
-                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowed.\n");
-        else if (seccomp_status == 2) {
-                printf("GOOD: seccomp BPF enabled.\n");
-
-                printf("checking syscalls: "); fflush(0);
-                printf("mount... "); fflush(0);
-                syscall_run("mount");
-
-                printf("umount2... "); fflush(0);
-                syscall_run("umount2");
-
-                printf("ptrace... "); fflush(0);
-                syscall_run("ptrace");
-
-                printf("swapon... "); fflush(0);
-                syscall_run("swapon");
-
-                printf("swapoff... "); fflush(0);
-                syscall_run("swapoff");
-
-                printf("init_module... "); fflush(0);
-                syscall_run("init_module");
-
-                printf("delete_module... "); fflush(0);
-                syscall_run("delete_module");
-
-                printf("chroot... "); fflush(0);
-                syscall_run("chroot");
-
-                printf("pivot_root... "); fflush(0);
-                syscall_run("pivot_root");
-
-#if defined(__i386__) || defined(__x86_64__)
-                printf("iopl... "); fflush(0);
-                syscall_run("iopl");
-
-                printf("ioperm... "); fflush(0);
-                syscall_run("ioperm");
-#endif
-                printf("\n");
-        }
-        else
-                fprintf(stderr, "Error: unrecognized seccomp mode\n");
-
-}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
deleted file mode 100644
index 9661f81e6..000000000
--- a/src/faudit/syscall.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/ptrace.h>
-#include <sys/swap.h>
-#if defined(__i386__) || defined(__x86_64__)
-#include <sys/io.h>
-#endif
-#include <sys/wait.h>
-extern int init_module(void *module_image, unsigned long len,
-                       const char *param_values);
-extern int finit_module(int fd, const char *param_values,
-                        int flags);
-extern int delete_module(const char *name, int flags);
-extern int pivot_root(const char *new_root, const char *put_old);
-
-void syscall_helper(int argc, char **argv) {
-        (void) argc;
-
-        if (argc < 3)
-                return;
-
-        if (strcmp(argv[2], "mount") == 0) {
-                int rv = mount(NULL, NULL, NULL, 0, NULL);
-                (void) rv;
-                printf("\nUGLY: mount syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "umount2") == 0) {
-                umount2(NULL, 0);
-                printf("\nUGLY: umount2 syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "ptrace") == 0) {
-                ptrace(0, 0, NULL, NULL);
-                printf("\nUGLY: ptrace syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "swapon") == 0) {
-                swapon(NULL, 0);
-                printf("\nUGLY: swapon syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "swapoff") == 0) {
-                swapoff(NULL);
-                printf("\nUGLY: swapoff syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "init_module") == 0) {
-                init_module(NULL, 0, NULL);
-                printf("\nUGLY: init_module syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "delete_module") == 0) {
-                delete_module(NULL, 0);
-                printf("\nUGLY: delete_module syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "chroot") == 0) {
-                int rv = chroot("/blablabla-57281292");
-                (void) rv;
-                printf("\nUGLY: chroot syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "pivot_root") == 0) {
-                pivot_root(NULL, NULL);
-                printf("\nUGLY: pivot_root syscall permitted.\n");
-        }
-#if defined(__i386__) || defined(__x86_64__)
-        else if (strcmp(argv[2], "iopl") == 0) {
-                iopl(0L);
-                printf("\nUGLY: iopl syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "ioperm") == 0) {
-                ioperm(0, 0, 0);
-                printf("\nUGLY: ioperm syscall permitted.\n");
-        }
-#endif
-        exit(0);
-}
-
-void syscall_run(const char *name) {
-        assert(prog);
-
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                execl(prog, prog, "syscall", name, NULL);
-                perror("execl");
-                _exit(1);
-        }
-
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-}
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
deleted file mode 100644
index f0cc0eed4..000000000
--- a/src/faudit/x11.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <dirent.h>
-
-
-void x11_test(void) {
-        // check regular display 0 sockets
-        if (check_unix("/tmp/.X11-unix/X0") == 0)
-                printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
-
-        if (check_unix("@/tmp/.X11-unix/X0") == 0)
-                printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
-
-        // check all unix sockets in /tmp/.X11-unix directory
-        DIR *dir;
-        if (!(dir = opendir("/tmp/.X11-unix"))) {
-                // sleep 2 seconds and try again
-                sleep(2);
-                if (!(dir = opendir("/tmp/.X11-unix"))) {
-                        ;
-                }
-        }
-
-        if (dir == NULL)
-                printf("GOOD: cannot open /tmp/.X11-unix directory\n");
-        else {
-                struct dirent *entry;
-                while ((entry = readdir(dir)) != NULL) {
-                        if (strcmp(entry->d_name, "X0") == 0)
-                                continue;
-                        if (strcmp(entry->d_name, ".") == 0)
-                                continue;
-                        if (strcmp(entry->d_name, "..") == 0)
-                                continue;
-                        char *name;
-                        if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
-                                errExit("asprintf");
-                        if (check_unix(name) == 0)
-                                printf("MAYBE: X11 socket %s is available\n", name);
-                        free(name);
-                }
-                closedir(dir);
-        }
-}
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in
index dd8e2ce6e..6eaee284b 100644
--- a/src/fbuilder/Makefile.in
+++ b/src/fbuilder/Makefile.in
@@ -1,45 +1,17 @@
+.PHONY: all
 all: fbuilder
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 fbuilder: $(OBJS)
         $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
-clean:; rm -f *.o fbuilder *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 31b6ba8e8..9577042c4 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,21 +23,21 @@ static FileDB *bin_out = NULL;
 
 static void process_bin(const char *fname) {
         assert(fname);
-        
+
         // process trace file
         FILE *fp = fopen(fname, "r");
         if (!fp) {
                 fprintf(stderr, "Error: cannot open %s\n", fname);
                 exit(1);
         }
-        
+
         char buf[MAX_BUF];
         while (fgets(buf, MAX_BUF, fp)) {
                 // remove \n
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-        
+
                 // parse line: 4:galculator:access /etc/fonts/conf.d:0
                 // number followed by :
                 ptr = buf;
@@ -71,7 +71,7 @@ static void process_bin(const char *fname) {
                 else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
                         ptr += 16;
                 else if (strncmp(ptr, "/usr/games/", 11) == 0)
-                        ptr += 12;
+                        ptr += 11;
                 else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
                         ptr += 17;
                 else
@@ -83,24 +83,22 @@ static void process_bin(const char *fname) {
                         continue;
                 *ptr2 = '\0';
 
-                // skip strace
-                if (strcmp(ptr, "strace") == 0)
-                        continue;
-
-                bin_out = filedb_add(bin_out, ptr);
+                // skip strace and firejail (in case we hit a symlink in /usr/local/bin)
+                if (strcmp(ptr, "strace") && strcmp(ptr, "firejail"))
+                        bin_out = filedb_add(bin_out, ptr);
         }
-        
+
         fclose(fp);
 }
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_bin(const char *fname) {
+void build_bin(const char *fname, FILE *fp) {
         assert(fname);
-        
+
         // run fname
         process_bin(fname);
-        
+
         // run all the rest
         struct stat s;
         int i;
@@ -114,12 +112,12 @@ void build_bin(const char *fname) {
         }
 
         if (bin_out) {
-                printf("# private-bin ");
+                fprintf(fp, "private-bin ");
                 FileDB *ptr = bin_out;
                 while (ptr) {
-                        printf("%s,", ptr->fname);
+                        fprintf(fp, "%s,", ptr->fname);
                         ptr = ptr->next;
                 }
-                printf("\n");
+                fprintf(fp, "\n");
         }
 }
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index dcd86e069..019c3ac5a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,23 +25,23 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
         assert(fname);
         assert(dir);
         assert(callback);
-        
+
         int dir_len = strlen(dir);
-        
+
         // process trace file
         FILE *fp = fopen(fname, "r");
         if (!fp) {
                 fprintf(stderr, "Error: cannot open %s\n", fname);
                 exit(1);
         }
-        
+
         char buf[MAX_BUF];
         while (fgets(buf, MAX_BUF, fp)) {
                 // remove \n
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-        
+
                 // parse line: 4:galculator:access /etc/fonts/conf.d:0
                 // number followed by :
                 ptr = buf;
@@ -78,10 +78,10 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
                 if (!ptr2)
                         continue;
                 *ptr2 = '\0';
-                
+
                 callback(ptr);
         }
-        
+
         fclose(fp);
 }
 
@@ -90,10 +90,10 @@ static void process_files(const char *fname, const char *dir, void (*callback)(c
         assert(fname);
         assert(dir);
         assert(callback);
-        
+
         // run fname
         process_file(fname, dir, callback);
-        
+
         // run all the rest
         struct stat s;
         int i;
@@ -125,50 +125,110 @@ static void etc_callback(char *ptr) {
         etc_out = filedb_add(etc_out, ptr);
 }
 
-void build_etc(const char *fname) {
+void build_etc(const char *fname, FILE *fp) {
         assert(fname);
-        
+
         process_files(fname, "/etc", etc_callback);
-        
-        printf("private-etc ");
+
+        fprintf(fp, "private-etc ");
         if (etc_out == NULL)
-                printf("none\n");
+                fprintf(fp, "none\n");
         else {
                 FileDB *ptr = etc_out;
                 while (ptr) {
-                        printf("%s,", ptr->fname);
+                        fprintf(fp, "%s,", ptr->fname);
                         ptr = ptr->next;
                 }
-                printf("\n");
-        }       
+                fprintf(fp, "\n");
+        }
 }
 
 //*******************************************
 // var directory
 //*******************************************
+#if 0
+// todo: load the list from whitelist-var-common.inc
+static char *var_skip[] = {
+        "/var/lib/ca-certificates",
+        "/var/lib/dbus",
+        "/var/lib/menu-xdg",
+        "/var/lib/uim",
+        "/var/cache/fontconfig",
+        "/var/tmp",
+        "/var/run",
+        "/var/lock",
+        NULL
+};
+#endif
 static FileDB *var_out = NULL;
+static FileDB *var_skip = NULL;
 static void var_callback(char *ptr) {
-        if (strcmp(ptr, "/var/lib") == 0)
-                ;
-        else if (strcmp(ptr, "/var/cache") == 0)
-                ;
-        else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
-                var_out = filedb_add(var_out, "/var/lib/menu-xdg");
-        else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
-                var_out = filedb_add(var_out, "/var/cache/fontconfig");
-        else
-                var_out = filedb_add(var_out, ptr);
+        // extract the directory:
+        assert(strncmp(ptr, "/var", 4) == 0);
+        char *p1 = ptr + 4;
+        if (*p1 != '/')
+                return;
+        p1++;
+
+        if (*p1 == '/') // double '/'
+                p1++;
+        if (*p1 == '\0')
+                return;
+
+        if (!filedb_find(var_skip, p1))
+                var_out = filedb_add(var_out, p1);
 }
 
-void build_var(const char *fname) {
+void build_var(const char *fname, FILE *fp) {
         assert(fname);
 
+        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/");
         process_files(fname, "/var", var_callback);
-        
-        if (var_out == NULL)
-                printf("blacklist /var\n");
-        else
-                filedb_print(var_out, "whitelist ");
+
+        // always whitelist /var
+        if (var_out)
+                filedb_print(var_out, "allow /var/", fp);
+        fprintf(fp, "include whitelist-var-common.inc\n");
+}
+
+
+//*******************************************
+// usr/share directory
+//*******************************************
+static FileDB *share_out = NULL;
+static FileDB *share_skip = NULL;
+static void share_callback(char *ptr) {
+        // extract the directory:
+        assert(strncmp(ptr, "/usr/share", 10) == 0);
+        char *p1 = ptr + 10;
+        if (*p1 != '/')
+                return;
+        p1++;
+        if (*p1 == '/') // double '/'
+                p1++;
+        if (*p1 == '\0')
+                return;
+
+        // "/usr/share/bash-completion/bash_completion"  becomes "/usr/share/bash-completion"
+        char *p2 = strchr(p1, '/');
+        if (p2)
+                *p2 = '\0';
+
+
+        if (!filedb_find(share_skip, p1))
+                share_out = filedb_add(share_out, p1);
+}
+
+void build_share(const char *fname, FILE *fp) {
+        assert(fname);
+
+        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/");
+        process_files(fname, "/usr/share", share_callback);
+
+        // always whitelist /usr/share
+        if (share_out)
+                filedb_print(share_out, "allow /usr/share/", fp);
+        fprintf(fp, "include whitelist-usr-share-common.inc\n");
 }
 
 //*******************************************
@@ -176,24 +236,31 @@ void build_var(const char *fname) {
 //*******************************************
 static FileDB *tmp_out = NULL;
 static void tmp_callback(char *ptr) {
-        filedb_add(tmp_out, ptr);
+        // skip strace file
+        if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
+                return;
+        if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
+                return;
+        if (strcmp(ptr, "/tmp") == 0)
+                return;
+
+        tmp_out = filedb_add(tmp_out, ptr);
 }
 
-void build_tmp(const char *fname) {
+void build_tmp(const char *fname, FILE *fp) {
         assert(fname);
-        
+
         process_files(fname, "/tmp", tmp_callback);
-        
+
         if (tmp_out == NULL)
-                printf("private-tmp\n");
+                fprintf(fp, "private-tmp\n");
         else {
-                printf("\n");
-                printf("# private-tmp\n");
-                printf("# File accessed in /tmp directory:\n");
-                printf("# ");
+                fprintf(fp, "#private-tmp\n");
+                fprintf(fp, "# File accessed in /tmp directory:\n");
+                fprintf(fp, "# ");
                 FileDB *ptr = tmp_out;
                 while (ptr) {
-                        printf("%s,", ptr->fname);
+                        fprintf(fp, "%s,", ptr->fname);
                         ptr = ptr->next;
                 }
                 printf("\n");
@@ -204,40 +271,37 @@ void build_tmp(const char *fname) {
 // dev directory
 //*******************************************
 static char *dev_skip[] = {
+        "/dev/stdin",
+        "/dev/stdout",
+        "/dev/stderr",
         "/dev/zero",
         "/dev/null",
         "/dev/full",
         "/dev/random",
+        "/dev/srandom",
         "/dev/urandom",
+        "/dev/sr0",
+        "/dev/cdrom",
+        "/dev/cdrw",
+        "/dev/dvd",
+        "/dev/dvdrw",
+        "/dev/fd",
+        "/dev/pts",
+        "/dev/ptmx",
+        "/dev/log",
+
+        "/dev/aload",   // old ALSA devices, not covered in private-dev
+        "/dev/dsp",             // old OSS device, deprecated
+
         "/dev/tty",
-        "/dev/snd", 
+        "/dev/snd",
         "/dev/dri",
-        "/dev/pts",
-        "/dev/nvidia0",
-        "/dev/nvidia1",
-        "/dev/nvidia2",
-        "/dev/nvidia3",
-        "/dev/nvidia4",
-        "/dev/nvidia5",
-        "/dev/nvidia6",
-        "/dev/nvidia7",
-        "/dev/nvidia8",
-        "/dev/nvidia9",
-        "/dev/nvidiactl",
-        "/dev/nvidia-modeset",
-        "/dev/nvidia-uvm",
-        "/dev/video0",
-        "/dev/video1",
-        "/dev/video2",
-        "/dev/video3",
-        "/dev/video4",
-        "/dev/video5",
-        "/dev/video6",
-        "/dev/video7",
-        "/dev/video8",
-        "/dev/video9",
+        "/dev/nvidia",
+        "/dev/video",
         "/dev/dvb",
-        "/dev/sr0",
+        "/dev/hidraw",
+        "/dev/usb",
+        "/dev/input",
         NULL
 };
 
@@ -247,34 +311,32 @@ static void dev_callback(char *ptr) {
         int i = 0;
         int found = 0;
         while (dev_skip[i]) {
-                if (strcmp(ptr, dev_skip[i]) == 0) {
+                if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) {
                         found = 1;
                         break;
                 }
                 i++;
         }
         if (!found)
-                filedb_add(dev_out, ptr);
+                dev_out = filedb_add(dev_out, ptr);
 }
 
-void build_dev(const char *fname) {
+void build_dev(const char *fname, FILE *fp) {
         assert(fname);
-        
-        process_files(fname, "/tmp", tmp_callback);
-        
+
+        process_files(fname, "/dev", dev_callback);
+
         if (dev_out == NULL)
-                printf("private-dev\n");
+                fprintf(fp, "private-dev\n");
         else {
-                printf("\n");
-                printf("# private-dev\n");
-                printf("# This is the list of devices accessed (on top of regular private-dev devices:\n");
-                printf("# ");
+                fprintf(fp, "#private-dev\n");
+                fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
+                fprintf(fp, "# ");
                 FileDB *ptr = dev_out;
                 while (ptr) {
-                        printf("%s,", ptr->fname);
+                        fprintf(fp, "%s,", ptr->fname);
                         ptr = ptr->next;
                 }
-                printf("\n");
+                fprintf(fp, "\n");
         }
 }
-
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 947f172d8..c85474779 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,49 +23,25 @@
 static FileDB *db_skip = NULL;
 static FileDB *db_out = NULL;
 
-static void load_whitelist_common(void) {
-        FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
-                exit(1);
-        }
-        
-        char buf[MAX_BUF];
-        while (fgets(buf, MAX_BUF, fp)) {
-                if (strncmp(buf, "whitelist ~/", 12) != 0)
-                        continue;
-                char *fn = buf + 12;
-                char *ptr = strchr(buf, '\n');
-                if (!ptr)
-                        continue;
-                *ptr = '\0';
-                
-                // add the file to skip list
-                db_skip = filedb_add(db_skip, fn);
-        }
-        
-        fclose(fp);     
-}
-
 void process_home(const char *fname, char *home, int home_len) {
         assert(fname);
         assert(home);
         assert(home_len);
-        
+
         // process trace file
         FILE *fp = fopen(fname, "r");
         if (!fp) {
                 fprintf(stderr, "Error: cannot open %s\n", fname);
                 exit(1);
         }
-        
+
         char buf[MAX_BUF];
         while (fgets(buf, MAX_BUF, fp)) {
                 // remove \n
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-        
+
                 // parse line: 4:galculator:access /etc/fonts/conf.d:0
                 // number followed by :
                 ptr = buf;
@@ -92,6 +68,8 @@ void process_home(const char *fname, char *home, int home_len) {
                         ptr += 7;
                 else if (strncmp(ptr, "open /home", 10) == 0)
                         ptr += 5;
+                else if (strncmp(ptr, "opendir /home", 13) == 0)
+                        ptr += 8;
                 else
                         continue;
 
@@ -107,17 +85,17 @@ void process_home(const char *fname, char *home, int home_len) {
                 if (strcmp(ptr, home) == 0)
                         continue;
                 ptr += home_len + 1;
-                
-                // skip files handled automatically by firejail 
+
+                // skip files handled automatically by firejail
                 if (strcmp(ptr, ".Xauthority") == 0 ||
                     strcmp(ptr, ".Xdefaults-debian") == 0 ||
-                    strncmp(ptr, ".config/pulse/", 13) == 0 ||
+                    strncmp(ptr, ".config/pulse/", 14) == 0 ||
                     strncmp(ptr, ".pulse/", 7) == 0 ||
                     strncmp(ptr, ".bash_hist", 10) == 0 ||
                     strcmp(ptr, ".bashrc") == 0)
                         continue;
-                
-                
+
+
                 // try to find the relevant directory for this file
                 char *dir = extract_dir(ptr);
                 char *toadd = (dir)? dir: ptr;
@@ -141,7 +119,7 @@ void process_home(const char *fname, char *home, int home_len) {
                 }
 
                 // skip files and directories in whitelist-common.inc
-                if (filedb_find(db_skip, toadd)) {
+                if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
                         if (dir)
                                 free(dir);
                         continue;
@@ -158,11 +136,11 @@ void process_home(const char *fname, char *home, int home_len) {
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_home(const char *fname) {
+void build_home(const char *fname, FILE *fp) {
         assert(fname);
-                
+
         // load whitelist common
-        load_whitelist_common();
+        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/");
 
         // find user home directory
         struct passwd *pw = getpwuid(getuid());
@@ -172,10 +150,10 @@ void build_home(const char *fname) {
         if (!home)
                 errExit("getpwuid");
         int home_len = strlen(home);
-        
+
         // run fname
         process_home(fname, home, home_len);
-        
+
         // run all the rest
         struct stat s;
         int i;
@@ -187,13 +165,13 @@ void build_home(const char *fname) {
                         process_home(newname, home, home_len);
                 free(newname);
         }
-        
+
         // print the out list if any
         if (db_out) {
-                filedb_print(db_out, "whitelist ~/");
-                printf("include /etc/firejail/whitelist-common.inc\n");
+                filedb_print(db_out, "allow ${HOME}/", fp);
+                fprintf(fp, "include whitelist-common.inc\n");
         }
         else
-                printf("private\n");
+                fprintf(fp, "private\n");
 
-}
\ No newline at end of file
+}
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 0f71fe7ad..0b9a99739 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,72 +20,48 @@
 
 #include "fbuilder.h"
 #include <sys/wait.h>
-#include <fcntl.h>
-
-#define TRACE_OUTPUT "/tmp/firejail-trace"
-#define STRACE_OUTPUT "/tmp/firejail-strace"
-
-static char *cmdlist[] = {
-        "/usr/bin/firejail",
-        "--quiet",
-        "--output=" TRACE_OUTPUT,
-        "--noprofile",
-        "--caps.drop=all",
-        "--nonewprivs",
-        "--trace",
-        "--shell=none",
-        "/usr/bin/strace", // also used as a marker in build_profile()
-        "-c",
-        "-f",
-        "-o" STRACE_OUTPUT,
-};
-
-static void clear_tmp_files(void) {
-        unlink(STRACE_OUTPUT);
-        unlink(TRACE_OUTPUT);
-        
-        // run all the rest
-        int i;
-        for (i = 1; i <= 5; i++) {
-                char *newname;
-                if (asprintf(&newname, "%s.%d", TRACE_OUTPUT, i) == -1)
-                        errExit("asprintf");
-                unlink(newname);
-                free(newname);
-        }
 
-}
+#define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
+#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
 
-void build_profile(int argc, char **argv, int index) {
+void build_profile(int argc, char **argv, int index, FILE *fp) {
         // next index is the application name
         if (index >= argc) {
                 fprintf(stderr, "Error: application name missing\n");
                 exit(1);
         }
-        
-        // clean /tmp files
-        clear_tmp_files();
-        
-        // detect strace
-        int have_strace = 0;
-        if (access("/usr/bin/strace", X_OK) == 0)
-                have_strace = 1;
-        
+
+        char trace_output[] = "/tmp/firejail-trace.XXXXXX";
+        int tfile = mkstemp(trace_output);
+        if(tfile == -1)
+                errExit("mkstemp");
+        close(tfile);
+
+        char *output;
+        if(asprintf(&output,"--trace=%s",trace_output) == -1)
+                errExit("asprintf");
+
+        char *cmdlist[] = {
+          BINDIR "/firejail",
+          "--quiet",
+          "--noprofile",
+          "--caps.drop=all",
+          "--seccomp",
+          output,
+          "--shell=none",
+        };
+
         // calculate command length
-        int len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
+        unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
         if (arg_debug)
                 printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index);
         char *cmd[len];
-        cmd[0] = cmdlist[0];    // explicit assignemnt to clean scan-build error
-        
+        cmd[0] = cmdlist[0];    // explicit assignment to clean scan-build error
+
         // build command
-        int i = 0;
-        for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
-                // skip strace if not installed
-                if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
-                        break;
+        unsigned i = 0;
+        for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++)
                 cmd[i] = cmdlist[i];
-        }
 
         int i2 = index;
         for (; i < (len - 1); i++, i2++)
@@ -95,9 +71,9 @@ void build_profile(int argc, char **argv, int index) {
 
         if (arg_debug) {
                 for (i = 0; i < len; i++)
-                        printf("\t%s\n", cmd[i]);
+                        printf("%s%s\n", (i)?"\t":"", cmd[i]);
         }
-        
+
         // fork and execute
         pid_t child = fork();
         if (child == -1)
@@ -108,59 +84,88 @@ void build_profile(int argc, char **argv, int index) {
                 (void) rv;
                 errExit("execv");
         }
-        
+
         // wait for all processes to finish
         int status;
         if (waitpid(child, &status, 0) != child)
                 errExit("waitpid");
 
         if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
-                printf("\n\n\n");
-                printf("############################################\n");
-                printf("# %s profile\n", argv[index]);
-                printf("############################################\n");
-                printf("# Persistent global definitions\n");
-                printf("# include /etc/firejail/globals.local\n");
-                printf("\n");
-                
-                printf("### basic blacklisting\n");
-                printf("include /etc/firejail/disable-common.inc\n");
-                printf("# include /etc/firejail/disable-devel.inc\n");
-                printf("include /etc/firejail/disable-passwdmgr.inc\n");
-                printf("# include /etc/firejail/disable-programs.inc\n");
-                printf("\n");
-                
-                printf("### home directory whitelisting\n");
-                build_home(TRACE_OUTPUT);
-                printf("\n");
-                
-                printf("### filesystem\n");
-                build_tmp(TRACE_OUTPUT);
-                build_dev(TRACE_OUTPUT);
-                build_etc(TRACE_OUTPUT);
-                build_var(TRACE_OUTPUT);
-                build_bin(TRACE_OUTPUT);
-                printf("\n");
-
-                printf("### security filters\n");
-                printf("caps.drop all\n");
-                printf("nonewprivs\n");
-                printf("seccomp\n");
-                if (have_strace)
-                        build_seccomp(STRACE_OUTPUT);
-                else {
-                        printf("# If you install strace on your system, Firejail will also create a\n");
-                        printf("# whitelisted seccomp filter.\n");
-                }
-                printf("\n");
-
-                printf("### network\n");
-                build_protocol(TRACE_OUTPUT);
-                printf("\n");
-                
-                printf("### environment\n");
-                printf("shell none\n");
+                if (fp == stdout)
+                        printf("--- Built profile beings after this line ---\n");
+                fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
+                fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
+                fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
+                fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n");
+                fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n");
+
+                fprintf(fp, "# Firejail profile for %s\n", argv[index]);
+                fprintf(fp, "# Persistent local customizations\n");
+                fprintf(fp, "#include %s.local\n", argv[index]);
+                fprintf(fp, "# Persistent global definitions\n");
+                fprintf(fp, "#include globals.local\n");
+                fprintf(fp, "\n");
+
+                fprintf(fp, "### Basic Blacklisting ###\n");
+                fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
+                fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
+                fprintf(fp, "### and /tmp directories non-executable.\n");
+                fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n");
+                fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n");
+                fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n");
+                fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n");
+                fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n");
+                fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n");
+                fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n");
+                fprintf(fp, "\n");
+
+                fprintf(fp, "### Home Directory Whitelisting ###\n");
+                fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n");
+                fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n");
+                build_home(trace_output, fp);
+                fprintf(fp, "\n");
+
+                fprintf(fp, "### Filesystem Whitelisting ###\n");
+                build_share(trace_output, fp);
+                //todo: include whitelist-runuser-common.inc
+                build_var(trace_output, fp);
+                fprintf(fp, "\n");
+
+                fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n");
+                fprintf(fp, "caps.drop all\n");
+                fprintf(fp, "ipc-namespace\n");
+                fprintf(fp, "netfilter\n");
+                fprintf(fp, "#no3d\t# disable 3D acceleration\n");
+                fprintf(fp, "#nodvd\t# disable DVD and CD devices\n");
+                fprintf(fp, "#nogroups\t# disable supplementary user groups\n");
+                fprintf(fp, "#noinput\t# disable input devices\n");
+                fprintf(fp, "nonewprivs\n");
+                fprintf(fp, "noroot\n");
+                fprintf(fp, "#notv\t# disable DVB TV devices\n");
+                fprintf(fp, "#nou2f\t# disable U2F devices\n");
+                fprintf(fp, "#novideo\t# disable video capture devices\n");
+                build_protocol(trace_output, fp);
+                fprintf(fp, "seccomp\n");
+                fprintf(fp, "shell none\n");
+                fprintf(fp, "tracelog\n");
+                fprintf(fp, "\n");
+
+                fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n");
+                build_bin(trace_output, fp);
+                fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n");
+                build_dev(trace_output, fp);
+                build_etc(trace_output, fp);
+                fprintf(fp, "#private-lib\n");
+                build_tmp(trace_output, fp);
+                fprintf(fp, "\n");
+
+                fprintf(fp, "#dbus-user none\n");
+                fprintf(fp, "#dbus-system none\n");
+                fprintf(fp, "\n");
+                fprintf(fp, "#memory-deny-write-execute\n");
 
+                if (!arg_debug)
+                        unlink(trace_output);
         }
         else {
                 fprintf(stderr, "Error: cannot run the sandbox\n");
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index 18a767518..daf8d63ac 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,25 +20,27 @@
 
 #include "fbuilder.h"
 
-void build_seccomp(const char *fname) {
+#if 0
+void build_seccomp(const char *fname, FILE *fp) {
         assert(fname);
-        
-        FILE *fp = fopen(fname, "r");
-        if (!fp) {
+        assert(fp);
+
+        FILE *fp2 = fopen(fname, "r");
+        if (!fp2) {
                 fprintf(stderr, "Error: cannot open %s\n", fname);
                 exit(1);
         }
-        
+
         char buf[MAX_BUF];
         int line = 1;
         int position = 0;
         int cnt = 0;
-        while (fgets(buf, MAX_BUF, fp)) {
+        while (fgets(buf, MAX_BUF, fp2)) {
                 // remove \n
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-                
+
                 // first line:
                 //% time     seconds  usecs/call     calls    errors syscall
                 if (line == 1) {
@@ -60,49 +62,51 @@ void build_seccomp(const char *fname) {
                         // get out on the next "----" line
                         if (*buf == '-')
                                 break;
-                        
+
                         if (line == 3)
-                                printf("# seccomp.keep %s", buf + position);
+                                fprintf(fp, "# seccomp.keep %s", buf + position);
                         else
-                                printf(",%s", buf + position);
+                                fprintf(fp, ",%s", buf + position);
                         cnt++;
                 }
                 line++;
         }
-        printf("\n");
-        printf("# %d syscalls total\n", cnt);
-        printf("# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
-        printf("# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
-        printf("# running your sandbox.\n");
+        fprintf(fp, "\n");
+        fprintf(fp, "# %d syscalls total\n", cnt);
+        fprintf(fp, "# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
+        fprintf(fp, "# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
+        fprintf(fp, "# running your sandbox.\n");
 
-        fclose(fp);
+        fclose(fp2);
 }
+#endif
 
 //***************************************
 // protocol
 //***************************************
-int unix_s = 0;
-int inet = 0;
-int inet6 = 0;
-int netlink = 0;
-int packet = 0;
+static int unix_s = 0;
+static int inet = 0;
+static int inet6 = 0;
+static int netlink = 0;
+static int packet = 0;
+static int bluetooth = 0;
 static void process_protocol(const char *fname) {
         assert(fname);
-        
+
         // process trace file
         FILE *fp = fopen(fname, "r");
         if (!fp) {
                 fprintf(stderr, "Error: cannot open %s\n", fname);
                 exit(1);
         }
-        
+
         char buf[MAX_BUF];
         while (fgets(buf, MAX_BUF, fp)) {
                 // remove \n
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-        
+
                 // parse line: 4:galculator:access /etc/fonts/conf.d:0
                 // number followed by :
                 ptr = buf;
@@ -130,23 +134,25 @@ static void process_protocol(const char *fname) {
                         inet = 1;
                 else if (strncmp(ptr, "AF_INET6 ", 9) == 0)
                         inet6 = 1;
-                else if (strncmp(ptr, "AF_NETLINK ", 9) == 0)
+                else if (strncmp(ptr, "AF_NETLINK ", 11) == 0)
                         netlink = 1;
-                else if (strncmp(ptr, "AF_PACKET ", 9) == 0)
+                else if (strncmp(ptr, "AF_PACKET ", 10) == 0)
                         packet = 1;
+                else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0)
+                        bluetooth = 1;
         }
-        
+
         fclose(fp);
 }
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_protocol(const char *fname) {
+void build_protocol(const char *fname, FILE *fp) {
         assert(fname);
-        
+
         // run fname
         process_protocol(fname);
-        
+
         // run all the rest
         struct stat s;
         int i;
@@ -158,34 +164,33 @@ void build_protocol(const char *fname) {
                         process_protocol(newname);
                 free(newname);
         }
-        
+
         int net = 0;
-        if (unix_s || inet || inet6 || netlink || packet) {
-                printf("protocol ");
+        if (unix_s || inet || inet6 || netlink || packet || bluetooth) {
+                fprintf(fp, "protocol ");
                 if (unix_s)
-                        printf("unix,");
-                if (inet) {
-                        printf("inet,");
-                        net = 1;
-                }
-                if (inet6) {
-                        printf("inet6,");
+                        fprintf(fp, "unix,");
+                if (inet || inet6) {
+                        fprintf(fp, "inet,inet6,");
                         net = 1;
                 }
                 if (netlink)
-                        printf("netlink,");
+                        fprintf(fp, "netlink,");
                 if (packet) {
-                        printf("packet");
+                        fprintf(fp, "packet,");
                         net = 1;
                 }
-                printf("\n");
+                if (bluetooth) {
+                        fprintf(fp, "bluetooth");
+                        net = 1;
+                }
+                fprintf(fp, "\n");
         }
 
         if (net == 0)
-                printf("net none\n");
+                fprintf(fp, "net none\n");
         else {
-                printf("# net eth0\n");
-                printf("netfilter\n");
+                fprintf(fp, "# net eth0\n");
+                fprintf(fp, "netfilter\n");
         }
 }
-
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index c448f3e06..08dd35e10 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,30 +25,32 @@
 #include <pwd.h>
 #include <sys/types.h>
 #include <sys/stat.h>
- 
+#include <fcntl.h>
+
 
 #define MAX_BUF 4096
 // main.c
 extern int arg_debug;
 
 // build_profile.c
-void build_profile(int argc, char **argv, int index);
+void build_profile(int argc, char **argv, int index, FILE *fp);
 
 // build_seccomp.c
-void build_seccomp(const char *fname);
-void build_protocol(const char *fname);
+void build_seccomp(const char *fname, FILE *fp);
+void build_protocol(const char *fname, FILE *fp);
 
 // build_fs.c
-void build_etc(const char *fname);
-void build_var(const char *fname);
-void build_tmp(const char *fname);
-void build_dev(const char *fname);
+void build_etc(const char *fname, FILE *fp);
+void build_var(const char *fname, FILE *fp);
+void build_tmp(const char *fname, FILE *fp);
+void build_dev(const char *fname, FILE *fp);
+void build_share(const char *fname, FILE *fp);
 
 // build_bin.c
-void build_bin(const char *fname);
+void build_bin(const char *fname, FILE *fp);
 
 // build_home.c
-void build_home(const char *fname);
+void build_home(const char *fname, FILE *fp);
 
 // utils.c
 int is_dir(const char *fname);
@@ -63,6 +65,7 @@ typedef struct filedb_t {
 
 FileDB *filedb_add(FileDB *head, const char *fname);
 FileDB *filedb_find(FileDB *head, const char *fname);
-void filedb_print(FileDB *head, const char *prefix);
+void filedb_print(FileDB *head, const char *prefix, FILE *fp);
+FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
index a76fbc961..94a226cb7 100644
--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,18 +20,20 @@
 
 #include "fbuilder.h"
 
+// find exact name or an exact name in a parent directory
 FileDB *filedb_find(FileDB *head, const char *fname) {
+        assert(fname);
         FileDB *ptr = head;
         int found = 0;
         int len = strlen(fname);
-        
+
         while (ptr) {
                 // exact name
                 if (strcmp(fname, ptr->fname) == 0) {
                         found = 1;
                         break;
                 }
-                
+
                 // parent directory in the list
                 if (len > ptr->len &&
                     fname[ptr->len] == '/' &&
@@ -42,20 +44,22 @@ FileDB *filedb_find(FileDB *head, const char *fname) {
 
                 ptr = ptr->next;
         }
-        
+
         if (found)
                 return ptr;
-        
+
         return NULL;
 }
 
 FileDB *filedb_add(FileDB *head, const char *fname) {
         assert(fname);
 
+        // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.*
+
         // don't add it if it is already there or if the parent directory is already in the list
         if (filedb_find(head, fname))
                 return head;
-        
+
         // add a new entry
         FileDB *entry = malloc(sizeof(FileDB));
         if (!entry)
@@ -69,11 +73,53 @@ FileDB *filedb_add(FileDB *head, const char *fname) {
         return entry;
 };
 
-void filedb_print(FileDB *head, const char *prefix) {
+void filedb_print(FileDB *head, const char *prefix, FILE *fp) {
+        assert(head);
+        assert(prefix);
+
         FileDB *ptr = head;
         while (ptr) {
-                printf("%s%s\n", prefix, ptr->fname);
+                if (fp)
+                        fprintf(fp, "%s%s\n", prefix, ptr->fname);
+                else
+                        printf("%s%s\n", prefix, ptr->fname);
                 ptr = ptr->next;
         }
 }
 
+FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) {
+        assert(fname);
+        assert(prefix);
+        int len = strlen(prefix);
+        char *f;
+        if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(f, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
+                free(f);
+                exit(1);
+        }
+
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fp)) {
+                if (strncmp(buf, prefix, len) != 0)
+                        continue;
+
+                char *fn = buf + len;
+                char *ptr = strchr(buf, '\n');
+                if (!ptr)
+                        continue;
+                *ptr = '\0';
+
+                // add the file to skip list
+                head = filedb_add(head, fn);
+        }
+
+        fclose(fp);
+        free(f);
+//printf("***************************************************\n");
+//filedb_print(head, prefix, NULL);
+//printf("***************************************************\n");
+        return head;
+}
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index 83217ef98..6c9fc507c 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,7 +22,7 @@ int arg_debug = 0;
 
 static void usage(void) {
         printf("Firejail profile builder\n");
-        printf("Usage: firejail [--debug] --build program-and-arguments\n");
+        printf("Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n");
 }
 
 int main(int argc, char **argv) {
@@ -38,7 +38,9 @@ printf("\n");
 
         int i;
         int prog_index = 0;
-        
+        FILE *fp = stdout;
+        char *prof_file = NULL;
+
         // parse arguments and extract program index
         for (i = 1; i < argc; i++) {
                 if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) {
@@ -49,9 +51,30 @@ printf("\n");
                         arg_debug = 1;
                 else if (strcmp(argv[i], "--build") == 0)
                         ; // do nothing, this is passed down from firejail
+                else if (strncmp(argv[i], "--build=", 8) == 0) {
+                        // this option is only supported for non-root users
+                        if (getuid() == 0) {
+                                fprintf(stderr, "Error fbuild: --build=profile-name is not supported for root user.\n");
+                                exit(1);
+                        }
+
+                        // don't run if the file exists
+                        if (access(argv[i] + 8, F_OK) == 0) {
+                                fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n");
+                                exit(1);
+                        }
+
+                        // check file access
+                        fp = fopen(argv[i] + 8, "w");
+                        if (!fp) {
+                                fprintf(stderr, "Error: cannot open profile file.\n");
+                                exit(1);
+                        }
+                        prof_file = argv[i] + 8;
+                }
                 else {
                         if (*argv[i] == '-') {
-                                fprintf(stderr, "Error fbuilder: invalid program\n");
+                                fprintf(stderr, "Error: invalid program\n");
                                 usage();
                                 exit(1);
                         }
@@ -59,13 +82,20 @@ printf("\n");
                         break;
                 }
         }
-        
+
         if (prog_index == 0) {
-                fprintf(stderr, "Error fbuilder: program and arguments required\n");
+                fprintf(stderr, "Error : program and arguments required\n");
                 usage();
+                if (prof_file) {
+                        fclose(fp);
+                        int rv = unlink(prof_file);
+                        (void) rv;
+                }
                 exit(1);
         }
-        
-        build_profile(argc, argv, prog_index);
+
+        build_profile(argc, argv, prog_index, fp);
+        if (prof_file)
+                fclose(fp);
         return 0;
 }
diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c
index 902290899..52493f470 100644
--- a/src/fbuilder/utils.c
+++ b/src/fbuilder/utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -56,17 +56,17 @@ char *extract_dir(char *fname) {
         assert(fname);
         if (is_dir(fname))
                 return NULL;
-        
+
         char *name = strdup(fname);
         if (!name)
                 errExit("strdup");
-                
+
         char *ptr = strrchr(name, '/');
         if (!ptr) {
                 free(name);
                 return NULL;
         }
         *ptr = '\0';
-        
+
         return name;
 }
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index ad08f543e..e19f5d3b5 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -1,45 +1,17 @@
+.PHONY: all
 all: fcopy
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fcopy: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fcopy: $(OBJS) ../lib/common.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
-clean:; rm -f *.o fcopy *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index e7b4ffa8a..31810de9a 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,28 +19,97 @@
  */
 
 #include "../include/common.h"
-#include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#if HAVE_SELINUX
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/selinux.h>
+#endif
+
 int arg_quiet = 0;
+int arg_debug = 0;
 static int arg_follow_link = 0;
 
-#define COPY_LIMIT (500 * 1024 *1024)
+static unsigned long copy_limit = 500 * 1024 * 1024; // 500 MB
+static unsigned long size_cnt = 0;
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
-static unsigned size_cnt = 0;
 
 static char *outpath = NULL;
 static char *inpath = NULL;
 
+#if HAVE_SELINUX
+static struct selabel_handle *label_hnd = NULL;
+static int selinux_enabled = -1;
+#endif
+
+// copy from firejail/selinux.c
+static void selinux_relabel_path(const char *path, const char *inside_path) {
+        assert(path);
+        assert(inside_path);
+#if HAVE_SELINUX
+        char procfs_path[64];
+        char *fcon = NULL;
+        int fd;
+        struct stat st;
+
+        if (selinux_enabled == -1)
+                selinux_enabled = is_selinux_enabled();
+
+        if (!selinux_enabled)
+                return;
+
+        if (!label_hnd)
+                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+
+        if (!label_hnd)
+                errExit("selabel_open");
+
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        if (fd < 0)
+                return;
+        if (fstat(fd, &st) < 0)
+                goto close;
+
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+                sprintf(procfs_path, "/proc/self/fd/%i", fd);
+                if (arg_debug)
+                        printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
+
+                setfilecon_raw(procfs_path, fcon);
+        }
+        freecon(fcon);
+ close:
+        close(fd);
+#else
+        (void) path;
+        (void) inside_path;
+#endif
+}
+
 // modified version of the function from util.c
 static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) {
         assert(srcname);
         assert(destname);
         mode &= 07777;
 
+        // don't copy the file if it is already there
+        struct stat s;
+        if (stat(destname, &s) == 0)
+                return;
+
         // open source
         int src = open(srcname, O_RDONLY);
         if (src < 0) {
@@ -50,7 +119,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
         }
 
         // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755);
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR);
         if (dst < 0) {
                 if (!arg_quiet)
                         fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname);
@@ -71,7 +140,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
                         done += rv;
                 }
         }
-        fflush(0);
+        if (len < 0)
+                goto errexit;
 
         if (fchown(dst, uid, gid) == -1)
                 goto errexit;
@@ -81,6 +151,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
         close(src);
         close(dst);
 
+        selinux_relabel_path(destname, srcname);
+
         return;
 
 errexit:
@@ -108,15 +180,68 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
         }
 }
 
+static char *proc_pid_to_self(const char *target) {
+        assert(target);
+        char *use_target = 0;
+        char *proc_pid = 0;
+
+        if (!(use_target = realpath(target, NULL)))
+                goto done;
+
+        // target is under /proc/<PID>?
+        static const char proc[] = "/proc/";
+        if (strncmp(use_target, proc, sizeof(proc) - 1))
+                goto done;
+
+        int digit = use_target[sizeof(proc) - 1];
+        if (digit < '1' || digit > '9')
+                goto done;
+
+        // check where /proc/self points to
+        static const char proc_self[] = "/proc/self";
+        if (!(proc_pid = realpath(proc_self, NULL)))
+                goto done;
+
+        // redirect /proc/PID/xxx -> /proc/self/XXX
+        size_t pfix = strlen(proc_pid);
+        if (strncmp(use_target, proc_pid, pfix))
+                goto done;
+
+        if (use_target[pfix] != 0 && use_target[pfix] != '/')
+                goto done;
+
+        char *tmp;
+        if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) {
+                if (arg_debug)
+                        fprintf(stderr, "SYMLINK %s\n  -->   %s\n", use_target, tmp);
+                free(use_target);
+                use_target = tmp;
+        }
+        else
+                errExit("asprintf");
+
+done:
+        if (proc_pid)
+                free(proc_pid);
+        return use_target;
+}
 
 void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) {
         (void) mode;
         (void) uid;
         (void) gid;
-        char *rp = realpath(target, NULL);
+
+        // if the link is already there, don't create it
+        struct stat s;
+        if (lstat(linkpath, &s) == 0)
+               return;
+
+        char *rp = proc_pid_to_self(target);
         if (rp) {
-                if (symlink(rp, linkpath) == -1)
+                if (symlink(rp, linkpath) == -1) {
+                        free(rp);
                         goto errout;
+                }
                 free(rp);
         }
         else
@@ -129,6 +254,7 @@ errout:
 }
 
 
+
 static int first = 1;
 static int fs_copydir(const char *infname, const struct stat *st, int ftype, struct FTW *sftw) {
         (void) st;
@@ -154,27 +280,24 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
                         first = 0;
                 else if (!arg_quiet)
                         fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname);
-                free(outfname);
-                return 0;
+                goto out;
         }
 
         // extract mode and ownership
         if (stat(infname, &s) != 0) {
                 if (!arg_quiet)
                         fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname);
-                free(outfname);
-                return 0;
+                goto out;
         }
         uid_t uid = s.st_uid;
         gid_t gid = s.st_gid;
         mode_t mode = s.st_mode;
 
         // recalculate size
-        if ((s.st_size + size_cnt) > COPY_LIMIT) {
-                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024);
+        if ((s.st_size + size_cnt) > copy_limit) {
+                fprintf(stderr, "Error fcopy: size limit of %lu MB reached\n", (copy_limit / 1024) / 1024);
                 size_limit_reached = 1;
-                free(outfname);
-                return 0;
+                goto out;
         }
 
         file_cnt++;
@@ -189,7 +312,8 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
         else if (ftype == FTW_SL) {
                 copy_link(infname, outfname, mode, uid, gid);
         }
-
+out:
+        free(outfname);
         return(0);
 }
 
@@ -204,7 +328,7 @@ static char *check(const char *src) {
         //    /run/systemd/resolve/resolv.conf; this file is owned by systemd-resolve user
         // checking gid will fail for files with a larger group such as /usr/bin/mutt_dotlock
         uid_t user = getuid();
-        if (user == 0 && strcmp(rsrc, "/run/systemd/resolve/resolv.conf") == 0) {
+        if (user == 0 && strncmp(rsrc, "/run/systemd/resolve/", 21) == 0) {
                 // check user systemd-resolve
                 struct passwd *p = getpwnam("systemd-resolve");
                 if (!p)
@@ -222,7 +346,8 @@ static char *check(const char *src) {
                 return rsrc;                      // normal exit from the function
 
 errexit:
-        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
+        free(rsrc);
+        fprintf(stderr, "Error fcopy: invalid ownership for file %s\n", src);
         exit(1);
 }
 
@@ -316,6 +441,9 @@ int main(int argc, char **argv) {
         char *quiet = getenv("FIREJAIL_QUIET");
         if (quiet && strcmp(quiet, "yes") == 0)
                 arg_quiet = 1;
+        char *debug = getenv("FIREJAIL_DEBUG");
+        if (debug && strcmp(debug, "yes") == 0)
+                arg_debug = 1;
 
         char *src;
         char *dest;
@@ -336,25 +464,21 @@ int main(int argc, char **argv) {
                 exit(1);
         }
 
-        // trim trailing chars
-        if (src[strlen(src) - 1] == '/')
-                src[strlen(src) - 1] = '\0';
-        if (dest[strlen(dest) - 1] == '/')
-                dest[strlen(dest) - 1] = '\0';
+        warn_dumpable();
 
         // check the two files; remove ending /
-        int len = strlen(src);
-        if (src[len - 1] == '/')
-                src[len - 1] = '\0';
-        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) {
+        size_t len = strlen(src);
+        while (len > 1 && src[len - 1] == '/')
+                src[--len] = '\0';
+        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) {
                 fprintf(stderr, "Error fcopy: invalid source file name %s\n", src);
                 exit(1);
         }
 
         len = strlen(dest);
-        if (dest[len - 1] == '/')
-                dest[len - 1] = '\0';
-        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) {
+        while (len > 1 && dest[len - 1] == '/')
+                dest[--len] = '\0';
+        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) {
                 fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest);
                 exit(1);
         }
@@ -370,6 +494,14 @@ int main(int argc, char **argv) {
                 exit(1);
         }
 
+        // extract copy limit size from env variable, if any
+        char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
+        if (cl) {
+                copy_limit = strtoul(cl, NULL, 10) * 1024 * 1024;
+                if (arg_debug)
+                        printf("file copy limit %lu bytes\n", copy_limit);
+        }
+
         // copy files
         if ((arg_follow_link ? stat : lstat)(src, &s) == -1) {
                 fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno));
diff --git a/src/fgit/fgit-install.sh b/src/fgit/fgit-install.sh
index 1f710c688..262b6f112 100755
--- a/src/fgit/fgit-install.sh
+++ b/src/fgit/fgit-install.sh
@@ -1,4 +1,8 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+#
 # Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
 #
 
diff --git a/src/fgit/fgit-uninstall.sh b/src/fgit/fgit-uninstall.sh
index bc7cc9563..d40f90320 100644
--- a/src/fgit/fgit-uninstall.sh
+++ b/src/fgit/fgit-uninstall.sh
@@ -1,4 +1,8 @@
 #!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+#
 # Purpose: Fetch, compile, and install firejail from GitHub source. Package-manager agnostic.
 #
 
diff --git a/src/fids/Makefile.in b/src/fids/Makefile.in
new file mode 100644
index 000000000..5530bcee2
--- /dev/null
+++ b/src/fids/Makefile.in
@@ -0,0 +1,18 @@
+.PHONY: all
+all: fids
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+#fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
+fids: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fids *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fids/blake2b.c b/src/fids/blake2b.c
new file mode 100644
index 000000000..f2aa5ae66
--- /dev/null
+++ b/src/fids/blake2b.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/* A simple unkeyed BLAKE2b Implementation based on the official reference
+ * from https://github.com/BLAKE2/BLAKE2.
+ *
+ * The original code was released under CC0 1.0 Universal license (Creative Commons),
+ * a public domain license.
+ */
+
+#include "fids.h"
+
+// little-endian vs big-endian is irrelevant since the checksum is calculated and checked on the same computer.
+static inline uint64_t load64( const void *src ) {
+        uint64_t w;
+        memcpy( &w, src, sizeof( w ) );
+        return w;
+}
+
+// mixing function
+#define ROTR64(x, y)  (((x) >> (y)) ^ ((x) << (64 - (y))))
+#define G(a, b, c, d, x, y) {   \
+                v[a] = v[a] + v[b] + x;         \
+                v[d] = ROTR64(v[d] ^ v[a], 32); \
+                v[c] = v[c] + v[d];             \
+                v[b] = ROTR64(v[b] ^ v[c], 24); \
+                v[a] = v[a] + v[b] + y;         \
+                v[d] = ROTR64(v[d] ^ v[a], 16); \
+                v[c] = v[c] + v[d];             \
+                v[b] = ROTR64(v[b] ^ v[c], 63); }
+
+// init vector
+static const uint64_t iv[8] = {
+        0x6A09E667F3BCC908, 0xBB67AE8584CAA73B,
+        0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
+        0x510E527FADE682D1, 0x9B05688C2B3E6C1F,
+        0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179
+};
+
+
+const uint8_t sigma[12][16] = {
+        { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+        { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
+        { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
+        { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
+        { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
+        { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
+        { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
+        { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
+        { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
+        { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
+        { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
+        { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
+};
+
+// blake2b context
+typedef struct {
+        uint8_t b[128];                     // input buffer
+        uint64_t h[8];                      // chained state
+        uint64_t t[2];                      // total number of bytes
+        size_t c;                           // pointer for b[]
+        size_t outlen;                      // digest size
+} CTX;
+
+// compress function
+static void compress(CTX *ctx, int last) {
+        uint64_t m[16];
+        uint64_t v[16];
+        size_t i;
+
+        for (i = 0; i < 16; i++)
+                m[i] = load64(&ctx->b[8 * i]);
+
+        for (i = 0; i < 8; i++) {
+                v[i] = ctx->h[i];
+                v[i + 8] = iv[i];
+        }
+
+        v[12] ^= ctx->t[0];
+        v[13] ^= ctx->t[1];
+        if (last)
+                v[14] = ~v[14];
+
+        for (i = 0; i < 12; i++) {
+                G( 0, 4,  8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]);
+                G( 1, 5,  9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]);
+                G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]);
+                G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]);
+                G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]);
+                G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]);
+                G( 2, 7,  8, 13, m[sigma[i][12]], m[sigma[i][13]]);
+                G( 3, 4,  9, 14, m[sigma[i][14]], m[sigma[i][15]]);
+        }
+
+        for( i = 0; i < 8; ++i )
+                ctx->h[i] ^= v[i] ^ v[i + 8];
+}
+
+static int init(CTX *ctx, size_t outlen) {      // (keylen=0: no key)
+        size_t i;
+
+        if (outlen == 0 || outlen > 64)
+                return -1;
+
+        for (i = 0; i < 8; i++)
+                ctx->h[i] = iv[i];
+        ctx->h[0] ^= 0x01010000  ^ outlen;
+
+        ctx->t[0] = 0;
+        ctx->t[1] = 0;
+        ctx->c = 0;
+        ctx->outlen = outlen;
+
+        return 0;
+}
+
+static void update(CTX *ctx, const void *in, size_t inlen) {
+        size_t i;
+
+        for (i = 0; i < inlen; i++) {
+                if (ctx->c == 128) {
+                        ctx->t[0] += ctx->c;
+                        if (ctx->t[0] < ctx->c)
+                                ctx->t[1]++;
+                        compress(ctx, 0);
+                        ctx->c = 0;
+                }
+                ctx->b[ctx->c++] = ((const uint8_t *) in)[i];
+        }
+}
+
+static void final(CTX *ctx, void *out) {
+        size_t i;
+
+        ctx->t[0] += ctx->c;
+        if (ctx->t[0] < ctx->c)
+                ctx->t[1]++;
+
+        while (ctx->c < 128)
+                ctx->b[ctx->c++] = 0;
+        compress(ctx, 1);
+
+        for (i = 0; i < ctx->outlen; i++) {
+                ((uint8_t *) out)[i] =
+                        (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF;
+        }
+}
+
+// public function
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen) {
+        CTX ctx;
+
+        if (init(&ctx, outlen))
+                return -1;
+        update(&ctx, in, inlen);
+        final(&ctx, out);
+
+        return 0;
+}
diff --git a/src/fids/config b/src/fids/config
new file mode 100644
index 000000000..c18c97260
--- /dev/null
+++ b/src/fids/config
@@ -0,0 +1,16 @@
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/games
+/opt
+/usr/share/ca-certificates
+
+
+/home/netblue/.bashrc
+/home/netblue/.config/firejail
+/home/netblue/.config/autostart
+/home/netblue/Desktop/*.desktop
+/home/netblue/.ssh
+/home/netblue/.gnupg
+
diff --git a/src/fids/db.c b/src/fids/db.c
new file mode 100644
index 000000000..35caf7eeb
--- /dev/null
+++ b/src/fids/db.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+
+typedef struct db_t {
+        struct db_t *next;
+        char *fname;
+        char *checksum;
+        char *mode;
+        int checked;
+} DB;
+
+#define MAXBUF 4096
+static DB *database[HASH_MAX] = {NULL};
+
+// djb2 hash function by Dan Bernstein
+static unsigned hash(const char *str) {
+        unsigned long hash = 5381;
+        int c;
+
+        while ((c = *str++) != '\0')
+                hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
+
+        return hash & (HASH_MAX - 1);
+}
+
+#if 0
+// for testing the hash table
+static void db_print(void) {
+        int i;
+        for (i = 0; i < HASH_MAX; i++) {
+                int cnt = 0;
+                DB *ptr = database[i];
+                while (ptr) {
+                        cnt++;
+                        ptr = ptr->next;
+                }
+                printf("%d ", cnt);
+                fflush(0);
+        }
+        printf("\n");
+}
+#endif
+
+static void db_add(const char *fname, const char *checksum, const char *mode) {
+        DB *ptr = malloc(sizeof(DB));
+        if (!ptr)
+                errExit("malloc");
+        ptr->fname = strdup(fname);
+        ptr->checksum = strdup(checksum);
+        ptr->mode = strdup(mode);
+        ptr->checked = 0;
+        if (!ptr->fname || !ptr->checksum || !ptr->mode)
+                errExit("strdup");
+
+        unsigned h = hash(fname);
+        ptr->next = database[h];
+        database[h] = ptr;
+}
+
+void db_check(const char *fname, const char *checksum, const char *mode) {
+        assert(fname);
+        assert(checksum);
+        assert(mode);
+
+        unsigned h =hash(fname);
+        DB *ptr = database[h];
+        while (ptr) {
+                if (strcmp(fname, ptr->fname) == 0) {
+                        ptr->checked = 1;
+                        break;
+                }
+                ptr = ptr->next;
+        }
+
+        if (ptr ) {
+                if (strcmp(checksum, ptr->checksum)) {
+                        f_modified++;
+                        fprintf(stderr, "\nWarning: modified %s\n", fname);
+                }
+                if (strcmp(mode, ptr->mode)) {
+                        f_permissions++;
+                        fprintf(stderr, "\nWarning: permissions %s: old %s, new %s\n",
+                                fname, ptr->mode, mode);
+                }
+        }
+        else {
+                f_new++;
+                fprintf(stderr, "\nWarning: new file %s\n", fname);
+        }
+}
+
+void db_missing(void) {
+        int i;
+        for (i = 0; i < HASH_MAX; i++) {
+                DB *ptr = database[i];
+                while (ptr) {
+                        if (!ptr->checked) {
+                                f_removed++;
+                                fprintf(stderr, "Warning: removed %s\n", ptr->fname);
+                        }
+                        ptr = ptr->next;
+                }
+        }
+}
+
+// return 0 if ok, 1 if error
+int db_init(void) {
+        char buf[MAXBUF];
+        while(fgets(buf, MAXBUF, stdin)) {
+                // split - tab separated
+
+                char *mode = buf;
+                char *ptr = strchr(buf, '\t');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+
+                char *checksum = ptr + 1;
+                ptr = strchr(checksum, '\t');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+
+                char *fname = ptr + 1;
+                ptr = strchr(fname, '\n');
+                if (!ptr)
+                        goto errexit;
+                *ptr = '\0';
+
+                db_add(fname, checksum, mode);
+        }
+//      db_print();
+
+        return 0;
+
+errexit:
+        fprintf(stderr, "Error fids: database corrupted\n");
+        exit(1);
+}
+
diff --git a/src/fids/db_exclude.c b/src/fids/db_exclude.c
new file mode 100644
index 000000000..994e6f9df
--- /dev/null
+++ b/src/fids/db_exclude.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include"fids.h"
+
+typedef struct db_exclude_t {
+        struct db_exclude_t *next;
+        char *fname;
+        int len;
+} DB_EXCLUDE;
+static DB_EXCLUDE *database = NULL;
+
+void db_exclude_add(const char *fname) {
+        assert(fname);
+
+        DB_EXCLUDE *ptr = malloc(sizeof(DB_EXCLUDE));
+        if (!ptr)
+                errExit("malloc");
+
+        ptr->fname = strdup(fname);
+        if (!ptr->fname)
+                errExit("strdup");
+        ptr->len = strlen(fname);
+        ptr->next = database;
+        database = ptr;
+}
+
+int db_exclude_check(const char *fname) {
+        assert(fname);
+
+        DB_EXCLUDE *ptr = database;
+        while (ptr != NULL) {
+                if (strncmp(fname, ptr->fname, ptr->len) == 0)
+                        return 1;
+                ptr = ptr->next;
+        }
+
+        return 0;
+}
+
diff --git a/src/fids/fids.h b/src/fids/fids.h
new file mode 100644
index 000000000..a2e2886fe
--- /dev/null
+++ b/src/fids/fids.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FIDS_H
+#define FIDS_H
+
+#include "../include/common.h"
+
+// main.c
+#define MAX_DIR_LEVEL 20        // max directory tree depth
+#define MAX_INCLUDE_LEVEL 10    // max include level for config files
+extern int f_scanned;
+extern int f_modified;
+extern int f_new;
+extern int f_removed;
+extern int f_permissions;
+
+// db.c
+#define HASH_MAX 2048   // power of 2
+int db_init(void);
+void db_check(const char *fname, const char *checksum, const char *mode);
+void db_missing(void);
+
+// db_exclude.c
+void db_exclude_add(const char *fname);
+int db_exclude_check(const char *fname);
+
+
+// blake2b.c
+//#define KEY_SIZE 128 // key size in bytes
+#define KEY_SIZE 256
+//#define KEY_SIZE 512
+int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
+
+#endif
\ No newline at end of file
diff --git a/src/fids/main.c b/src/fids/main.c
new file mode 100644
index 000000000..c899b55e1
--- /dev/null
+++ b/src/fids/main.c
@@ -0,0 +1,371 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fids.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <dirent.h>
+#include <glob.h>
+
+#define MAXBUF 4096
+
+static int dir_level = 1;
+static int include_level = 0;
+int arg_init = 0;
+int arg_check = 0;
+char *arg_homedir = NULL;
+char *arg_dbfile = NULL;
+
+int f_scanned = 0;
+int f_modified = 0;
+int f_new = 0;
+int f_removed = 0;
+int f_permissions = 0;
+
+
+
+static inline int is_dir(const char *fname) {
+        assert(fname);
+
+        struct stat s;
+        if (stat(fname, &s) == 0) {
+                if (S_ISDIR(s.st_mode))
+                        return 1;
+        }
+        return 0;
+}
+
+static inline int is_link(const char *fname) {
+        assert(fname);
+
+        char c;
+        ssize_t rv = readlink(fname, &c, 1);
+        return (rv != -1);
+}
+
+// mode is an array of 10 chars or more
+static inline void file_mode(const char *fname, char *mode) {
+        assert(fname);
+        assert(mode);
+
+        struct stat s;
+        if (stat(fname, &s)) {
+                *mode = '\0';
+                return;
+        }
+
+        sprintf(mode, (s.st_mode & S_IRUSR) ? "r" : "-");
+        sprintf(mode + 1, (s.st_mode & S_IWUSR) ? "w" : "-");
+        sprintf(mode + 2, (s.st_mode & S_IXUSR) ? "x" : "-");
+        sprintf(mode + 3, (s.st_mode & S_IRGRP) ? "r" : "-");
+        sprintf(mode + 4, (s.st_mode & S_IWGRP) ? "w" : "-");
+        sprintf(mode + 5, (s.st_mode & S_IXGRP) ? "x" : "-");
+        sprintf(mode + 6, (s.st_mode & S_IROTH) ? "r" : "-");
+        sprintf(mode + 7, (s.st_mode & S_IWOTH) ? "w" : "-");
+        sprintf(mode + 8, (s.st_mode & S_IXOTH) ? "x" : "-");
+}
+
+
+static void file_checksum(const char *fname) {
+        assert(fname);
+
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1)
+                return;
+
+        off_t size = lseek(fd, 0, SEEK_END);
+        if (size < 0) {
+                close(fd);
+                return;
+        }
+
+        char *content = "empty";
+        int mmapped = 0;
+        if (size == 0) {
+                // empty files don't mmap - use "empty" string as the file content
+                size = 6; // strlen("empty") + 1
+        }
+        else {
+                content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+                close(fd);
+                mmapped = 1;
+        }
+
+        unsigned char checksum[KEY_SIZE / 8];
+        blake2b(checksum, sizeof(checksum), content, size);
+        if (mmapped)
+                munmap(content, size);
+
+        // calculate blake2 checksum
+        char str_checksum[(KEY_SIZE / 8) * 2 + 1];
+        int long unsigned i;
+        char *ptr = str_checksum;
+        for (i = 0; i < sizeof(checksum); i++, ptr += 2)
+                sprintf(ptr, "%02x", (unsigned char ) checksum[i]);
+
+        // build permissions string
+        char mode[10];
+        file_mode(fname, mode);
+
+        if (arg_init)
+                printf("%s\t%s\t%s\n", mode, str_checksum, fname);
+        else if (arg_check)
+                db_check(fname, str_checksum, mode);
+        else
+                assert(0);
+
+        f_scanned++;
+        if (f_scanned % 500 == 0)
+                fprintf(stderr, "%d ", f_scanned);
+        fflush(0);
+}
+
+void list_directory(const char *fname) {
+        assert(fname);
+        if (dir_level > MAX_DIR_LEVEL) {
+                fprintf(stderr, "Warning fids: maximum depth level exceeded for %s\n", fname);
+                return;
+        }
+
+        if (db_exclude_check(fname))
+                return;
+
+        if (is_link(fname))
+                return;
+
+        if (!is_dir(fname)) {
+                file_checksum(fname);
+                return;
+        }
+
+        DIR *dir;
+        struct dirent *entry;
+
+        if (!(dir = opendir(fname)))
+                return;
+
+        dir_level++;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                char *path;
+                if (asprintf(&path, "%s/%s", fname, entry->d_name) == -1)
+                        errExit("asprintf");
+                list_directory(path);
+                free(path);
+        }
+        closedir(dir);
+        dir_level--;
+}
+
+void globbing(const char *fname) {
+        assert(fname);
+
+        // filter top directory
+        if (strcmp(fname, "/") == 0)
+                return;
+
+        glob_t globbuf;
+        int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error fids: failed to glob pattern %s\n", fname);
+                exit(1);
+        }
+
+        long unsigned i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *path = globbuf.gl_pathv[i];
+                assert(path);
+
+                list_directory(path);
+        }
+
+        globfree(&globbuf);
+}
+
+static void process_config(const char *fname) {
+        assert(fname);
+
+        if (++include_level >= MAX_INCLUDE_LEVEL) {
+                fprintf(stderr, "Error ids: maximum include level for config files exceeded\n");
+                exit(1);
+        }
+
+        // make sure the file is owned by root
+        struct stat s;
+        if (stat(fname, &s)) {
+                if (include_level == 1) {
+                        fprintf(stderr, "Error ids: config file not found\n");
+                        exit(1);
+                }
+                return;
+        }
+        if (s.st_uid || s.st_gid) {
+                fprintf(stderr, "Error ids: config file not owned by root\n");
+                exit(1);
+        }
+
+        fprintf(stderr, "Loading %s config file\n", fname);
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error fids: cannot open config file %s\n", fname);
+                exit(1);
+        }
+
+        char buf[MAXBUF];
+        int line = 0;
+        while (fgets(buf, MAXBUF, fp)) {
+                line++;
+
+                // trim \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+
+                // comments
+                ptr = strchr(buf, '#');
+                if (ptr)
+                        *ptr = '\0';
+
+                // empty space
+                ptr = buf;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                char *start = ptr;
+
+                // empty line
+                if (*start == '\0')
+                        continue;
+
+                // trailing spaces
+                ptr = start + strlen(start);
+                ptr--;
+                while (*ptr == ' ' || *ptr == '\t')
+                        *ptr-- = '\0';
+
+                // replace ${HOME}
+                if (strncmp(start, "include", 7) == 0) {
+                        ptr = start + 7;
+                        if ((*ptr != ' ' && *ptr != '\t') || *ptr == '\0') {
+                                fprintf(stderr, "Error fids: invalid line %d in %s\n", line, fname);
+                                exit(1);
+                        }
+                        while (*ptr == ' ' || *ptr == '\t')
+                                ptr++;
+
+                        if (*ptr == '/')
+                                process_config(ptr);
+                        else {
+                                // assume the file is in /etc/firejail
+                                char *tmp;
+                                if (asprintf(&tmp, "/etc/firejail/%s", ptr) == -1)
+                                        errExit("asprintf");
+                                process_config(tmp);
+                                free(tmp);
+                        }
+                }
+                else if (*start == '!') {
+                        // exclude file or dir
+                        start++;
+                        if (strncmp(start, "${HOME}", 7))
+                                db_exclude_add(start);
+                        else {
+                                char *fname;
+                                if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+                                        errExit("asprintf");
+                                db_exclude_add(fname);
+                                free(fname);
+                        }
+                }
+                else if (strncmp(start, "${HOME}", 7))
+                        globbing(start);
+                else {
+                        char *fname;
+                        if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1)
+                                errExit("asprintf");
+                        globbing(fname);
+                        free(fname);
+                }
+        }
+
+        fclose(fp);
+        include_level--;
+}
+
+
+
+void usage(void) {
+        printf("Usage: fids [--help|-h|-?] --init|--check homedir\n");
+}
+
+int main(int argc, char **argv) {
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-h") == 0 ||
+                    strcmp(argv[i], "-?") == 0 ||
+                    strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--init") == 0)
+                        arg_init = 1;
+                else if (strcmp(argv[i], "--check") == 0)
+                        arg_check = 1;
+                else if (strncmp(argv[i], "--", 2) == 0) {
+                        fprintf(stderr, "Error fids: invalid argument %s\n", argv[i]);
+                        exit(1);
+                }
+        }
+
+        if (argc != 3) {
+                fprintf(stderr, "Error fids: invalid number of arguments\n");
+                exit(1);
+        }
+        arg_homedir = argv[2];
+
+        int op = arg_check + arg_init;
+        if (op == 0 || op == 2) {
+                fprintf(stderr, "Error fids: use either --init or --check\n");
+                exit(1);
+        }
+
+        if (arg_init) {
+                process_config(SYSCONFDIR"/ids.config");
+                fprintf(stderr, "\n%d files scanned\n", f_scanned);
+                fprintf(stderr, "IDS database initialized\n");
+        }
+        else if (arg_check) {
+                if (db_init()) {
+                        fprintf(stderr, "Error: IDS database not initialized, please run \"firejail --ids-init\"\n");
+                        exit(1);
+                }
+
+                process_config(SYSCONFDIR"/ids.config");
+                fprintf(stderr, "\n%d files scanned: modified %d, permissions %d, new %d, removed %d\n",
+                        f_scanned, f_modified, f_permissions, f_new, f_removed);
+                db_missing();
+        }
+        else
+                assert(0);
+
+        return 0;
+}
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index 0b2b03275..43329be46 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -1,40 +1,17 @@
+.PHONY: all
 all: firecfg
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
+include ../common.mk
 
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/firejail_user.h ../include/pid.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
+firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
 
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)  -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-firecfg: $(OBJS) ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-
-clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index c1d456147..06b0a117f 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -41,7 +41,7 @@ static int check_profile(const char *name, const char *homedir) {
                         printf("found %s\n", profname2);
                 rv = 1;
         }
-                
+
         free(profname1);
         free(profname2);
         return rv;
@@ -56,28 +56,34 @@ static int have_profile(const char *filename, const char *homedir) {
         if (arg_debug)
                 printf("checking profile for %s\n", filename);
 
-        // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop,
+        // we get strange names here, such as .org.gnome.gedit.desktop, com.uploadedlobster.peek.desktop,
         // or io.github.Pithos.desktop; extract the word before .desktop
-        
+        // TODO: implement proper fix for #2624 (names like org.gnome.Logs.desktop fall thru
+        // the 'last word' logic and don't get installed to ~/.local/share/applications
+
         char *tmpfname = strdup(filename);
         if (!tmpfname)
                 errExit("strdup");
-                
+
         // check .desktop extension
         int len = strlen(tmpfname);
-        if (len <= 8)
+        if (len <= 8) {
+                free(tmpfname);
                 return 0;
-        if (strcmp(tmpfname + len - 8, ".desktop"))
+        }
+        if (strcmp(tmpfname + len - 8, ".desktop")) {
+                free(tmpfname);
                 return 0;
+        }
         tmpfname[len - 8] = '\0';
-        
+
         // extract last word
         char *last_word = strrchr(tmpfname, '.');
         if (last_word)
                 last_word++;
         else
                 last_word = tmpfname;
-        
+
         // try lowercase
         last_word[0] = tolower(last_word[0]);
         int rv = check_profile(last_word, homedir);
@@ -85,7 +91,7 @@ static int have_profile(const char *filename, const char *homedir) {
                 free(tmpfname);
                 return rv;
         }
-        
+
         // try uppercase
         last_word[0] = toupper(last_word[0]);
         rv = check_profile(last_word, homedir);
@@ -108,12 +114,27 @@ void fix_desktop_files(char *homedir) {
         char *user_apps_dir;
         if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1)
                 errExit("asprintf");
+        printf("\nFixing desktop files in %s\n", user_apps_dir);
         if (stat(user_apps_dir, &sb) == -1) {
-                int rv = mkdir(user_apps_dir, 0700);
+                char *tmp;
+                if (asprintf(&tmp, "%s/.local", homedir) == -1)
+                        errExit("asprintf");
+                int rv = mkdir(tmp, 0755);
+                (void) rv;
+                free(tmp);
+
+                if (asprintf(&tmp, "%s/.local/share", homedir) == -1)
+                        errExit("asprintf");
+                rv = mkdir(tmp, 0755);
+                (void) rv;
+                free(tmp);
+
+                rv = mkdir(user_apps_dir, 0700);
                 if (rv) {
-                        fprintf(stderr, "Error: cannot create ~/.local/application directory\n");
                         perror("mkdir");
-                        exit(1);
+                        fprintf(stderr, "Warning: cannot create ~/.local/share/application directory, desktop files fixing skipped...\n");
+                        free(user_apps_dir);
+                        return;
                 }
                 rv = chmod(user_apps_dir, 0700);
                 (void) rv;
@@ -121,16 +142,15 @@ void fix_desktop_files(char *homedir) {
 
         // source
         DIR *dir = opendir("/usr/share/applications");
-        if (!dir) {
-                perror("Error: cannot open /usr/share/applications directory");
-                exit(1);
-        }
-        if (chdir("/usr/share/applications")) {
-                perror("Error: cannot chdir to /usr/share/applications");
-                exit(1);
+        if (!dir || chdir("/usr/share/applications")) {
+                perror("opendir");
+                fprintf(stderr, "Warning: cannot access /usr/share/applications directory, desktop files fixing skipped...\n");
+                free(user_apps_dir);
+                if (dir)
+                        closedir(dir);
+                return;
         }
 
-        printf("\nFixing desktop files in %s\n", user_apps_dir);
         // copy
         struct dirent *entry;
         while ((entry = readdir(dir)) != NULL) {
@@ -151,8 +171,6 @@ void fix_desktop_files(char *homedir) {
                 // skip links
                 if (is_link(filename))
                         continue;
-                if (stat(filename, &sb) == -1)
-                        errExit("stat");
 
                 // no profile in /etc/firejail, no desktop file fixing
                 if (!have_profile(filename, homedir))
@@ -161,23 +179,35 @@ void fix_desktop_files(char *homedir) {
                 //****************************************************
                 // load the file in memory and do some basic checking
                 //****************************************************
-                /* coverity[toctou] */
-                int fd = open(filename, O_RDONLY);
-                if (fd == -1) {
-                        fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
+                FILE *fp = fopen(filename, "r");
+                if (!fp) {
+                        fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
                         continue;
                 }
 
-                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-                if (buf == MAP_FAILED)
-                        errExit("mmap");
-                close(fd);
+                fseek(fp, 0, SEEK_END);
+                long size = ftell(fp);
+                if (size == -1)
+                        errExit("ftell");
+                fseek(fp, 0, SEEK_SET);
+                char *buf = malloc(size + 1);
+                if (!buf)
+                        errExit("malloc");
+
+                size_t loaded = fread(buf, size, 1, fp);
+                fclose(fp);
+                if (loaded != 1) {
+                        fprintf(stderr, "Warning: cannot read /usr/share/applications/%s\n", filename);
+                        free(buf);
+                        continue;
+                }
+                buf[size] = '\0';
 
                 // check format
                 if (strstr(buf, "[Desktop Entry]\n") == NULL) {
                         if (arg_debug)
                                 printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                         continue;
                 }
 
@@ -186,7 +216,7 @@ void fix_desktop_files(char *homedir) {
                 if (!ptr || strlen(ptr) < 7) {
                         if (arg_debug)
                                 printf("   %s - skipped: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                         continue;
                 }
 
@@ -195,11 +225,11 @@ void fix_desktop_files(char *homedir) {
                 if (execname[0] == '"') {
                         if (arg_debug)
                                 printf("   %s - skipped: path quoting unsupported\n", filename);
-                        munmap(buf, sb.st_size + 1);
+                        free(buf);
                         continue;
                 }
 
-                // try to decide if we need to covert this file
+                // try to decide if we need to convert this file
                 char *change_exec = NULL;
                 int change_dbus = 0;
 
@@ -228,13 +258,10 @@ void fix_desktop_files(char *homedir) {
                                 }
                         }
                 }
-                
-                if (change_exec == NULL && change_dbus == 0) {
-                        munmap(buf, sb.st_size + 1);
+
+                free(buf);
+                if (change_exec == NULL && change_dbus == 0)
                         continue;
-                }
-                
-                munmap(buf, sb.st_size + 1);
 
                 //****************************************************
                 // generate output file
@@ -245,19 +272,25 @@ void fix_desktop_files(char *homedir) {
 
                 if (stat(outname, &sb) == 0) {
                         printf("   %s skipped: file exists\n", filename);
+                        if (change_exec)
+                                free(change_exec);
                         continue;
                 }
-                
+
                 FILE *fpin = fopen(filename, "r");
                 if (!fpin) {
-                        fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
+                        fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+                        if (change_exec)
+                                free(change_exec);
                         continue;
                 }
-                
+
                 FILE *fpout = fopen(outname, "w");
                 if (!fpout) {
-                        fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname);
+                        fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
                         fclose(fpin);
+                        if (change_exec)
+                                free(change_exec);
                         continue;
                 }
                 fprintf(fpout, "# converted by firecfg\n");
@@ -277,9 +310,9 @@ void fix_desktop_files(char *homedir) {
                                         fprintf(fpout, "Exec=%s\n", change_exec);
                         }
                         else
-                                fprintf(fpout, "%s", fbuf);     
+                                fprintf(fpout, "%s", fbuf);
                 }
-                
+
                 if (change_exec)
                         free(change_exec);
                 fclose(fpin);
@@ -291,5 +324,3 @@ void fix_desktop_files(char *homedir) {
         closedir(dir);
         free(user_apps_dir);
 }
-
-
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 9baa6a6e4..698630180 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,161 +1,377 @@
 # /usr/lib/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
-# Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this
 #qemu-system-x86_64
 0ad
 2048-qt
+Books
+Builder
+Cheese
+Cryptocat
 Cyberfox
+Discord
+DiscordCanary
+Documents
 FossaMail
+Fritzing
+Gitter
+JDownloader
+Logs
+Maelstrom
+Maps
 Mathematica
 Natron
+PCSX2
+PPSSPPQt
+PPSSPPSDL
+QMediathekView
+QOwnNotes
+Screenshot
 Telegram
 Viber
 VirtualBox
-Wire
+XMind
 Xephyr
+ZeGrapher
+abiword
 abrowser
+akonadi_control
 akregator
+alacarte
+alpine
+alpinef
 amarok
 amule
+amuled
 android-studio
+anydesk
 apktool
+apostrophe
+# ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
+archaudit-report
 ardour4
 ardour5
 arduino
+aria2c
 ark
 arm
-atom
-atom-beta
-atool
+artha
+assogiate
+asunder
+# atom
+# atom-beta
+# atool - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 atril
+atril-previewer
+atril-thumbnailer
 audacious
 audacity
+audio-recorder
+authenticator
+authenticator-rs
+autokey-gtk
+autokey-qt
+autokey-run
+autokey-shell
+avidemux3_qt5
 aweather
+ballbuster
 baloo_file
+baloo_filemetadata_temp_extractor
+balsa
 baobab
+barrier
+basilisk
+bcompare
+beaker
 bibletime
+bijiben
+bitcoin-qt
 bitlbee
+bitwarden
 bleachbit
 blender
+blender-2.8
 bless
+blobby
+blobwars
 bluefish
+bnox
 brackets
 brasero
 brave
+brave-browser
+brave-browser-beta
+brave-browser-dev
+brave-browser-nightly
+brave-browser-stable
+# bunzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+bzflag
+# bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 calibre
 calligra
 calligraauthor
 calligraconverter
 calligraflow
+calligragemini
 calligraplan
 calligraplanwork
 calligrasheets
 calligrastage
 calligrawords
+cameramonitor
+cantata
 catfish
+cawbird
+celluloid
+checkbashisms
+cheese
 cherrytree
 chromium
 chromium-browser
+chromium-browser-privacy
+chromium-freeworld
 cin
 cinelerra
 clamdscan
 clamdtop
 clamscan
+clamtk
 claws-mail
+clawsker
 clementine
+clion
+clion-eap
+clipgrab
 clipit
 cliqz
+clocks
 cmus
+code
+code-oss
+cola
+colorful
+com.github.bleakgrey.tootle
+com.github.dahenson.agenda
+com.github.johnfactotum.Foliate
+com.github.phase1geo.minder
+com.gitlab.newsflash
 conkeror
 conky
+conplay
 corebird
+coyim
+crawl
+crawl-tiles
+crow
+cryptocat
 cvlc
 cyberfox
+d-feet
 darktable
+dconf-editor
+ddgr
+ddgtk
 deadbeef
 deluge
+desktopeditors
+devhelp
 dex2jar
 dia
+dig
 digikam
 dillo
 dino
+dino-im
+discord
+discord-canary
 display
+display-im6.q16
+dnox
 dnscrypt-proxy
 dnsmasq
-dolphin
+dolphin-emu
 dooble
 dooble-qt4
 dosbox
 dragon
+drawio
+drill
 dropbox
+easystroke
+ebook-convert
+ebook-edit
+ebook-meta
+ebook-polish
 ebook-viewer
+electron-mail
+electrum
+element-desktop
 elinks
 empathy
+enchant
+enchant-2
+enchant-lsmod
+enchant-lsmod-2
+engrampa
+enox
+enpass
 eog
 eom
-epiphany
+ephemeral
+#epiphany - see #2995
+equalx
+et
 etr
 evince
-evolution
+evince-previewer
+evince-thumbnailer
+#evolution - see #3647
+exfalso
 exiftool
+falkon
 fbreader
+feedreader
 feh
-ffmpeg
+ferdi
+#ffmpeg
+ffmpegthumbnailer
+ffplay
+ffprobe
 file-roller
 filezilla
+firedragon
 firefox
+firefox-beta
+firefox-developer-edition
 firefox-esr
 firefox-nightly
+firefox-wayland
+firefox-x11
+five-or-more
+flacsplt
+flameshot
 flashpeak-slimjet
 flowblade
+font-manager
 fontforge
+fossamail
+four-in-a-row
+fractal
 franz
 freecad
 freecadcmd
+freeciv
+freeciv-gtk3
+freeciv-mp-gtk3
+freecol
+freemind
+freeoffice-planmaker
+freeoffice-presentations
+freeoffice-textmaker
+freetube
 freshclam
+frogatto
 frozen-bubble
+funnyboat
 gajim
+gajim-history-manager
 galculator
+gallery-dl
+gapplication
+gcalccmd
+gcloud
+gconf-editor
 geany
 geary
 gedit
+geekbench
 geeqie
+gfeeds
 ghb
+ghostwriter
 gimp
+gimp-2.10
 gimp-2.8
+gist
+gist-paste
+git-cola
 gitg
+github-desktop
 gitter
-gjs
+# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
+gl-117
+glaxium
 globaltime
+gmpc
 gnome-2048
 gnome-books
+gnome-builder
 gnome-calculator
+gnome-calendar
+gnome-character-map
+gnome-characters
 gnome-chess
 gnome-clocks
 gnome-contacts
 gnome-documents
 gnome-font-viewer
+gnome-hexgl
+gnome-klotski
+gnome-latex
+gnome-logs
+gnome-mahjongg
 gnome-maps
+gnome-mines
 gnome-mplayer
+gnome-mpv
 gnome-music
+gnome-nettool
+gnome-nibbles
+gnome-passwordsafe
 gnome-photos
+gnome-pomodoro
+gnome-recipes
+gnome-robots
+gnome-schedule
+gnome-screenshot
+gnome-sound-recorder
+gnome-sudoku
+gnome-system-log
+gnome-taquin
+gnome-tetravex
+gnome-todo
 gnome-twitch
 gnome-weather
+gnote
+gnubik
+godot
 goobox
 google-chrome
 google-chrome-beta
 google-chrome-stable
 google-chrome-unstable
 google-earth
+google-earth-pro
 google-play-music-desktop-player
+googler
 gpa
 gpicview
 gpredict
+gradio
+gramps
+gravity-beams-and-evaporating-stars
 gthumb
+gtk-pipe-viewer
+gtk-straw-viewer
+gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
+gummi
 gwenview
 handbrake
 handbrake-gtk
@@ -163,43 +379,92 @@ hashcat
 hedgewars
 hexchat
 highlight
+hitori
+homebank
+host
 hugin
+hyperrogue
+iagno
 icecat
 icedove
 iceweasel
+idea
 idea.sh
+ideaIC
 imagej
 img2txt
+impressive
 inkscape
+inkview
 inox
+io.github.lainsce.Notejot
+ipcalc
+ipcalc-ng
 iridium
 iridium-browser
 jd-gui
+jdownloader
+jerry
 jitsi
+jitsi-meet-desktop
+jumpnbump
+jumpnbump-menu
 k3b
+kaffeine
+kalgebra
+kalgebramobile
 karbon
 kate
+kazam
 kcalc
+# kdeinit4
 kdenlive
+kdiff3
 keepass
 keepass2
 keepassx
 keepassx2
 keepassxc
+keepassxc-cli
+keepassxc-proxy
+# kfind
+kget
+kid3
+kid3-cli
+kid3-qt
 kino
+kiwix-desktop
+klatexformula
+klatexformula_cmdl
+klavaro
 kmail
+kmplayer
 knotes
 kodi
 konversation
+kopete
 krita
+# krunner
 ktorrent
+ktouch
+kube
+# kwin_x11
 kwrite
 leafpad
-less
+# less - breaks man
+librecad
 libreoffice
+librewolf
+librewolf-nightly
+lifeograph
 liferea
+lightsoff
+lincity-ng
+links
+links2
 linphone
 lmms
+lobase
 localc
 lodraw
 loffice
@@ -209,121 +474,365 @@ lollypop
 lomath
 loweb
 lowriter
+# lrunzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# lrz - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# lrzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 luminance-hdr
 lximage-qt
 lxmusic
 lynx
+lyx
 macrofusion
+magicor
+man
+manaplus
+marker
+masterpdfeditor
+masterpdfeditor4
+masterpdfeditor5
 mate-calc
 mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+matrix-mirage
+mattermost-desktop
 mcabber
+mcomix
 mediainfo
 mediathekview
+megaglest
+megaglest_editor
 meld
+mencoder
+mendeleydesktop
+menulibre
+meteo-qt
+microsoft-edge
+microsoft-edge-beta
+microsoft-edge-dev
 midori
+min
+mindless
+minecraft-launcher
 minetest
+minitube
+mirage
+mirrormagic
+mocp
 mousepad
+mp3splt
+mp3splt-gtk
+mp3wrap
+mpDris2
+mpg123
+mpg123-alsa
+mpg123-id3dump
+mpg123-jack
+mpg123-nas
+mpg123-openal
+mpg123-oss
+mpg123-portaudio
+mpg123-pulse
+mpg123-strip
+mpg123.bin
 mplayer
+mpsyt
 mpv
+mrrescue
+ms-excel
+ms-office
+ms-onenote
+ms-outlook
+ms-powerpoint
+ms-skype
+ms-word
+mtpaint
+multimc
 multimc5
 mumble
 mupdf
+mupdf-gl
+mupdf-x11
+mupdf-x11-curl
 mupen64plus
+muraster
 musescore
+musictube
+musixmatch
+mutool
 mutt
+mypaint
+mypaint-ora-thumbnailer
 natron
-nautilus
+ncdu
+ncdu2
+neochat
+neomutt
+netactview
+nethack
 netsurf
 neverball
+neverputt
+newsbeuter
+newsboat
+newsflash
+nextcloud
+nextcloud-desktop
+nheko
+nicotine
+nitroshare
+nitroshare-cli
+nitroshare-nmh
+nitroshare-send
+nitroshare-ui
+nomacs
+nslookup
+nuclear
 nylas
+nyx
 obs
+ocenaudio
 odt2txt
+oggsplt
 okular
+onboard
+onionshare-gui
+ooffice
+ooviewdoc
 open-invaders
+openarena
+openarena_ded
+opencity
+openclonk
+openmw
+openmw-launcher
+openoffice.org
 openshot
 openshot-qt
+openttd
 opera
 opera-beta
 orage
+ostrichriders
+otter-browser
+out123
 palemoon
+#pandoc
 parole
+patch
+pavucontrol
+pavucontrol-qt
+pcsxr
+pdfchain
 pdfmod
 pdfsam
 pdftotext
 peek
+penguin-command
+photoflare
 picard
 pidgin
+pinball
+#ping - disabled until we fix  #1912
 pingus
 pinta
+pioneer
+pipe-viewer
 pithos
+pitivi
 pix
+planmaker18
+planmaker18free
+playonlinux
 pluma
+plv
+pngquant
 polari
+ppsspp
+pragha
+presentations18
+presentations18free
+profanity
+psi
 psi-plus
+pybitmessage
+# pycharm-community - FB note: may enable later
+# pycharm-professional
+# pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
+qcomicbook
 qemu-launcher
+qgis
 qlipper
+qmmp
+qnapi
 qpdfview
+qt-faststart
 qtox
+quadrapassel
 quassel
+quaternion
 quiterss
 qupzilla
 qutebrowser
 rambox
-ranger
+redeclipse
+rednotebook
+redshift
+regextester
 remmina
 rhythmbox
+rhythmbox-client
 ricochet
+riot-desktop
 riot-web
+ripperx
 ristretto
 rocketchat
 rtorrent
+runenpass.sh
+sayonara
+scallion
+scorched3d
+scorchwentbonkers
 scribus
 sdat2img
+seahorse
+seahorse-adventures
+seahorse-daemon
+seahorse-tool
 seamonkey
 seamonkey-bin
+secret-tool
+shellcheck
+shortwave
 shotcut
+shotwell
+signal-cli
+signal-desktop
 silentarmy
 simple-scan
+simplescreenrecorder
 simutrans
 skanlite
-skype
 skypeforlinux
 slack
+slashem
 smplayer
+smtube
+smuxi-frontend-gnome
+snox
 soffice
+sol
+sound-juicer
 soundconverter
+spectacle
+spectral
 spotify
 sqlitebrowser
 ssh
 # ssh-agent - problems on Arch with Fish shell (#1568)
+standardnotes-desktop
 start-tor-browser
 steam
+steam-native
+steam-runtime
 stellarium
+straw-viewer
+strawberry
 strings
+studio.sh
+subdownloader
 supertux2
+supertuxkart
+surf
+sushi
+swell-foop
+sylpheed
 synfigstudio
+sysprof
+sysprof-cli
+tb-starter-wrapper
+teams
+teams-for-linux
 teamspeak3
+teeworlds
 telegram
 telegram-desktop
 terasology
+textmaker18
+textmaker18free
 thunderbird
+thunderbird-beta
+thunderbird-wayland
+tilp
+tor-browser
+tor-browser-ar
+tor-browser-ca
+tor-browser-cs
+tor-browser-da
+tor-browser-de
+tor-browser-el
 tor-browser-en
+tor-browser-en-us
+tor-browser-es
+tor-browser-es-es
+tor-browser-fa
+tor-browser-fr
+tor-browser-ga-ie
+tor-browser-he
+tor-browser-hu
+tor-browser-id
+tor-browser-is
+tor-browser-it
+tor-browser-ja
+tor-browser-ka
+tor-browser-ko
+tor-browser-nb
+tor-browser-nl
+tor-browser-pl
+tor-browser-pt-br
+tor-browser-ru
+tor-browser-sv-se
+tor-browser-tr
+tor-browser-vi
+tor-browser-zh-cn
+tor-browser-zh-tw
+torbrowser-launcher
+torcs
 totem
 tracker
+transgui
 transmission-cli
+transmission-create
+transmission-daemon
+transmission-edit
 transmission-gtk
 transmission-qt
+transmission-remote
+transmission-remote-cli
+transmission-remote-gtk
 transmission-show
+tremulous
+trojita
 truecraft
+tshark
+tutanota-desktop
 tuxguitar
+tvbrowser
+twitch
+udiskie
 uefitool
 uget-gtk
 unbound
+unf
 unknown-horizons
+# unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+utox
 uudeview
 uzbl-browser
 viewnior
@@ -331,39 +840,88 @@ viking
 virtualbox
 vivaldi
 vivaldi-beta
+vivaldi-snapshot
 vivaldi-stable
 vlc
+vmware
+vmware-player
+vmware-workstation
+vscodium
+vulturesclaw
+vultureseye
 vym
 w3m
+warmux
+warsow
 warzone2100
 waterfox
+waterfox-classic
+waterfox-current
+webstorm
 weechat
 weechat-curses
 wesnoth
 wget
+whalebird
+whois
+widelands
 wine
-wire
+wire-desktop
 wireshark
 wireshark-gtk
 wireshark-qt
+wordwarvi
+wpp
+wps
+wpspdf
+x2goclient
+xbill
+xcalc
 xchat
 xed
 xfburn
 xfce4-dict
+xfce4-mixer
 xfce4-notes
+xfce4-screenshooter
 xiphos
+xlinks
+xlinks2
 xmms
-xmr-stak-cpu
+xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
+xournal
+xournalpp
 xpdf
 xplayer
+xplayer-audio-preview
+xplayer-video-thumbnailer
 xpra
 xreader
+xreader-previewer
+xreader-thumbnailer
 xviewer
 yandex-browser
+yelp
+youtube
 youtube-dl
+youtube-dl-gui
+youtube-viewer
+youtubemusic-nativefier
+yt-dlp
+ytmdesktop
+zaproxy
 zart
 zathura
+zeal
+zim
 zoom
+# zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdgrep - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdless - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+# zstdmt - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
+zulip
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index c4640feb8..15826cf37 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,6 +17,8 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef FIRECFG_H
+#define FIRECFG_H
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <sys/types.h>
@@ -49,3 +51,4 @@ void sound(void);
 // desktop_files.c
 void fix_desktop_files(char *homedir);
 
+#endif
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 1cdd39c1f..363000e15 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,47 +19,55 @@
 */
 
 #include "firecfg.h"
+#include "../include/firejail_user.h"
 int arg_debug = 0;
+char *arg_bindir = "/usr/local/bin";
+
+static char *usage_str =
+        "Firecfg is the desktop configuration utility for Firejail software. The utility\n"
+        "creates several symbolic links to firejail executable. This allows the user to\n"
+        "sandbox applications automatically, just by clicking on a regular desktop\n"
+        "menus and icons.\n\n"
+        "The symbolic links are placed in /usr/local/bin. For more information, see\n"
+        "DESKTOP INTEGRATION section in man 1 firejail.\n\n"
+        "Usage: firecfg [OPTIONS]\n\n"
+        "   --add-users user [user] - add the users to Firejail user access database.\n\n"
+        "   --bindir=directory - install in directory instead of /usr/local/bin.\n\n"
+        "   --clean - remove all firejail symbolic links.\n\n"
+        "   --debug - print debug messages.\n\n"
+        "   --fix - fix .desktop files.\n\n"
+        "   --fix-sound - create ~/.config/pulse/client.conf file.\n\n"
+        "   --help, -? - this help screen.\n\n"
+        "   --list - list all firejail symbolic links.\n\n"
+        "   --version - print program version and exit.\n\n"
+        "Example:\n\n"
+        "   $ sudo firecfg\n"
+        "   /usr/local/bin/firefox created\n"
+        "   /usr/local/bin/vlc created\n"
+        "   [...]\n"
+        "   $ firecfg --list\n"
+        "   /usr/local/bin/firefox\n"
+        "   /usr/local/bin/vlc\n"
+        "   [...]\n"
+        "   $ sudo firecfg --clean\n"
+        "   /usr/local/bin/firefox removed\n"
+        "   /usr/local/bin/vlc removed\n"
+        "   [...]\n"
+        "\n"
+        "License GPL version 2 or later\n"
+        "Homepage: https://firejail.wordpress.com\n\n";
 
 static void usage(void) {
         printf("firecfg - version %s\n\n", VERSION);
-        printf("Firecfg is the desktop configuration utility for Firejail software. The utility\n");
-        printf("creates several symbolic links to firejail executable. This allows the user to\n");
-        printf("sandbox applications automatically, just by clicking on a regular desktop\n");
-        printf("menus and icons.\n\n");
-        printf("The symbolic links are placed in /usr/local/bin. For more information, see\n");
-        printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n");
-        printf("Usage: firecfg [OPTIONS]\n\n");
-        printf("   --clean - remove all firejail symbolic links.\n\n");
-        printf("   --debug - print debug messages.\n\n");
-        printf("   --fix - fix .desktop files.\n\n");
-        printf("   --fix-sound - create ~/.config/pulse/client.conf file.\n\n");
-        printf("   --help, -? - this help screen.\n\n");
-        printf("   --list - list all firejail symbolic links.\n\n");
-        printf("   --version - print program version and exit.\n\n");
-        printf("Example:\n\n");
-        printf("   $ sudo firecfg\n");
-        printf("   /usr/local/bin/firefox created\n");
-        printf("   /usr/local/bin/vlc created\n");
-        printf("   [...]\n");
-        printf("   $ firecfg --list\n");
-        printf("   /usr/local/bin/firefox\n");
-        printf("   /usr/local/bin/vlc\n");
-        printf("   [...]\n");
-        printf("   $ sudo firecfg --clean\n");
-        printf("   /usr/local/bin/firefox removed\n");
-        printf("   /usr/local/bin/vlc removed\n");
-        printf("   [...]\n");
-        printf("\n");
-        printf("License GPL version 2 or later\n");
-        printf("Homepage: http://firejail.wordpress.com\n\n");
+        puts(usage_str);
 }
 
 
 static void list(void) {
-        DIR *dir = opendir("/usr/local/bin");
+        DIR *dir = opendir(arg_bindir);
         if (!dir) {
-                fprintf(stderr, "Error: cannot open /usr/local/bin directory\n");
+                perror("opendir");
+                fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir);
                 exit(1);
         }
 
@@ -73,7 +81,7 @@ static void list(void) {
                         continue;
 
                 char *fullname;
-                if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
+                if (asprintf(&fullname, "%s/%s", arg_bindir, entry->d_name) == -1)
                         errExit("asprintf");
 
                 if (is_link(fullname)) {
@@ -91,15 +99,13 @@ static void list(void) {
         free(firejail_exec);
 }
 
-static void clear(void) {
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to run this command\n");
-                exit(1);
-        }
+static void clean(void) {
+        printf("Removing all firejail symlinks:\n");
 
-        DIR *dir = opendir("/usr/local/bin");
+        DIR *dir = opendir(arg_bindir);
         if (!dir) {
-                fprintf(stderr, "Error: cannot open /usr/local/bin directory\n");
+                perror("opendir");
+                fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir);
                 exit(1);
         }
 
@@ -113,15 +119,21 @@ static void clear(void) {
                         continue;
 
                 char *fullname;
-                if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
+                if (asprintf(&fullname, "%s/%s", arg_bindir, entry->d_name) == -1)
                         errExit("asprintf");
 
                 if (is_link(fullname)) {
                         char* fname = realpath(fullname, NULL);
                         if (fname) {
                                 if (strcmp(fname, firejail_exec) == 0) {
-                                        printf("%s removed\n", fullname);
-                                        unlink(fullname);
+                                        char *ptr = strrchr(fullname, '/');
+                                        assert(ptr);
+                                        ptr++;
+                                        int rv = unlink(fullname);
+                                        if (rv)
+                                                fprintf(stderr, "Warning: cannot remove %s\n", fullname);
+                                        else
+                                                printf("   %s removed\n", ptr);
                                 }
                                 free(fname);
                         }
@@ -131,6 +143,7 @@ static void clear(void) {
 
         closedir(dir);
         free(firejail_exec);
+        printf("\n");
 }
 
 static void set_file(const char *name, const char *firejail_exec) {
@@ -138,7 +151,7 @@ static void set_file(const char *name, const char *firejail_exec) {
                 return;
 
         char *fname;
-        if (asprintf(&fname, "/usr/local/bin/%s", name) == -1)
+        if (asprintf(&fname, "%s/%s", arg_bindir, name) == -1)
                 errExit("asprintf");
 
         struct stat s;
@@ -151,6 +164,9 @@ static void set_file(const char *name, const char *firejail_exec) {
                 else
                         printf("   %s created\n", name);
         }
+        else {
+          fprintf(stderr, "Warning: cannot create %s - already exists! Skipping...\n", fname);
+        }
 
         free(fname);
 }
@@ -168,10 +184,11 @@ static void set_links_firecfg(void) {
         // parse /usr/lib/firejail/firecfg.cfg file
         FILE *fp = fopen(cfgfile, "r");
         if (!fp) {
+                perror("fopen");
                 fprintf(stderr, "Error: cannot open %s\n", cfgfile);
                 exit(1);
         }
-        printf("Configuring symlinks in /usr/local/bin based on firecfg.config\n");
+        printf("Configuring symlinks in %s based on firecfg.config\n", arg_bindir);
 
         char buf[MAX_BUF];
         int lineno = 0;
@@ -229,11 +246,12 @@ static void set_links_homedir(const char *homedir) {
                 errExit("asprintf");
 
         // parse ~/.config/firejail/ directory
-        printf("\nConfiguring symlinks in /usr/local/bin based on local firejail config directory\n");
+        printf("\nConfiguring symlinks in %s based on local firejail config directory\n", arg_bindir);
 
         DIR *dir = opendir(dirname);
         if (!dir) {
-                fprintf(stderr, "Error: cannot open ~/.config/firejail directory\n");
+                perror("opendir");
+                fprintf(stderr, "Error: cannot open %s directory\n", dirname);
                 free(dirname);
                 return;
         }
@@ -265,9 +283,74 @@ static void set_links_homedir(const char *homedir) {
         free(firejail_exec);
 }
 
+static char *get_user(void) {
+        char *user = getenv("SUDO_USER");
+        if (!user) {
+                user = getpwuid(getuid())->pw_name;
+                if (!user) {
+                        fprintf(stderr, "Error: cannot detect login user\n");
+                        exit(1);
+                }
+        }
+
+        return user;
+}
+
+static char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+        // find home directory
+        struct passwd *pw = getpwnam(user);
+        if (!pw)
+                goto errexit;
+
+        char *home = pw->pw_dir;
+        if (!home)
+                goto errexit;
+
+        *uid = pw->pw_uid;
+        *gid = pw->pw_gid;
+
+        return home;
+
+errexit:
+        fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+        exit(1);
+}
 
 int main(int argc, char **argv) {
         int i;
+        int bindir_set = 0;
+
+        // user setup
+        char *user = get_user();
+        assert(user);
+        uid_t uid;
+        gid_t gid;
+        char *home = get_homedir(user, &uid, &gid);
+
+
+        // check for --bindir
+        for (i = 1; i < argc; i++) {
+                if (strncmp(argv[i], "--bindir=", 9) == 0) {
+                        if (strncmp(argv[i] + 9, "~/", 2) == 0) {
+                                if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1)
+                                        errExit("asprintf");
+                        }
+                        else
+                                arg_bindir = argv[i] + 9;
+                        bindir_set = 1;
+
+                        // exit if the directory does not exist, or if we don't have access to it
+                        if (access(arg_bindir, R_OK | W_OK | X_OK)) {
+                                if (errno == EACCES)
+                                        fprintf(stderr, "Error: firecfg needs full permissions on directory %s\n", arg_bindir);
+                                else {
+                                        perror("access");
+                                        fprintf(stderr, "Error: cannot access directory %s\n", arg_bindir);
+                                }
+                                exit(1);
+                        }
+                }
+        }
 
         for (i = 1; i < argc; i++) {
                 // default options
@@ -283,19 +366,10 @@ int main(int argc, char **argv) {
                         return 0;
                 }
                 else if (strcmp(argv[i], "--clean") == 0) {
-                        clear();
+                        clean();
                         return 0;
                 }
                 else if (strcmp(argv[i], "--fix") == 0) {
-                        // find home directory
-                        struct passwd *pw = getpwuid(getuid());
-                        if (!pw) {
-                                goto errexit;
-                        }
-                        char *home = pw->pw_dir;
-                        if (!home) {
-                                goto errexit;
-                        }
                         fix_desktop_files(home);
                         return 0;
                 }
@@ -307,21 +381,42 @@ int main(int argc, char **argv) {
                         sound();
                         return 0;
                 }
+                else if (strcmp(argv[i], "--add-users") == 0) {
+                        int j;
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: you need to be root to use this option\n");
+                                exit(1);
+                        }
+
+                        // set umask, access database must be world-readable
+                        umask(022);
+                        for (j = i + 1; j < argc; j++) {
+                                printf("Adding user %s to Firejail access database in %s/firejail.users\n", argv[j], SYSCONFDIR);
+                                firejail_user_add(argv[j]);
+                        }
+                        return 0;
+                }
                 else {
-                        fprintf(stderr, "Error: invalid command line option\n");
-                        usage();
-                        return 1;
+                        if (strncmp(argv[i], "--bindir=", 9) != 0) { // already handled
+                                fprintf(stderr, "Error: invalid command line option\n");
+                                usage();
+                                return 1;
+                        }
                 }
         }
 
+        if (arg_debug)
+                printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
+
         // set symlinks in /usr/local/bin
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n");
+        if (bindir_set == 0 && getuid() != 0) {
+                fprintf(stderr, "Error: cannot set the symbolic links in %s\n", arg_bindir);
                 fprintf(stderr, "The proper way to run this command is \"sudo firecfg\".\n");
                 return 1;
         }
-        else {
+        else if (bindir_set == 0) {
                 // create /usr/local directory if it doesn't exist (Solus distro)
+                mode_t orig_umask = umask(022); // temporarily set the umask
                 struct stat s;
                 if (stat("/usr/local", &s) != 0) {
                         printf("Creating /usr/local directory\n");
@@ -331,58 +426,69 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
-                if (stat("/usr/local/bin", &s) != 0) {
-                        printf("Creating /usr/local directory\n");
-                        int rv = mkdir("/usr/local/bin", 0755);
+                if (stat(arg_bindir, &s) != 0) {
+                        printf("Creating %s directory\n", arg_bindir);
+                        int rv = mkdir(arg_bindir, 0755);
                         if (rv != 0) {
-                                fprintf(stderr, "Error: cannot create /usr/local/bin directory\n");
+                                fprintf(stderr, "Error: cannot create %s directory\n", arg_bindir);
                                 return 1;
                         }
                 }
+                umask(orig_umask);
         }
-        set_links_firecfg();
 
+        // clear all symlinks
+        clean();
 
+        // set new symlinks based on /usr/lib/firejail/firecfg.cfg
+        set_links_firecfg();
 
-        // switch to the local user, and fix desktop files
-        char *user = getlogin();
-        if (!user) {
-                user = getenv("SUDO_USER");
-                if (!user) {
-                        goto errexit;
+        if (getuid() == 0) {
+                // add user to firejail access database - only for root
+                printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
+                // temporarily set the umask, access database must be world-readable
+                mode_t orig_umask = umask(022);
+                firejail_user_add(user);
+                umask(orig_umask);
+
+#ifdef HAVE_APPARMOR
+                // enable firejail apparmor profile
+                struct stat s;
+                if (stat("/sbin/apparmor_parser", &s) == 0) {
+                        char *cmd;
+
+                        // SYSCONFDIR points to /etc/firejail, we have to go on level up (..)
+                        printf("\nLoading AppArmor profile\n");
+                        if (asprintf(&cmd, "/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default %s/../apparmor.d/firejail-default", SYSCONFDIR) == -1)
+                                errExit("asprintf");
+                        int rv = system(cmd);
+                        (void) rv;
+                        free(cmd);
                 }
+#endif
         }
 
-        if (user) {
-                // find home directory
-                struct passwd *pw = getpwnam(user);
-                if (!pw) {
-                        goto errexit;
-                }
-                char *home = pw->pw_dir;
-                if (!home) {
-                        goto errexit;
-                }
 
-                // running as root
-                set_links_homedir(home);
 
-                // drop permissions
+        // set new symlinks based on ~/.config/firejail directory
+        set_links_homedir(home);
+
+        // drop permissions
+        if (getuid() == 0) {
                 if (setgroups(0, NULL) < 0)
                         errExit("setgroups");
-                // set uid/gid
-                if (setgid(pw->pw_gid) < 0)
+                if (setgid(gid) < 0)
                         errExit("setgid");
-                if (setuid(pw->pw_uid) < 0)
+                if (setuid(uid) < 0)
                         errExit("setuid");
-                if (arg_debug)
-                        printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
-                fix_desktop_files(home);
         }
 
-        return 0;
+        if (arg_debug)
+                printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
 
-errexit:
-        fprintf(stderr, "Error: cannot detect login user in order to set desktop files in ~/.local/share/applications\n");
-        return 1;
+        // if runs as regular user, fix .desktop files in ~/.local/share/applications directory
+        if (getuid() != 0)
+                fix_desktop_files(home);
+
+        return 0;
 }
diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c
index 9dfb305cd..e3fcdbd83 100644
--- a/src/firecfg/sound.c
+++ b/src/firecfg/sound.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -41,10 +41,13 @@ void sound(void) {
         char *fname;
         if (asprintf(&fname, "%s/.config/pulse/client.conf", home) == -1)
                 errExit("asprintf");
+        printf("Writing file %s\n", fname);
         FILE *fpout = fopen(fname, "w");
-        free(fname);
-        if (!fpout)
+        if (!fpout) {
+                perror("fopen");
                 goto errexit;
+        }
+        free(fname);
 
         // copy default config
         char buf[MAX_BUF];
@@ -62,4 +65,3 @@ errexit:
         fprintf(stderr, "Error: cannot configure sound file\n");
         exit(1);
 }
-
diff --git a/src/firecfg/util.c b/src/firecfg/util.c
index 4520e75e8..14d90b549 100644
--- a/src/firecfg/util.c
+++ b/src/firecfg/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -58,9 +58,15 @@ int which(const char *program) {
                 // use path2 to count the entries
                 char *ptr = strtok(path2, ":");
                 while (ptr) {
-                        if (find(program, ptr)) {
-                                free(path2);
-                                return 1;
+                        // Ubuntu 18.04 is adding  /snap/bin to PATH;
+                        // they populate /snap/bin with symbolic links to /usr/bin/ programs;
+                        // most symlinked programs are not installed by default.
+                        // Removing /snap/bin from our search
+                        if (strcmp(ptr, "/snap/bin") != 0) {
+                                if (find(program, ptr)) {
+                                        free(path2);
+                                        return 1;
+                                }
                         }
                         ptr = strtok(NULL, ":");
                 }
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 146bf8242..793d2cdd1 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -1,45 +1,17 @@
+.PHONY: all
 all: firejail
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
+include ../common.mk
 
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-HAVE_GCOV=@HAVE_GCOV@
-HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall_i386.h ../include/syscall_x86_64.h ../include/firejail_user.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"'  $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
-
-clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 0f7ab40ff..2266fa499 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,10 +17,11 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-// http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=770fe30a46a12b6fb6b63fbe1737654d28e84844
+// https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=770fe30a46a12b6fb6b63fbe1737654d28e84844
 // sudo mount -o loop krita-3.0-x86_64.appimage mnt
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -29,7 +30,8 @@
 #include <errno.h>
 
 static char *devloop = NULL;    // device file
-static char *mntdir = NULL;     // mount point in /tmp directory
+static long unsigned size = 0;  // offset into appimage file
+#define MAXBUF 4096
 
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
@@ -38,36 +40,66 @@ static void err_loop(void) {
 }
 #endif
 
+// return 1 if found
+int appimage_find_profile(const char *archive) {
+        assert(archive);
+        assert(strlen(archive));
+
+        // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config
+        FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config");
+                exit(1);
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (*buf == '#')
+                        continue;
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                if (strcasestr(archive, buf)) {
+                        fclose(fp);
+                        return profile_find_firejail(buf, 1);
+                }
+        }
+
+        fclose(fp);
+        return 0;
+
+}
+
+
 void appimage_set(const char *appimage) {
         assert(appimage);
         assert(devloop == NULL);        // don't call this twice!
         EUID_ASSERT();
 
 #ifdef LOOP_CTL_GET_FREE
-        // check appimage file
-        invalid_filename(appimage);
-        if (access(appimage, R_OK) == -1) {
-                fprintf(stderr, "Error: cannot access AppImage file\n");
+        // open appimage file
+        invalid_filename(appimage, 0); // no globbing
+        int ffd = open(appimage, O_RDONLY|O_CLOEXEC);
+        if (ffd == -1) {
+                fprintf(stderr, "Error: cannot read AppImage file\n");
+                exit(1);
+        }
+        struct stat s;
+        if (fstat(ffd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                fprintf(stderr, "Error: invalid AppImage file\n");
                 exit(1);
         }
 
         // get appimage type and ELF size
         // a value of 0 means we are dealing with a type1 appimage
-        long unsigned int size = appimage2_size(appimage);
+        size = appimage2_size(ffd);
         if (arg_debug)
                 printf("AppImage ELF size %lu\n", size);
 
-        // open appimage file
-        /* coverity[toctou] */
-        int ffd = open(appimage, O_RDONLY|O_CLOEXEC);
-        if (ffd == -1) {
-                fprintf(stderr, "Error: cannot open AppImage file\n");
-                exit(1);
-        }
-
         // find or allocate a free loop device to use
         EUID_ROOT();
-        int cfd = open("/dev/loop-control", O_RDWR);
+        int cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC);
         if (cfd == -1)
                 err_loop();
         int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
@@ -77,7 +109,8 @@ void appimage_set(const char *appimage) {
         if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
                 errExit("asprintf");
 
-        int lfd = open(devloop, O_RDONLY);
+        // associate loop device with appimage
+        int lfd = open(devloop, O_RDONLY|O_CLOEXEC);
         if (lfd == -1)
                 err_loop();
         if (ioctl(lfd, LOOP_SET_FD, ffd) == -1)
@@ -90,96 +123,64 @@ void appimage_set(const char *appimage) {
                 if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
                         err_loop();
         }
-
         close(lfd);
         close(ffd);
         EUID_USER();
 
-        // creates appimage mount point perms 0700
-        if (asprintf(&mntdir, "%s/.appimage-%u",  RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
-                errExit("asprintf");
-        EUID_ROOT();
-        mkdir_attr(mntdir, 0700, getuid(), getgid());
-        EUID_USER();
-
-        // mount
-        char *mode;
-        if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
-                errExit("asprintf");
-        EUID_ROOT();
-
-        if (size == 0) {
-                if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
-                        errExit("mounting appimage");
-        }
-        else {
-                if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
-                        errExit("mounting appimage");
-        }
+        // set environment
+        char* abspath = realpath(appimage, NULL);
+        if (abspath == NULL)
+                errExit("Failed to obtain absolute path");
+        env_store_name_val("APPIMAGE", abspath, SETENV);
+        free(abspath);
 
-        if (arg_debug)
-                printf("appimage mounted on %s\n", mntdir);
-        EUID_USER();
+        env_store_name_val("APPDIR", RUN_FIREJAIL_APPIMAGE_DIR, SETENV);
 
-        // set environment
-        if (setenv("APPIMAGE", appimage, 1) < 0)
-                errExit("setenv");
-        if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
-                errExit("setenv");
+        if (size != 0)
+                env_store_name_val("ARGV0", appimage, SETENV);
 
-        // build new command line
-        if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
-                errExit("asprintf");
+        if (cfg.cwd)
+                env_store_name_val("OWD", cfg.cwd, SETENV);
 
-        free(mode);
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
 #else
         fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
         exit(1);
 #endif
 }
 
-void appimage_clear(void) {
-        int rv;
+// mount appimage into sandbox file system
+void appimage_mount(void) {
+        if (!devloop)
+                return;
 
-        EUID_ROOT();
-        if (mntdir) {
-                int i;
-                int rv = 0;
-                for (i = 0; i < 5; i++) {
-                        rv = umount2(mntdir, MNT_FORCE);
-                        if (rv == 0) {
-                                if (!arg_quiet)
-                                        printf("AppImage unmounted\n");
-
-                                break;
-                        }
-                        if (rv == -1 && errno == EBUSY) {
-                                fwarning("EBUSY error trying to unmount %s\n", mntdir);
-                                sleep(2);
-                                continue;
-                        }
-
-                        // rv = -1
-                        if (!arg_quiet) {
-                                fwarning("error trying to unmount %s\n", mntdir);
-                                perror("umount");
-                        }
-                }
+        unsigned long flags = MS_MGC_VAL|MS_RDONLY;
+        if (getuid())
+                flags |= MS_NODEV|MS_NOSUID;
 
-                if (rv == 0) {
-                        rmdir(mntdir);
-                        free(mntdir);
-                }
+        if (size == 0) {
+                fmessage("Mounting appimage type 1\n");
+                char *mode;
+                if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
+                        errExit("asprintf");
+                if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "iso9660", flags, mode) < 0)
+                        errExit("mounting appimage");
+                free(mode);
         }
+        else {
+                fmessage("Mounting appimage type 2\n");
+                if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "squashfs", flags, NULL) < 0)
+                        errExit("mounting appimage");
+        }
+}
 
+void appimage_clear(void) {
+        EUID_ROOT();
         if (devloop) {
-                int lfd = open(devloop, O_RDONLY);
+                int lfd = open(devloop, O_RDONLY|O_CLOEXEC);
                 if (lfd != -1) {
-                        rv = ioctl(lfd, LOOP_CLR_FD, 0);
-                        (void) rv;
+                        if (ioctl(lfd, LOOP_CLR_FD, 0) != -1)
+                                fmessage("AppImage detached\n");
                         close(lfd);
                 }
         }
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
index c750f9028..43ca501da 100644
--- a/src/firejail/appimage_size.c
+++ b/src/firejail/appimage_size.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 /*
+    This code borrows heavily from src/libappimage_shared/elf.c in libappimage
+ */
+/*
 Compile with:
 gcc elfsize.c -o elfsize
 Example:
@@ -74,7 +77,10 @@ static uint64_t file64_to_cpu(uint64_t val) {
 // return 0 if error
 static long unsigned int read_elf32(int fd) {
         Elf32_Ehdr ehdr32;
+        Elf32_Shdr shdr32;
+        off_t last_shdr_offset;
         ssize_t ret;
+        unsigned long sht_end, last_section_end;
 
         ret = pread(fd, &ehdr32, sizeof(ehdr32), 0);
         if (ret < 0 || (size_t)ret != sizeof(ehdr))
@@ -84,14 +90,25 @@ static long unsigned int read_elf32(int fd) {
         ehdr.e_shentsize        = file16_to_cpu(ehdr32.e_shentsize);
         ehdr.e_shnum            = file16_to_cpu(ehdr32.e_shnum);
 
-        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+        last_shdr_offset = ehdr.e_shoff + (ehdr.e_shentsize * (ehdr.e_shnum - 1));
+        ret = pread(fd, &shdr32, sizeof(shdr32), last_shdr_offset);
+        if (ret < 0 || (size_t)ret != sizeof(shdr32))
+                return 0;
+
+        /* ELF ends either with the table of section headers (SHT) or with a section. */
+        sht_end = ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum);
+        last_section_end = file64_to_cpu(shdr32.sh_offset) + file64_to_cpu(shdr32.sh_size);
+        return sht_end > last_section_end ? sht_end : last_section_end;
 }
 
 
 // return 0 if error
 static long unsigned int read_elf64(int fd) {
         Elf64_Ehdr ehdr64;
+        Elf64_Shdr shdr64;
+        off_t last_shdr_offset;
         ssize_t ret;
+        unsigned long sht_end, last_section_end;
 
         ret = pread(fd, &ehdr64, sizeof(ehdr64), 0);
         if (ret < 0 || (size_t)ret != sizeof(ehdr))
@@ -101,33 +118,34 @@ static long unsigned int read_elf64(int fd) {
         ehdr.e_shentsize        = file16_to_cpu(ehdr64.e_shentsize);
         ehdr.e_shnum            = file16_to_cpu(ehdr64.e_shnum);
 
-        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+        last_shdr_offset = ehdr.e_shoff + (ehdr.e_shentsize * (ehdr.e_shnum - 1));
+        ret = pread(fd, &shdr64, sizeof(shdr64), last_shdr_offset);
+        if (ret < 0 || (size_t)ret != sizeof(shdr64))
+                return 0;
+
+        /* ELF ends either with the table of section headers (SHT) or with a section. */
+        sht_end = ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum);
+        last_section_end = file64_to_cpu(shdr64.sh_offset) + file64_to_cpu(shdr64.sh_size);
+        return sht_end > last_section_end ? sht_end : last_section_end;
 }
 
 
 // return 0 if error
 // return 0 if this is not an appimgage2 file
-long unsigned int appimage2_size(const char *fname) {
-/* TODO, FIXME: This assumes that the section header table (SHT) is
-the last part of the ELF. This is usually the case but
-it could also be that the last section is the last part
-of the ELF. This should be checked for.
-*/
+long unsigned int appimage2_size(int fd) {
         ssize_t ret;
-        int fd;
         long unsigned int size = 0;
 
-        fd = open(fname, O_RDONLY);
         if (fd < 0)
                 return 0;
 
         ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0);
         if (ret != EI_NIDENT)
-                goto getout;
+                return 0;
 
         if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) &&
              (ehdr.e_ident[EI_DATA] != ELFDATA2MSB))
-                goto getout;
+                return 0;
 
         if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) {
                 size = read_elf32(fd);
@@ -136,23 +154,19 @@ of the ELF. This should be checked for.
                 size = read_elf64(fd);
         }
         else {
-                goto getout;
+                return 0;
         }
         if (size == 0)
-                goto getout;
+                return 0;
 
 
         // look for a LZMA header at this location
         unsigned char buf[4];
         ret = pread(fd, buf, 4, size);
-        if (ret != 4) {
-                size = 0;
-                goto getout;
-        }
+        if (ret != 4)
+                return 0;
         if (memcmp(buf, "hsqs", 4) != 0)
-                size = 0;
+                return 0;
 
-getout:
-        close(fd);
         return size;
 }
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt
deleted file mode 100644
index cfed454f8..000000000
--- a/src/firejail/arg-checking.txt
+++ /dev/null
@@ -1,84 +0,0 @@
-arg checking:
-
-1. --output=filename
-        - not supported in profiles
-        - checking no "..",
-        - checking no link,
-        - checking no dir,
-        - checking same permissions,
-        - checking no hard links
-        - unit test
-
-2. --chroot=dirname
-        - not supported in profiles
-        - expand "~"
-        - checking no "..",
-        - checking is dir,
-        - checking no link
-        - checking directory structure
-        - unit test
-
-3. --bind=dirname1,dirname2, --bind=filename1,filenam2
-        - supported in profiles
-        - accepted only when running as root
-        - checking string chars
-        - checking no ".."
-        - unit test non root
-
-4. --tmpfs=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-
-5. --blacklist=filename, --blacklist=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-
-6. --read-only=filename, --read-only=dirname
-        - supported in profiles
-        - checking string chars
-        - checking no ".."
-        - unit test
-
-7. --profile=filename
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
-
-8. --private=dirname
-        - supported in profiles
-        - expand "~"
-        - check is dir
-        - check no link
-        - checking no ".."
-        - check same owner
-        - unit test
-
-9. --private-home=filelist
-        - supported in profiles
-        - checking no ".."
-        - checking file found
-        - checking same owner
-        - checking no link
-        - unit test
-
-10. --netfilter=filename
-        - supported in profiles
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
-
-11. --shell=filename
-        - not supported in profiles
-        - check access as real GID/UID
-        - checking no dir
-        - checking no link
-        - checking no ".."
-        - unit test
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index ffbc56841..c259fc0ad 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/socket.h>
 #include <sys/ioctl.h>
+#include <sys/time.h>
 #include <linux/if_ether.h>                       //TCP/IP Protocol Suite for Linux
 #include <net/if.h>
 #include <netinet/in.h>
@@ -45,7 +46,7 @@ typedef struct arp_hdr_t {
 void arp_announce(const char *dev, Bridge *br) {
         // RFC 5227 - using a source and destination IP address of the interface
         uint32_t srcaddr = br->ipsandbox;
-        uint32_t destaddr = br->ipsandbox;
+        uint32_t destaddr = srcaddr;
 
         if (strlen(dev) > IFNAMSIZ) {
                 fprintf(stderr, "Error: invalid network device name %s\n", dev);
@@ -66,7 +67,7 @@ void arp_announce(const char *dev, Bridge *br) {
         // Find interface MAC address
         struct ifreq ifr;
         memset(&ifr, 0, sizeof (ifr));
-        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+        strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1);
         if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
                 errExit("ioctl");
         close(sock);
@@ -78,7 +79,7 @@ void arp_announce(const char *dev, Bridge *br) {
                 errExit("if_nametoindex");
         addr.sll_family = AF_PACKET;
         memcpy (addr.sll_addr, ifr.ifr_hwaddr.sa_data, 6);
-        addr.sll_halen = htons(6);
+        addr.sll_halen = ETH_ALEN;
 
         // build the arp packet header
         ArpHdr hdr;
@@ -105,8 +106,7 @@ void arp_announce(const char *dev, Bridge *br) {
         if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
                 errExit("socket");
 
-        int len;
-        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                 errExit("send");
         fflush(0);
         close(sock);
@@ -138,7 +138,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
         // Find interface MAC address
         struct ifreq ifr;
         memset(&ifr, 0, sizeof (ifr));
-        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+        strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1);
         if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
                 errExit("ioctl");
         close(sock);
@@ -150,7 +150,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
                 errExit("if_nametoindex");
         addr.sll_family = AF_PACKET;
         memcpy (addr.sll_addr, ifr.ifr_hwaddr.sa_data, 6);
-        addr.sll_halen = htons(6);
+        addr.sll_halen = ETH_ALEN;
 
         // build the arp packet header
         ArpHdr hdr;
@@ -177,8 +177,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
         if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
                 errExit("socket");
 
-        int len;
-        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                 errExit("send");
         fflush(0);
 
@@ -190,9 +189,14 @@ int arp_check(const char *dev, uint32_t destaddr) {
         FD_SET(sock, &fds);
         int maxfd = sock;
         struct timeval ts;
-        ts.tv_sec = 0; // 0.5 seconds wait time
-        ts.tv_usec = 500000;
+        gettimeofday(&ts, NULL);
+        double timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5;
         while (1) {
+                gettimeofday(&ts, NULL);
+                double now = ts.tv_sec + ts.tv_usec / 1000000.0;
+                double timeout = timerend - now;
+                ts.tv_sec = timeout;
+                ts.tv_usec = (timeout - ts.tv_sec) * 1000000;
                 int nready = select(maxfd + 1,  &fds, (fd_set *) 0, (fd_set *) 0, &ts);
                 if (nready < 0)
                         errExit("select");
@@ -201,10 +205,10 @@ int arp_check(const char *dev, uint32_t destaddr) {
                                 close(sock);
                                 return 0;
                         }
-                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+                        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                                 errExit("send");
-                        ts.tv_sec = 0; // 0.5 seconds wait time
-                        ts.tv_usec = 500000;
+                        gettimeofday(&ts, NULL);
+                        timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5;
                         fflush(0);
                 }
                 else {
@@ -239,9 +243,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
                 }
         }
 
-        // it will never get here!
-        close(sock);
-        return -1;
+        __builtin_unreachable();
 }
 
 // assign a random IP address and check it
@@ -281,7 +283,7 @@ static uint32_t arp_random(const char *dev, Bridge *br) {
         int i = 0;
         for (i = 0; i < 10; i++) {
                 dest = start + ((uint32_t) rand()) % range;
-                if (dest == ifip)       // do not allow the interface address
+                if (dest == ifip || dest == cfg.defaultgw)      // do not allow the interface address or the default gateway
                         continue;               // try again
 
                 // if we've made it up to here, we have a valid address
@@ -329,7 +331,7 @@ static uint32_t arp_sequential(const char *dev, Bridge *br) {
 
         // loop through addresses and stop as soon as you find an unused one
         while (dest <= last) {
-                if (dest == ifip) {
+                if (dest == ifip || dest == cfg.defaultgw) {
                         dest++;
                         continue;
                 }
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 24d027d54..a085f2c27 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,6 +22,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <errno.h>
 #include <net/if.h>
 #include "firejail.h"
 
@@ -119,44 +120,21 @@ static void bandwidth_create_run_file(pid_t pid) {
         if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
-        // if the file already exists, do nothing
-        struct stat s;
-        if (stat(fname, &s) == 0) {
-                free(fname);
-                return;
-        }
-
         // create an empty file and set mod and ownership
-        /* coverity[toctou] */
-        FILE *fp = fopen(fname, "w");
-        if (fp) {
-                SET_PERMS_STREAM(fp, 0, 0, 0644);
-                fclose(fp);
-        }
-        else {
+        // if the file already exists, do nothing
+        FILE *fp = fopen(fname, "wxe");
+        free(fname);
+        if (!fp) {
+                if (errno == EEXIST)
+                        return;
                 fprintf(stderr, "Error: cannot create bandwidth file\n");
                 exit(1);
         }
 
-        free(fname);
-}
-
-// delete bandwidth file
-void bandwidth_del_run_file(pid_t pid) {
-        char *fname;
-        if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
-                errExit("asprintf");
-        unlink(fname);
-        free(fname);
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+        fclose(fp);
 }
 
-void network_del_run_file(pid_t pid) {
-        char *fname;
-        if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
-                errExit("asprintf");
-        unlink(fname);
-        free(fname);
-}
 
 void network_set_run_file(pid_t pid) {
         char *fname;
@@ -164,7 +142,7 @@ void network_set_run_file(pid_t pid) {
                 errExit("asprintf");
 
         // create an empty file and set mod and ownership
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(fname, "we");
         if (fp) {
                 if (cfg.bridge0.configured)
                         fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox);
@@ -194,7 +172,7 @@ static void read_bandwidth_file(pid_t pid) {
         if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp) {
                 char buf[1024];
                 while (fgets(buf, 1024,fp)) {
@@ -230,7 +208,7 @@ static void write_bandwidth_file(pid_t pid) {
         if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
                 errExit("asprintf");
 
-        FILE *fp = fopen(fname, "w");
+        FILE *fp = fopen(fname, "we");
         if (fp) {
                 IFBW *ptr = ifbw;
                 while (ptr) {
@@ -268,9 +246,8 @@ void bandwidth_remove(pid_t pid, const char *dev) {
         }
 
         // remove the file if there are no entries in the list
-        if (ifbw == NULL) {
-                 bandwidth_del_run_file(pid);
-        }
+        if (ifbw == NULL)
+                 delete_bandwidth_run_file(pid);
 }
 
 // add interface to run file
@@ -313,54 +290,7 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) {
 //***********************************
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) {
         EUID_ASSERT();
-        //************************
-        // verify sandbox
-        //************************
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (!comm) {
-                fprintf(stderr, "Error: cannot find sandbox\n");
-                exit(1);
-        }
-
-        // check for firejail sandbox
-        if (strcmp(comm, "firejail") != 0) {
-                fprintf(stderr, "Error: cannot find sandbox\n");
-                exit(1);
-        }
-        free(comm);
-
-        // check network namespace
-        char *name;
-        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
-                errExit("asprintf");
-        struct stat s;
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
-                exit(1);
-        }
-
-        //************************
-        // join the network namespace
-        //************************
-        pid_t child;
-        if (find_child(pid, &child) == -1) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
-
-        EUID_ROOT();
-        if (join_namespace(child, "net")) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
-
-        // set run file
-        if (strcmp(command, "set") == 0)
-                bandwidth_set(pid, dev, down, up);
-        else if (strcmp(command, "clear") == 0)
-                bandwidth_remove(pid, dev);
+        enter_network_namespace(pid);
 
         //************************
         // build command
@@ -371,7 +301,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                 char *fname;
                 if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
                         errExit("asprintf");
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 if (!fp) {
                         fprintf(stderr, "Error: cannot read network map file %s\n", fname);
                         exit(1);
@@ -391,6 +321,15 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                                 devname = strdup(buf + len + 1);
                                 if (!devname)
                                         errExit("strdup");
+                                // double-check device name
+                                size_t i;
+                                for (i = 0; devname[i]; i++) {
+                                        if (isalnum((unsigned char) devname[i]) == 0 &&
+                                            devname[i] != '-') {
+                                                fprintf(stderr, "Error: name of network device is invalid\n");
+                                                exit(1);
+                                        }
+                                }
                                 // check device in namespace
                                 if (if_nametoindex(devname) == 0) {
                                         fprintf(stderr, "Error: cannot find network device %s\n", devname);
@@ -403,6 +342,23 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
                 fclose(fp);
         }
 
+        // set run file
+        if (strcmp(command, "set") == 0) {
+                if (devname == NULL) {
+                        fprintf(stderr, "Error: cannot find a %s interface inside the sandbox\n", dev);
+                        exit(1);
+                }
+                bandwidth_set(pid, devname, down, up);
+        }
+        else if (strcmp(command, "clear") == 0) {
+                if (devname == NULL) {
+                        fprintf(stderr, "Error: cannot find a %s interface inside the sandbox\n", dev);
+                        exit(1);
+                }
+                bandwidth_remove(pid, devname);
+        }
+        else assert(strcmp(command, "status") == 0);
+
         // build fshaper.sh command
         char *cmd = NULL;
         if (devname) {
@@ -423,26 +379,16 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
         }
         assert(cmd);
 
-        // wipe out environment variables
-        environ = NULL;
-
         //************************
         // build command
         //************************
-        // elevate privileges
-        if (setreuid(0, 0))
-                errExit("setreuid");
-        if (setregid(0, 0))
-                errExit("setregid");
-
         char *arg[4];
         arg[0] = "/bin/sh";
         arg[1] = "-c";
         arg[2] = cmd;
         arg[3] = NULL;
         clearenv();
-        execvp(arg[0], arg);
+        sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
 
-        // it will never get here
-        errExit("execvp");
+        // it will never get here!!
 }
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 14f981a86..5e02b99c2 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -162,6 +162,21 @@ static CapsEntry capslist[] = {
 #else
         {"audit_read", 37 },
 #endif
+#ifdef CAP_PERFMON
+        {"perfmon", CAP_PERFMON },
+#else
+        {"perfmon", 38 },
+#endif
+#ifdef CAP_BPF
+        {"bpf", CAP_BPF },
+#else
+        {"bpf", 39 },
+#endif
+#ifdef CAP_CHECKPOINT_RESTORE
+        {"checkpoint_restore", CAP_CHECKPOINT_RESTORE },
+#else
+        {"checkpoint_restore", 40 },
+#endif
 
 //
 // end of generated code
@@ -374,7 +389,7 @@ static uint64_t extract_caps(int pid) {
                 errExit("asprintf");
 
         EUID_ROOT();    // grsecurity
-        FILE *fp = fopen(file, "r");
+        FILE *fp = fopen(file, "re");
         EUID_USER();    // grsecurity
         if (!fp)
                 goto errexit;
@@ -401,29 +416,11 @@ errexit:
 void caps_print_filter(pid_t pid) {
         EUID_ASSERT();
 
-        // if the pid is that of a firejail  process, use the pid of the first child process
-        EUID_ROOT();    // grsecurity
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();    // grsecurity
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                        }
-                }
-                free(comm);
-        }
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
 
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         uint64_t caps = extract_caps(pid);
         int i;
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 70f07dd23..e7ffbca36 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -26,7 +26,7 @@ void save_cgroup(void) {
         if (cfg.cgroup == NULL)
                 return;
 
-        FILE *fp = fopen(RUN_CGROUP_CFG, "w");
+        FILE *fp = fopen(RUN_CGROUP_CFG, "wxe");
         if (fp) {
                 fprintf(fp, "%s", cfg.cgroup);
                 fflush(0);
@@ -48,7 +48,7 @@ void load_cgroup(const char *fname) {
         if (!fname)
                 return;
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp) {
                 char buf[MAXBUF];
                 if (fgets(buf, MAXBUF, fp)) {
@@ -72,7 +72,7 @@ errout:
 void set_cgroup(const char *path) {
         EUID_ASSERT();
 
-        invalid_filename(path);
+        invalid_filename(path, 0); // no globbing
 
         // path starts with /sys/fs/cgroup
         if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
@@ -91,19 +91,19 @@ void set_cgroup(const char *path) {
                 goto errout;
 
         // tasks file exists
-        struct stat s;
-        if (stat(path, &s) == -1)
+        FILE *fp = fopen(path, "ae");
+        if (!fp)
                 goto errout;
-
         // task file belongs to the user running the sandbox
+        int fd = fileno(fp);
+        if (fd == -1)
+                errExit("fileno");
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
         if (s.st_uid != getuid() && s.st_gid != getgid())
                 goto errout2;
-
         // add the task to cgroup
-        /* coverity[toctou] */
-        FILE *fp = fopen(path,  "a");
-        if (!fp)
-                goto errout;
         pid_t pid = getpid();
         int rv = fprintf(fp, "%d\n", pid);
         (void) rv;
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7f371b299..06e6f0ccb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,8 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/seccomp.h"
+#include "../include/syscall.h"
 #include <sys/stat.h>
 #include <linux/loop.h>
 
@@ -31,6 +33,10 @@ char *xpra_extra_params = "";
 char *xvfb_screen = "800x600x24";
 char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
+unsigned long join_timeout = 5000000; // microseconds
+char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
+char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
         assert(val < CFG_MAX);
@@ -47,14 +53,15 @@ int checkcfg(int val) {
                 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
                 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
                 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
-                cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
                 cfg_val[CFG_DISABLE_MNT] = 0;
                 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
                 cfg_val[CFG_XPRA_ATTACH] = 0;
+                cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
+                cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
-                fp = fopen(fname, "r");
+                fp = fopen(fname, "re");
                 if (!fp) {
 #ifdef HAVE_GLOBALCFG
                         fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
@@ -72,137 +79,51 @@ int checkcfg(int val) {
                         if (*buf == '#' || *buf == '\n')
                                 continue;
 
+#define PARSE_YESNO(key, string) \
+                        else if (strncmp(ptr, string " ", strlen(string)+1) == 0) { \
+                                if (strcmp(ptr + strlen(string) + 1, "yes") == 0) \
+                                        cfg_val[key] = 1; \
+                                else if (strcmp(ptr + strlen(string) + 1, "no") == 0) \
+                                        cfg_val[key] = 0; \
+                                else \
+                                        goto errout; \
+                        }
+
                         // parse line
                         ptr = line_remove_spaces(buf);
                         if (!ptr)
                                 continue;
+                        PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer")
+                        PARSE_YESNO(CFG_DBUS, "dbus")
+                        PARSE_YESNO(CFG_JOIN, "join")
+                        PARSE_YESNO(CFG_X11, "x11")
+                        PARSE_YESNO(CFG_APPARMOR, "apparmor")
+                        PARSE_YESNO(CFG_BIND, "bind")
+                        PARSE_YESNO(CFG_CGROUP, "cgroup")
+                        PARSE_YESNO(CFG_NAME_CHANGE, "name-change")
+                        PARSE_YESNO(CFG_USERNS, "userns")
+                        PARSE_YESNO(CFG_CHROOT, "chroot")
+                        PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
+                        PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
+                        PARSE_YESNO(CFG_SECCOMP, "seccomp")
+                        PARSE_YESNO(CFG_NETWORK, "network")
+                        PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
+                        PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
+                        PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
+                        PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+                        PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+                        PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+                        PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
+                        PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+                        PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
+                        PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
+                        PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
+                        PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
+                        PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+#undef PARSE_YESNO
 
-                        // file transfer
-                        else if (strncmp(ptr, "file-transfer ", 14) == 0) {
-                                if (strcmp(ptr + 14, "yes") == 0)
-                                        cfg_val[CFG_FILE_TRANSFER] = 1;
-                                else if (strcmp(ptr + 14, "no") == 0)
-                                        cfg_val[CFG_FILE_TRANSFER] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // join
-                        else if (strncmp(ptr, "join ", 5) == 0) {
-                                if (strcmp(ptr + 5, "yes") == 0)
-                                        cfg_val[CFG_JOIN] = 1;
-                                else if (strcmp(ptr + 5, "no") == 0)
-                                        cfg_val[CFG_JOIN] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // x11
-                        else if (strncmp(ptr, "x11 ", 4) == 0) {
-                                if (strcmp(ptr + 4, "yes") == 0)
-                                        cfg_val[CFG_X11] = 1;
-                                else if (strcmp(ptr + 4, "no") == 0)
-                                        cfg_val[CFG_X11] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // bind
-                        else if (strncmp(ptr, "bind ", 5) == 0) {
-                                if (strcmp(ptr + 5, "yes") == 0)
-                                        cfg_val[CFG_BIND] = 1;
-                                else if (strcmp(ptr + 5, "no") == 0)
-                                        cfg_val[CFG_BIND] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // user namespace
-                        else if (strncmp(ptr, "userns ", 7) == 0) {
-                                if (strcmp(ptr + 7, "yes") == 0)
-                                        cfg_val[CFG_USERNS] = 1;
-                                else if (strcmp(ptr + 7, "no") == 0)
-                                        cfg_val[CFG_USERNS] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // chroot
-                        else if (strncmp(ptr, "chroot ", 7) == 0) {
-                                if (strcmp(ptr + 7, "yes") == 0)
-                                        cfg_val[CFG_CHROOT] = 1;
-                                else if (strcmp(ptr + 7, "no") == 0)
-                                        cfg_val[CFG_CHROOT] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // prompt
-                        else if (strncmp(ptr, "firejail-prompt ", 16) == 0) {
-                                if (strcmp(ptr + 16, "yes") == 0)
-                                        cfg_val[CFG_FIREJAIL_PROMPT] = 1;
-                                else if (strcmp(ptr + 16, "no") == 0)
-                                        cfg_val[CFG_FIREJAIL_PROMPT] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // follow symlink as user
-                        else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) {
-                                if (strcmp(ptr + 23, "yes") == 0)
-                                        cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1;
-                                else if (strcmp(ptr + 23, "no") == 0)
-                                        cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // follow symlink in private-bin command
-                        else if (strncmp(ptr, "follow-symlink-private-bin ", 27) == 0) {
-                                if (strcmp(ptr + 27, "yes") == 0)
-                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 1;
-                                else if (strcmp(ptr + 27, "no") == 0)
-                                        cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // nonewprivs
-                        else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
-                                if (strcmp(ptr + 17, "yes") == 0)
-                                        cfg_val[CFG_FORCE_NONEWPRIVS] = 1;
-                                else if (strcmp(ptr + 17, "no") == 0)
-                                        cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // seccomp
-                        else if (strncmp(ptr, "seccomp ", 8) == 0) {
-                                if (strcmp(ptr + 8, "yes") == 0)
-                                        cfg_val[CFG_SECCOMP] = 1;
-                                else if (strcmp(ptr + 8, "no") == 0)
-                                        cfg_val[CFG_SECCOMP] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // whitelist
-                        else if (strncmp(ptr, "whitelist ", 10) == 0) {
-                                if (strcmp(ptr + 10, "yes") == 0)
-                                        cfg_val[CFG_WHITELIST] = 1;
-                                else if (strcmp(ptr + 10, "no") == 0)
-                                        cfg_val[CFG_WHITELIST] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // network
-                        else if (strncmp(ptr, "network ", 8) == 0) {
-                                if (strcmp(ptr + 8, "yes") == 0)
-                                        cfg_val[CFG_NETWORK] = 1;
-                                else if (strcmp(ptr + 8, "no") == 0)
-                                        cfg_val[CFG_NETWORK] = 0;
-                                else
-                                        goto errout;
-                        }
-                        // network
-                        else if (strncmp(ptr, "restricted-network ", 19) == 0) {
-                                if (strcmp(ptr + 19, "yes") == 0)
-                                        cfg_val[CFG_RESTRICTED_NETWORK] = 1;
-                                else if (strcmp(ptr + 19, "no") == 0)
-                                        cfg_val[CFG_RESTRICTED_NETWORK] = 0;
-                                else
-                                        goto errout;
-                        }
                         // netfilter
                         else if (strncmp(ptr, "netfilter-default ", 18) == 0) {
                                 char *fname = ptr + 18;
@@ -213,8 +134,7 @@ int checkcfg(int val) {
                                         *end = '\0';
 
                                 // is the file present?
-                                struct stat s;
-                                if (stat(fname, &s) == -1) {
+                                if (access(fname, F_OK) == -1) {
                                         fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
                                         exit(1);
                                 }
@@ -240,16 +160,6 @@ int checkcfg(int val) {
                                         errExit("asprintf");
                         }
 
-                        // xephyr window title
-                        else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) {
-                                if (strcmp(ptr + 20, "yes") == 0)
-                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1;
-                                else if (strcmp(ptr + 20, "no") == 0)
-                                        cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0;
-                                else
-                                        goto errout;
-                        }
-
                         // Xephyr command extra parameters
                         else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) {
                                 if (*xephyr_extra_params != '\0')
@@ -269,7 +179,7 @@ int checkcfg(int val) {
                         }
 
                         // Xvfb screen size
-                                else if (strncmp(ptr, "xvfb-screen ", 12) == 0) {
+                        else if (strncmp(ptr, "xvfb-screen ", 12) == 0) {
                                 // expecting three numbers separated by x's
                                 unsigned int n1;
                                 unsigned int n2;
@@ -299,63 +209,6 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
-                        // remount /proc and /sys
-                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
-                                if (strcmp(ptr + 17, "yes") == 0)
-                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 1;
-                                else if (strcmp(ptr + 17, "no") == 0)
-                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "overlayfs ", 10) == 0) {
-                                if (strcmp(ptr + 10, "yes") == 0)
-                                        cfg_val[CFG_OVERLAYFS] = 1;
-                                else if (strcmp(ptr + 10, "no") == 0)
-                                        cfg_val[CFG_OVERLAYFS] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "private-home ", 13) == 0) {
-                                if (strcmp(ptr + 13, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_HOME] = 1;
-                                else if (strcmp(ptr + 13, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_HOME] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "private-lib ", 12) == 0) {
-                                if (strcmp(ptr + 12, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_LIB] = 1;
-                                else if (strcmp(ptr + 12, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_LIB] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
-                                if (strcmp(ptr + 15, "yes") == 0)
-                                        cfg_val[CFG_CHROOT_DESKTOP] = 1;
-                                else if (strcmp(ptr + 15, "no") == 0)
-                                        cfg_val[CFG_CHROOT_DESKTOP] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
-                                if (strcmp(ptr + 21, "yes") == 0)
-                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;
-                                else if (strcmp(ptr + 21, "no") == 0)
-                                        cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
-                                else
-                                        goto errout;
-                        }
-                        else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
-                                if (strcmp(ptr + 12, "yes") == 0)
-                                        cfg_val[CFG_DISABLE_MNT] = 1;
-                                else if (strcmp(ptr + 12, "no") == 0)
-                                        cfg_val[CFG_DISABLE_MNT] = 0;
-                                else
-                                        goto errout;
-                        }
                         // arp probes
                         else if (strncmp(ptr, "arp-probes ", 11) == 0) {
                                 int arp_probes = atoi(ptr + 11);
@@ -363,18 +216,63 @@ int checkcfg(int val) {
                                         goto errout;
                                 cfg_val[CFG_ARP_PROBES] = arp_probes;
                         }
-                        // xpra-attach
-                        else if (strncmp(ptr, "xpra-attach ", 12) == 0) {
-                                if (strcmp(ptr + 12, "yes") == 0)
-                                        cfg_val[CFG_XPRA_ATTACH] = 1;
-                                else if (strcmp(ptr + 12, "no") == 0)
-                                        cfg_val[CFG_XPRA_ATTACH] = 0;
-                                else
-                                        goto errout;
+
+                        // file copy limit
+                        else if (strncmp(ptr, "file-copy-limit ", 16) == 0)
+                                env_store_name_val("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, SETENV);
+
+                        // timeout for join option
+                        else if (strncmp(ptr, "join-timeout ", 13) == 0)
+                                join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
+
+                        // add rules to default seccomp filter
+                        else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+                                config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
+                        // seccomp error action
+                        else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
+                                if (strcmp(ptr + 21, "kill") == 0)
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG;
+                                else {
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
+                                        if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)
+                                                errExit("seccomp-error-action: unknown errno");
+                                }
+                                config_seccomp_error_action_str = strdup(ptr + 21);
+                                if (!config_seccomp_error_action_str)
+                                        errExit("strdup");
+                        }
+
+                        else if (strncmp(ptr, "whitelist-disable-topdir ", 25) == 0) {
+                                char *str = strdup(ptr + 25);
+                                if (!str)
+                                        errExit("strdup");
+
+                                size_t cnt = 0;
+                                size_t sz = 4;
+                                whitelist_reject_topdirs = malloc(sz * sizeof(char *));
+                                if (!whitelist_reject_topdirs)
+                                        errExit("malloc");
+
+                                char *tok = strtok(str, ",");
+                                while (tok) {
+                                        whitelist_reject_topdirs[cnt++] = tok;
+                                        if (cnt >= sz) {
+                                                sz *= 2;
+                                                whitelist_reject_topdirs = realloc(whitelist_reject_topdirs, sz * sizeof(char *));
+                                                if (!whitelist_reject_topdirs)
+                                                        errExit("realloc");
+                                        }
+                                        tok = strtok(NULL, ",");
+                                }
+                                whitelist_reject_topdirs[cnt] = NULL;
                         }
+
                         else
                                 goto errout;
-                        
+
                         free(ptr);
                 }
 
@@ -382,6 +280,13 @@ int checkcfg(int val) {
                 initialized = 1;
         }
 
+
+        // merge CFG_RESTRICTED_NETWORK into CFG_NETWORK
+        if (val == CFG_NETWORK) {
+                if (cfg_val[CFG_RESTRICTED_NETWORK] && getuid() != 0)
+                        return 0;
+        }
+
         return cfg_val[val];
 
 errout:
@@ -396,24 +301,24 @@ errout:
 
 void print_compiletime_support(void) {
         printf("Compile time support:\n");
-        printf("\t- AppArmor support is %s\n",
-#ifdef HAVE_APPARMOR
+        printf("\t- always force nonewprivs support is %s\n",
+#ifdef HAVE_FORCE_NONEWPRIVS
                 "enabled"
 #else
                 "disabled"
 #endif
                 );
 
-        printf("\t- AppImage support is %s\n",
-#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
+        printf("\t- AppArmor support is %s\n",
+#ifdef HAVE_APPARMOR
                 "enabled"
 #else
                 "disabled"
 #endif
                 );
 
-        printf("\t- bind support is %s\n",
-#ifdef HAVE_BIND
+        printf("\t- AppImage support is %s\n",
+#ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
                 "enabled"
 #else
                 "disabled"
@@ -428,8 +333,8 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
+        printf("\t- D-BUS proxy support is %s\n",
+#ifdef HAVE_DBUSPROXY
                 "enabled"
 #else
                 "disabled"
@@ -444,8 +349,8 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- git install support is %s\n",
-#ifdef HAVE_GIT_INSTALL
+        printf("\t- firetunnel support is %s\n",
+#ifdef HAVE_FIRETUNNEL
                 "enabled"
 #else
                 "disabled"
@@ -460,10 +365,13 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-#ifdef HAVE_NETWORK_RESTRICTED
-        printf("\t- networking features are available only to root user\n");
+        printf("\t- output logging is %s\n",
+#ifdef HAVE_OUTPUT
+                "enabled"
+#else
+                "disabled"
 #endif
-
+                );
         printf("\t- overlayfs support is %s\n",
 #ifdef HAVE_OVERLAYFS
                 "enabled"
@@ -480,8 +388,16 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- seccomp-bpf support is %s\n",
-#ifdef HAVE_SECCOMP
+        printf("\t- private-cache and tmpfs as user %s\n",
+#ifdef HAVE_USERTMPFS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+
+        printf("\t- SELinux support is %s\n",
+#ifdef HAVE_SELINUX
                 "enabled"
 #else
                 "disabled"
@@ -504,4 +420,5 @@ void print_compiletime_support(void) {
 #endif
                 );
 
+
 }
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
new file mode 100644
index 000000000..37ec22117
--- /dev/null
+++ b/src/firejail/chroot.c
@@ -0,0 +1,310 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifdef HAVE_CHROOT
+#include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include <sys/mount.h>
+#include <sys/sendfile.h>
+#include <errno.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+// exit if error
+void fs_check_chroot_dir(void) {
+        EUID_ASSERT();
+        assert(cfg.chrootdir);
+        if (strstr(cfg.chrootdir, "..") ||
+            is_link(cfg.chrootdir))
+                goto errout;
+
+        // check chroot dirname exists, chrooting into the root directory is not allowed
+        char *rpath = realpath(cfg.chrootdir, NULL);
+        if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0)
+                goto errout;
+
+        char *overlay;
+        if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (strncmp(rpath, overlay, strlen(overlay)) == 0) {
+                fprintf(stderr, "Error: invalid chroot directory: no directories in %s are allowed\n", overlay);
+                exit(1);
+        }
+        free(overlay);
+
+        cfg.chrootdir = rpath;
+        return;
+
+errout:
+        fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir);
+        exit(1);
+}
+
+// copy /etc/resolv.conf or /etc/machine-id in chroot directory
+static void update_file(int parentfd, const char *relpath) {
+        assert(relpath && relpath[0] && relpath[0] != '/');
+
+        char *abspath;
+        if (asprintf(&abspath, "/%s", relpath) == -1)
+                errExit("asprintf");
+        int in = open(abspath, O_RDONLY|O_CLOEXEC);
+        free(abspath);
+        if (in == -1)
+                goto errout;
+
+        struct stat src;
+        if (fstat(in, &src) == -1)
+                errExit("fstat");
+        // try to detect if file has been bind mounted into the chroot
+        struct stat dst;
+        if (fstatat(parentfd, relpath, &dst, 0) == 0) {
+                if (src.st_dev == dst.st_dev && src.st_ino == dst.st_ino) {
+                        close(in);
+                        return;
+                }
+        }
+        if (arg_debug)
+                printf("Updating chroot /%s\n", relpath);
+        unlinkat(parentfd, relpath, 0);
+        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        if (out == -1) {
+                close(in);
+                goto errout;
+        }
+        if (sendfile(out, in, NULL, src.st_size) == -1)
+                errExit("sendfile");
+        close(in);
+        close(out);
+        return;
+
+errout:
+        fwarning("chroot /%s not initialized\n", relpath);
+}
+
+// exit if error
+static void check_subdir(int parentfd, const char *subdir, int check_writable) {
+        assert(subdir && subdir[0] && subdir[0] != '/');
+        struct stat s;
+        if (fstatat(parentfd, subdir, &s, AT_SYMLINK_NOFOLLOW) != 0) {
+                fprintf(stderr, "Error: cannot find /%s in chroot directory\n", subdir);
+                exit(1);
+        }
+        if (!S_ISDIR(s.st_mode)) {
+                if (S_ISLNK(s.st_mode))
+                        fprintf(stderr, "Error: chroot /%s is a symbolic link\n", subdir);
+                else
+                        fprintf(stderr, "Error: chroot /%s is not a directory\n", subdir);
+                exit(1);
+        }
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /%s should be owned by root\n", subdir);
+                exit(1);
+        }
+        if (check_writable && ((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+                fprintf(stderr, "Error: only root user should be given write permission on chroot /%s\n", subdir);
+                exit(1);
+        }
+}
+
+// chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
+void fs_chroot(const char *rootdir) {
+        assert(rootdir);
+
+        // fails if there is any symlink or if rootdir is not a directory
+        int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (parentfd == -1)
+                errExit("safer_openat");
+        // rootdir has to be owned by root and is not allowed to be generally writable,
+        // this also excludes /tmp and friends
+        struct stat s;
+        if (fstat(parentfd, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot directory should be owned by root\n");
+                exit(1);
+        }
+        if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+                fprintf(stderr, "Error: only root user should be given write permission on chroot directory\n");
+                exit(1);
+        }
+        // check chroot subdirectories; /tmp/.X11-unix and /run are treated separately
+        check_subdir(parentfd, "dev", 0);
+        check_subdir(parentfd, "etc", 1);
+        check_subdir(parentfd, "proc", 0);
+        check_subdir(parentfd, "tmp", 0);
+        check_subdir(parentfd, "var", 1);
+        check_subdir(parentfd, "var/tmp", 0);
+
+        // mount-bind a /dev in rootdir
+        if (arg_debug)
+                printf("Mounting /dev on chroot /dev\n");
+        // open chroot /dev to get a file descriptor,
+        // then use this descriptor as a mount target
+        int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("open");
+        if (bind_mount_path_to_fd("/dev", fd))
+                errExit("mounting /dev");
+        close(fd);
+
+#ifdef HAVE_X11
+        // if users want this mount, they should set FIREJAIL_CHROOT_X11
+        if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) {
+                if (arg_debug)
+                        printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n");
+                struct stat s1, s2;
+                if (stat("/tmp", &s1) || lstat("/tmp/.X11-unix", &s2))
+                        errExit("mounting /tmp/.X11-unix");
+                if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
+                        fprintf(stderr, "Error: sticky bit not set on /tmp directory\n");
+                        exit(1);
+                }
+                if (s2.st_uid != 0) {
+                        fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n");
+                        exit(1);
+                }
+
+                check_subdir(parentfd, "tmp/.X11-unix", 0);
+                fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (fd == -1)
+                        errExit("open");
+                if (bind_mount_path_to_fd("/tmp/.X11-unix", fd))
+                        errExit("mounting /tmp/.X11-unix");
+                close(fd);
+        }
+#endif // HAVE_X11
+
+        // some older distros don't have a /run directory, create one by default
+        if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST)
+                errExit("mkdir");
+        check_subdir(parentfd, "run", 1);
+
+        // pulseaudio; only support for default directory /run/user/$UID/pulse
+        if (env_get("FIREJAIL_CHROOT_PULSE")) {
+                char *pulse;
+                if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1)
+                        errExit("asprintf");
+                char *orig_pulse = pulse + strlen(cfg.chrootdir);
+
+                if (arg_debug)
+                        printf("Mounting %s on chroot %s\n", orig_pulse, orig_pulse);
+                int src = safer_openat(-1, orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (src == -1) {
+                        fprintf(stderr, "Error: cannot open %s\n", orig_pulse);
+                        exit(1);
+                }
+                int dst = safer_openat(-1, pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (dst == -1) {
+                        fprintf(stderr, "Error: cannot open %s\n", pulse);
+                        exit(1);
+                }
+                if (bind_mount_by_fd(src, dst))
+                        errExit("mounting pulseaudio");
+                close(src);
+                close(dst);
+                free(pulse);
+
+                // update /etc/machine-id in chroot
+                update_file(parentfd, "etc/machine-id");
+        }
+
+        // create /run/firejail directory in chroot
+        if (mkdirat(parentfd, &RUN_FIREJAIL_DIR[1], 0755) == -1 && errno != EEXIST)
+                errExit("mkdir");
+        check_subdir(parentfd, &RUN_FIREJAIL_DIR[1], 1);
+
+        // create /run/firejail/lib directory in chroot
+        if (mkdirat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 0755) == -1 && errno != EEXIST)
+                errExit("mkdir");
+        check_subdir(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 1);
+        // mount lib directory into the chroot
+        fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("open");
+        if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd))
+                errExit("mount bind");
+        close(fd);
+
+        // create /run/firejail/mnt directory in chroot
+        if (mkdirat(parentfd, &RUN_MNT_DIR[1], 0755) == -1 && errno != EEXIST)
+                errExit("mkdir");
+        check_subdir(parentfd, &RUN_MNT_DIR[1], 1);
+        // mount the current mnt directory into the chroot
+        fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("open");
+        if (bind_mount_path_to_fd(RUN_MNT_DIR, fd))
+                errExit("mount bind");
+        close(fd);
+
+        // update chroot resolv.conf
+        update_file(parentfd, "etc/resolv.conf");
+
+        __gcov_flush();
+
+        // create /run/firejail/mnt/oroot
+        char *oroot = RUN_OVERLAY_ROOT;
+        if (mkdir(oroot, 0755) == -1)
+                errExit("mkdir");
+        // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
+        if (bind_mount_fd_to_path(parentfd, oroot))
+                errExit("mounting rootdir oroot");
+        close(parentfd);
+        // chroot into the new directory
+        if (arg_debug)
+                printf("Chrooting into %s\n", rootdir);
+        if (chroot(oroot) < 0)
+                errExit("chroot");
+
+        // mount a new proc filesystem
+        if (arg_debug)
+                printf("Mounting /proc filesystem representing the PID namespace\n");
+        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
+        // create all other /run/firejail files and directories
+        preproc_build_firejail_dir();
+
+        // update /var directory in order to support multiple sandboxes running on the same root directory
+        //      if (!arg_private_dev)
+        //              fs_dev_shm();
+        fs_var_lock();
+        if (!arg_keep_var_tmp)
+                fs_var_tmp();
+        if (!arg_writable_var_log)
+                fs_var_log();
+
+        fs_var_lib();
+        fs_var_cache();
+        fs_var_utmp();
+        fs_machineid();
+
+        // don't leak user information
+        restrict_users();
+
+        // when starting as root, firejail config is not disabled;
+        if (getuid() != 0)
+                disable_config();
+}
+
+#endif // HAVE_CHROOT
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index 114173b6a..2fa68a55d 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -26,7 +26,7 @@
 #include <assert.h>
 #include <errno.h>
 
-static int cmdline_length(int argc, char **argv, int index) {
+static int cmdline_length(int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -46,10 +46,11 @@ static int cmdline_length(int argc, char **argv, int index) {
                                         len += 3;
                                 in_quotes = false;
                         } else {
-                                if (!in_quotes)
+                                if (!in_quotes && want_extra_quotes)
                                         len++;
                                 len++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 if (in_quotes) {
@@ -64,7 +65,7 @@ static int cmdline_length(int argc, char **argv, int index) {
         return len;
 }
 
-static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
+static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -77,7 +78,7 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
 
                 // enclose args by single quotes,
                 // and since single quote can't be represented in single quoted text
-                // each occurence of it should be enclosed by double quotes
+                // each occurrence of it should be enclosed by double quotes
                 in_quotes = false;
                 for (j = 0; j < strlen(argv[i + index]); j++) {
                         // single quote
@@ -103,14 +104,15 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
                         // anything other
                         else
                         {
-                                if (!in_quotes) {
+                                if (!in_quotes && want_extra_quotes) {
                                         // open quotes
                                         ptr1[0] = '\'';
                                         ptr1++;
                                 }
                                 ptr1[0] = argv[i + index][j];
                                 ptr1++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 // close quotes
@@ -134,12 +136,12 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
         assert((unsigned) len == strlen(command_line));
 }
 
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
-        int len = cmdline_length(argc, argv, index);
+        int len = cmdline_length(argc, argv, index, want_extra_quotes);
         if (len > ARG_MAX) {
                 errno = E2BIG;
                 errExit("cmdline_length");
@@ -152,7 +154,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         if (!*window_title)
                         errExit("malloc");
 
-        quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        quote_cmdline(*command_line, *window_title, len, argc, argv, index, want_extra_quotes);
 
         if (arg_debug)
                 printf("Building quoted command line: %s\n", *command_line);
@@ -161,30 +163,23 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         assert(*window_title);
 }
 
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) {
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
-        if (arg_debug)
-                printf("Building AppImage command line: %s\n", *command_line);
-
+        char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun";
 
-        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
-        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
-        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun
-        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
+        int len1 = cmdline_length(argc, argv, index, want_extra_quotes);  // length of argv w/o changes
+        int len2 = cmdline_length(1, &argv[index], 0, want_extra_quotes); // apptest.AppImage
+        int len3 = cmdline_length(1, &apprun_path, 0, want_extra_quotes); // /run/firejail/appimage/AppRun
+        int len4 = (len1 - len2 + len3) + 1;                              // apptest.AppImage is replaced by /path/to/AppRun
 
         if (len4 > ARG_MAX) {
                 errno = E2BIG;
                 errExit("cmdline_length");
         }
 
-        // save created apprun in cfg.command_line
-        char *tmp1 = strdup(*command_line);
-        if (!tmp1)
-                errExit("strdup");
-
         // TODO: deal with extra allocated memory.
         char *command_line_tmp = malloc(len1 + len3 + 1);
         if (!command_line_tmp)
@@ -194,18 +189,18 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
                         errExit("malloc");
 
         // run default quote_cmdline
-        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index, want_extra_quotes);
 
         assert(command_line_tmp);
         assert(*window_title);
 
         // 'fix' command_line now
-        if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1)
+        if (asprintf(command_line, "'%s' %s", apprun_path, command_line_tmp + len2) == -1)
                 errExit("asprintf");
 
         if (arg_debug)
                 printf("AppImage quoted command line: %s\n", *command_line);
 
         // free strdup
-        free(tmp1);
+        free(command_line_tmp);
 }
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 6b3fc063d..fe7258fb0 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -75,7 +75,7 @@ void save_cpu(void) {
         if (cfg.cpus == 0)
                 return;
 
-        FILE *fp = fopen(RUN_CPU_CFG, "w");
+        FILE *fp = fopen(RUN_CPU_CFG, "wxe");
         if (fp) {
                 fprintf(fp, "%x\n", cfg.cpus);
                 SET_PERMS_STREAM(fp, 0, 0, 0600);
@@ -91,7 +91,7 @@ void load_cpu(const char *fname) {
         if (!fname)
                 return;
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp) {
                 unsigned tmp;
                 int rv = fscanf(fp, "%x", &tmp);
@@ -139,7 +139,7 @@ static void print_cpu(int pid) {
         }
 
         EUID_ROOT();    // grsecurity
-        FILE *fp = fopen(file, "r");
+        FILE *fp = fopen(file, "re");
         EUID_USER();    // grsecurity
         if (!fp) {
                 printf("  Error: cannot open %s\n", file);
@@ -162,31 +162,17 @@ static void print_cpu(int pid) {
         free(file);
 }
 
+// allow any user to run --cpu.print
 void cpu_print_filter(pid_t pid) {
         EUID_ASSERT();
 
-        // if the pid is that of a firejail  process, use the pid of the first child process
-        EUID_ROOT();    // grsecurity
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();    // grsecurity
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                        }
-                }
-                free(comm);
-        }
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
 
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
+        // now check if the pid belongs to a firejail sandbox
+        if (is_ready_for_join(pid) == false) {
+                fprintf(stderr, "Error: no valid sandbox\n");
+                exit(1);
         }
 
         print_cpu(pid);
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
new file mode 100644
index 000000000..735ff54fa
--- /dev/null
+++ b/src/firejail/dbus.c
@@ -0,0 +1,548 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifdef HAVE_DBUSPROXY
+#include "firejail.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#define DBUS_SOCKET_PATH_PREFIX "unix:path="
+#define DBUS_USER_SOCKET_FORMAT "/run/user/%d/bus"
+#define DBUS_USER_SOCKET_FORMAT2 "/run/user/%d/dbus/user_bus_socket"
+#define DBUS_SYSTEM_SOCKET "/run/dbus/system_bus_socket"
+#define DBUS_SESSION_BUS_ADDRESS_ENV "DBUS_SESSION_BUS_ADDRESS"
+#define DBUS_SYSTEM_BUS_ADDRESS_ENV "DBUS_SYSTEM_BUS_ADDRESS"
+#define DBUS_USER_DIR_FORMAT RUN_FIREJAIL_DBUS_DIR "/%d"
+#define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user"
+#define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system"
+#define DBUS_MAX_NAME_LENGTH 255
+// moved to include/common.h - #define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
+
+static pid_t dbus_proxy_pid = 0;
+static int dbus_proxy_status_fd = -1;
+static char *dbus_user_proxy_socket = NULL;
+static char *dbus_system_proxy_socket = NULL;
+
+static int check_bus_or_interface_name(const char *name, int hyphens_allowed) {
+        unsigned long length = strlen(name);
+        if (length == 0 || length > DBUS_MAX_NAME_LENGTH)
+                return 0;
+        const char *p = name;
+        int segments = 1;
+        int in_segment = 0;
+        while (*p) {
+                int alpha = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z');
+                int digit = *p >= '0' && *p <= '9';
+                if (in_segment) {
+                        if (*p == '.') {
+                                ++segments;
+                                in_segment = 0;
+                        } else if (!alpha && !digit && *p != '_' && (!hyphens_allowed || *p != '-')) {
+                                return 0;
+                        }
+                }
+                else {
+                        if (*p == '*') {
+                                return *(p + 1) == '\0';
+                        } else if (!alpha && *p != '_' && (!hyphens_allowed || *p != '-')) {
+                                return 0;
+                        }
+                        in_segment = 1;
+                }
+                ++p;
+        }
+        return in_segment && segments >= 2;
+}
+
+static int check_object_path(const char *path) {
+        unsigned long length = strlen(path);
+        if (length == 0 || path[0] != '/')
+                return 0;
+        // The root path "/" is the only path allowed to have a trailing slash.
+        if (length == 1)
+                return 1;
+        const char *p = path + 1;
+        int segments = 1;
+        int in_segment = 0;
+        while (*p) {
+                int alpha = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z');
+                int digit = *p >= '0' && *p <= '9';
+                if (in_segment) {
+                        if (*p == '/') {
+                                ++segments;
+                                in_segment = 0;
+                        } else if (!alpha && !digit && *p != '_') {
+                                return 0;
+                        }
+                }
+                else {
+                        if (*p == '*') {
+                                return *(p + 1) == '\0';
+                        } else if (!alpha && *p != '_') {
+                                return 0;
+                        }
+                        in_segment = 1;
+                }
+                ++p;
+        }
+        return in_segment && segments >= 1;
+}
+
+int dbus_check_name(const char *name) {
+        return check_bus_or_interface_name(name, 1);
+}
+
+int dbus_check_call_rule(const char *rule) {
+        char buf[DBUS_MAX_NAME_LENGTH + 1];
+        char *name_end = strchr(rule, '=');
+        if (name_end == NULL)
+                return 0;
+        size_t name_length = (size_t) (name_end - rule);
+        if (name_length > DBUS_MAX_NAME_LENGTH)
+                return 0;
+        strncpy(buf, rule, (size_t) name_length);
+        buf[name_length] = '\0';
+        if (!dbus_check_name(buf))
+                return 0;
+        ++name_end;
+        char *interface_end = strchr(name_end, '@');
+        if (interface_end == NULL)
+                return check_bus_or_interface_name(name_end, 0);
+        size_t interface_length = (size_t) (interface_end - name_end);
+        if (interface_length > DBUS_MAX_NAME_LENGTH)
+                return 0;
+        if (interface_length > 0) {
+                strncpy(buf, name_end, interface_length);
+                buf[interface_length] = '\0';
+                if (!check_bus_or_interface_name(buf, 0))
+                        return 0;
+        }
+        return check_object_path(interface_end + 1);
+}
+
+static void dbus_check_bus_profile(char const *prefix, DbusPolicy *policy) {
+        if (*policy == DBUS_POLICY_FILTER) {
+                struct stat s;
+                if (stat(XDG_DBUS_PROXY_PATH, &s) == -1) {
+                        if (errno == ENOENT) {
+                                fprintf(stderr,
+                                                "Warning: " XDG_DBUS_PROXY_PATH
+                                                " was not found, downgrading %s policy to allow.\n"
+                                                "To enable DBus filtering, install the xdg-dbus-proxy "
+                                                "program.\n", prefix);
+                                *policy = DBUS_POLICY_ALLOW;
+                        } else {
+                                errExit("stat");
+                        }
+                } else {
+                        // No need to warn on profile entries.
+                        return;
+                }
+        }
+
+        size_t prefix_length = strlen(prefix);
+        ProfileEntry *it = cfg.profile;
+        int num_matches = 0;
+        const char *first_match = NULL;
+        while (it) {
+                char *data = it->data;
+                it = it->next;
+                if (strncmp(prefix, data, prefix_length) == 0) {
+                        ++num_matches;
+                        if (first_match == NULL)
+                                first_match = data;
+                }
+        }
+
+        if (num_matches > 0 && !arg_quiet) {
+                assert(first_match != NULL);
+                if (num_matches == 1) {
+                        fprintf(stderr, "Ignoring \"%s\".\n", first_match);
+                } else if (num_matches == 2) {
+                        fprintf(stderr, "Ignoring \"%s\" and 1 other %s filter rule.\n",
+                                        first_match, prefix);
+                } else {
+                        fprintf(stderr, "Ignoring \"%s\" and %d other %s filter rules.\n",
+                                        first_match, num_matches - 1, prefix);
+                }
+        }
+}
+
+void dbus_check_profile(void) {
+        dbus_check_bus_profile("dbus-user", &arg_dbus_user);
+        dbus_check_bus_profile("dbus-system", &arg_dbus_system);
+}
+
+static void write_arg(int fd, char const *format, ...) {
+        va_list ap;
+        va_start(ap, format);
+        char *arg;
+        int length = vasprintf(&arg, format, ap);
+        va_end(ap);
+        if (length == -1)
+                errExit("vasprintf");
+        length++;
+        if (arg_debug)
+                printf("xdg-dbus-proxy arg: %s\n", arg);
+        if (write(fd, arg, (size_t) length) != (ssize_t) length)
+                errExit("write");
+        free(arg);
+}
+
+static void write_profile(int fd, char const *prefix) {
+        size_t prefix_length = strlen(prefix);
+        ProfileEntry *it = cfg.profile;
+        while (it) {
+                char *data = it->data;
+                it = it->next;
+                if (strncmp(prefix, data, prefix_length) != 0)
+                        continue;
+                data += prefix_length;
+                int arg_length = 0;
+                while (data[arg_length] != '\0' && data[arg_length] != ' ')
+                        arg_length++;
+                if (data[arg_length] != ' ')
+                        continue;
+                write_arg(fd, "--%.*s=%s", arg_length, data, &data[arg_length + 1]);
+        }
+}
+
+static void dbus_create_user_dir(void) {
+        char *path;
+        if (asprintf(&path, DBUS_USER_DIR_FORMAT, (int) getuid()) == -1)
+                errExit("asprintf");
+        struct stat s;
+        mode_t mode = 0700;
+        uid_t uid = getuid();
+        gid_t gid = getgid();
+        if (stat(path, &s)) {
+                if (arg_debug)
+                        printf("Creating %s directory for DBus proxy sockets\n", path);
+                if (mkdir(path, mode) == -1 && errno != EEXIST)
+                        errExit("mkdir");
+                if (set_perms(path, uid, gid, mode))
+                        errExit("set_perms");
+                ASSERT_PERMS(path, uid, gid, mode);
+        }
+        free(path);
+}
+
+static char *find_user_socket_by_format(char *format) {
+        char *dbus_user_socket;
+        if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (lstat(dbus_user_socket, &s) == -1)
+                goto fail;
+        if (!S_ISSOCK(s.st_mode))
+                goto fail;
+        return dbus_user_socket;
+ fail:
+        free(dbus_user_socket);
+        return NULL;
+}
+
+static char *find_user_socket(void) {
+        char *socket1 = find_user_socket_by_format(DBUS_USER_SOCKET_FORMAT);
+        if (socket1 != NULL)
+                return socket1;
+        char *socket2 = find_user_socket_by_format(DBUS_USER_SOCKET_FORMAT2);
+        if (socket2 != NULL)
+                return socket2;
+        fprintf(stderr, "DBus user socket was not found.\n");
+        exit(1);
+}
+
+void dbus_proxy_start(void) {
+        dbus_create_user_dir();
+
+        EUID_USER();
+
+        int status_pipe[2];
+        if (pipe(status_pipe) == -1)
+                errExit("pipe");
+        dbus_proxy_status_fd = status_pipe[0];
+
+        int args_pipe[2];
+        if (pipe(args_pipe) == -1)
+                errExit("pipe");
+
+        dbus_proxy_pid = fork();
+        if (dbus_proxy_pid == -1)
+                errExit("fork");
+        if (dbus_proxy_pid == 0) {
+                int i;
+                for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
+                        if (i != status_pipe[1] && i != args_pipe[0])
+                                close(i); // close open files
+                }
+                if (arg_dbus_log_file != NULL) {
+                        int output_fd = creat(arg_dbus_log_file, 0666);
+                        if (output_fd < 0)
+                                errExit("creat");
+                        if (output_fd != STDOUT_FILENO) {
+                                if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
+                                        errExit("dup2");
+                                close(output_fd);
+                        }
+                }
+                close(STDIN_FILENO);
+                char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL};
+                if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1
+                        || asprintf(&args[2], "--args=%d", args_pipe[0]) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("starting xdg-dbus-proxy\n");
+                sbox_exec_v(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE | SBOX_KEEP_FDS, args);
+        } else {
+                if (close(status_pipe[1]) == -1 || close(args_pipe[0]) == -1)
+                        errExit("close");
+
+                if (arg_dbus_user == DBUS_POLICY_FILTER) {
+                        const char *user_env = env_get(DBUS_SESSION_BUS_ADDRESS_ENV);
+                        if (user_env == NULL) {
+                                char *dbus_user_socket = find_user_socket();
+                                write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s",
+                                                  dbus_user_socket);
+                                free(dbus_user_socket);
+                        } else {
+                                write_arg(args_pipe[1], "%s", user_env);
+                        }
+                        if (asprintf(&dbus_user_proxy_socket, DBUS_USER_PROXY_SOCKET_FORMAT,
+                                                 (int) getuid(), (int) getpid()) == -1)
+                                errExit("asprintf");
+                        write_arg(args_pipe[1], "%s", dbus_user_proxy_socket);
+                        if (arg_dbus_log_user) {
+                                write_arg(args_pipe[1], "--log");
+                        }
+                        write_arg(args_pipe[1], "--filter");
+                        write_profile(args_pipe[1], "dbus-user.");
+                }
+
+                if (arg_dbus_system == DBUS_POLICY_FILTER) {
+                        const char *system_env = env_get(DBUS_SYSTEM_BUS_ADDRESS_ENV);
+                        if (system_env == NULL) {
+                                write_arg(args_pipe[1],
+                                                  DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET);
+                        } else {
+                                write_arg(args_pipe[1], "%s", system_env);
+                        }
+                        if (asprintf(&dbus_system_proxy_socket, DBUS_SYSTEM_PROXY_SOCKET_FORMAT,
+                                                 (int) getuid(), (int) getpid()) == -1)
+                                errExit("asprintf");
+                        write_arg(args_pipe[1], "%s", dbus_system_proxy_socket);
+                        if (arg_dbus_log_system) {
+                                write_arg(args_pipe[1], "--log");
+                        }
+                        write_arg(args_pipe[1], "--filter");
+                        write_profile(args_pipe[1], "dbus-system.");
+                }
+
+                if (close(args_pipe[1]) == -1)
+                        errExit("close");
+                char buf[1];
+                ssize_t read_bytes = read(status_pipe[0], buf, 1);
+                switch (read_bytes) {
+                case -1:
+                        errExit("read");
+                        break;
+                case 0:
+                        fprintf(stderr, "xdg-dbus-proxy closed pipe unexpectedly\n");
+                        // Wait for the subordinate process to write any errors to stderr and exit.
+                        waitpid(dbus_proxy_pid, NULL, 0);
+                        exit(-1);
+                        break;
+                case 1:
+                        if (arg_debug)
+                                printf("xdg-dbus-proxy initialized\n");
+                        break;
+                default:
+                        assert(0);
+                }
+        }
+}
+
+void dbus_proxy_stop(void) {
+        if (dbus_proxy_pid == 0)
+                return;
+        assert(dbus_proxy_status_fd >= 0);
+        if (close(dbus_proxy_status_fd) == -1)
+                errExit("close");
+        int status;
+        if (waitpid(dbus_proxy_pid, &status, 0) == -1)
+                errExit("waitpid");
+        if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
+                fwarning("xdg-dbus-proxy returned %s\n", WEXITSTATUS(status));
+        dbus_proxy_pid = 0;
+        dbus_proxy_status_fd = -1;
+        if (dbus_user_proxy_socket != NULL) {
+                free(dbus_user_proxy_socket);
+                dbus_user_proxy_socket = NULL;
+        }
+        if (dbus_system_proxy_socket != NULL) {
+                free(dbus_system_proxy_socket);
+                dbus_system_proxy_socket = NULL;
+        }
+}
+
+static void socket_overlay(char *socket_path, char *proxy_path) {
+        int fd = safer_openat(-1, proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
+        if (fd == -1)
+                errExit("opening DBus proxy socket");
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISSOCK(s.st_mode)) {
+                errno = ENOTSOCK;
+                errExit("mounting DBus proxy socket");
+        }
+        if (bind_mount_fd_to_path(fd, socket_path))
+                errExit("mount bind");
+        close(fd);
+}
+
+static const char *get_socket_env(const char *name) {
+        const char *value = env_get(name);
+        if (value == NULL)
+                return NULL;
+        if (strncmp(value, DBUS_SOCKET_PATH_PREFIX,
+                                strlen(DBUS_SOCKET_PATH_PREFIX)) == 0)
+                return value + strlen(DBUS_SOCKET_PATH_PREFIX);
+        return NULL;
+}
+
+void dbus_set_session_bus_env(void) {
+        env_store_name_val(DBUS_SESSION_BUS_ADDRESS_ENV,
+                           DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, SETENV);
+}
+
+void dbus_set_system_bus_env(void) {
+        env_store_name_val(DBUS_SYSTEM_BUS_ADDRESS_ENV,
+                           DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, SETENV);
+}
+
+static void disable_socket_dir(void) {
+        struct stat s;
+        if (stat(RUN_FIREJAIL_DBUS_DIR, &s) == 0)
+                disable_file_or_dir(RUN_FIREJAIL_DBUS_DIR);
+}
+
+void dbus_apply_policy(void) {
+        EUID_ROOT();
+
+        if (arg_dbus_user == DBUS_POLICY_ALLOW && arg_dbus_system == DBUS_POLICY_ALLOW) {
+                disable_socket_dir();
+                return;
+        }
+
+        if (!checkcfg(CFG_DBUS)) {
+                disable_socket_dir();
+                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
+                return;
+        }
+
+        create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
+
+        if (arg_dbus_user != DBUS_POLICY_ALLOW) {
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600);
+
+                if (arg_dbus_user == DBUS_POLICY_FILTER) {
+                        assert(dbus_user_proxy_socket != NULL);
+                        socket_overlay(RUN_DBUS_USER_SOCKET, dbus_user_proxy_socket);
+                        free(dbus_user_proxy_socket);
+                }
+
+                char *dbus_user_socket;
+                if (asprintf(&dbus_user_socket, DBUS_USER_SOCKET_FORMAT,
+                                         (int) getuid()) == -1)
+                        errExit("asprintf");
+                disable_file_or_dir(dbus_user_socket);
+
+                char *dbus_user_socket2;
+                if (asprintf(&dbus_user_socket2, DBUS_USER_SOCKET_FORMAT2,
+                                         (int) getuid()) == -1)
+                        errExit("asprintf");
+                disable_file_or_dir(dbus_user_socket2);
+
+                const char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV);
+                if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 &&
+                        strcmp(user_env, dbus_user_socket2) != 0)
+                        disable_file_or_dir(user_env);
+
+                free(dbus_user_socket);
+                free(dbus_user_socket2);
+
+                dbus_set_session_bus_env();
+
+                // blacklist the dbus-launch user directory
+                char *path;
+                if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
+                        errExit("asprintf");
+                disable_file_or_dir(path);
+                free(path);
+        }
+
+        if (arg_dbus_system != DBUS_POLICY_ALLOW) {
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600);
+
+                if (arg_dbus_system == DBUS_POLICY_FILTER) {
+                        assert(dbus_system_proxy_socket != NULL);
+                        socket_overlay(RUN_DBUS_SYSTEM_SOCKET, dbus_system_proxy_socket);
+                        free(dbus_system_proxy_socket);
+                }
+
+                disable_file_or_dir(DBUS_SYSTEM_SOCKET);
+
+                const char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV);
+                if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0)
+                        disable_file_or_dir(system_env);
+
+                dbus_set_system_bus_env();
+        }
+
+        // Only disable access to /run/firejail/dbus here, when the sockets have been bind-mounted.
+        disable_socket_dir();
+
+        // look for a possible abstract unix socket
+
+        // --net=none
+        if (arg_nonetwork)
+                return;
+
+        // --net=eth0
+        if (any_bridge_configured())
+                return;
+
+        // --protocol=unix
+        if (cfg.protocol && !strstr(cfg.protocol, "unix"))
+                return;
+
+        fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
+}
+#endif // HAVE_DBUSPROXY
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
new file mode 100644
index 000000000..ec482e2ea
--- /dev/null
+++ b/src/firejail/dhcp.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+
+pid_t dhclient4_pid = 0;
+pid_t dhclient6_pid = 0;
+
+typedef struct {
+        char *version_arg;
+        char *pid_file;
+        char *leases_file;
+        uint8_t generate_duid;
+        char *duid_leases_file;
+        pid_t *pid;
+        ptrdiff_t arg_offset;
+} Dhclient;
+
+static const Dhclient dhclient4 = {
+        .version_arg = "-4",
+        .pid_file = RUN_DHCLIENT_4_PID_FILE,
+        .leases_file = RUN_DHCLIENT_4_LEASES_FILE,
+        .generate_duid = 1,
+        .pid = &dhclient4_pid,
+        .arg_offset = offsetof(Bridge, arg_ip_dhcp)
+};
+
+static const Dhclient dhclient6 = {
+        .version_arg = "-6",
+        .pid_file = RUN_DHCLIENT_6_PID_FILE,
+        .leases_file = RUN_DHCLIENT_6_LEASES_FILE,
+        .duid_leases_file = RUN_DHCLIENT_4_LEASES_FILE,
+        .pid = &dhclient6_pid,
+        .arg_offset = offsetof(Bridge, arg_ip6_dhcp)
+};
+
+static void dhcp_run_dhclient(char *dhclient_path, const Dhclient *client) {
+        char *argv[256] = {
+                dhclient_path,
+                client->version_arg,
+                "-pf", client->pid_file,
+                "-lf", client->leases_file,
+        };
+        int i = 6;
+        if (client->generate_duid)
+                argv[i++] = "-i";
+        if (client->duid_leases_file) {
+                argv[i++] = "-df";
+                argv[i++] = client->duid_leases_file;
+        }
+        if (arg_debug)
+                argv[i++] = "-v";
+        if (*(uint8_t *)((char *)&cfg.bridge0 + client->arg_offset))
+                argv[i++] = cfg.bridge0.devsandbox;
+        if (*(uint8_t *)((char *)&cfg.bridge1 + client->arg_offset))
+                argv[i++] = cfg.bridge1.devsandbox;
+        if (*(uint8_t *)((char *)&cfg.bridge2 + client->arg_offset))
+                argv[i++] = cfg.bridge2.devsandbox;
+        if (*(uint8_t *)((char *)&cfg.bridge3 + client->arg_offset))
+                argv[i++] = cfg.bridge3.devsandbox;
+
+        sbox_run_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_CAPS_NET_SERVICE | SBOX_SECCOMP, argv);
+}
+
+static pid_t dhcp_read_pidfile(const Dhclient *client) {
+        // We have to run dhclient as a forking daemon (not pass the -d option),
+        // because we want to be notified of a successful DHCP lease by the parent process exit.
+        int tries = 0;
+        pid_t found = 0;
+        while (found == 0 && tries < 10) {
+                if (tries >= 1)
+                        usleep(100000);
+                FILE *pidfile = fopen(client->pid_file, "re");
+                if (pidfile) {
+                        long pid;
+                        if (fscanf(pidfile, "%ld", &pid) == 1)
+                                found = (pid_t) pid;
+                        fclose(pidfile);
+                }
+                ++tries;
+        }
+        if (found == 0) {
+                fprintf(stderr, "Error: Cannot get dhclient %s PID from %s\n",
+                                                client->version_arg, client->pid_file);
+                exit(1);
+        }
+        return found;
+}
+
+static void dhcp_start_dhclient(char *dhclient_path, const Dhclient *client) {
+        dhcp_run_dhclient(dhclient_path, client);
+        *(client->pid) = dhcp_read_pidfile(client);
+}
+
+static void dhcp_waitll(const char *ifname) {
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, PATH_FNET, "waitll", ifname);
+}
+
+static void dhcp_waitll_all() {
+        if (cfg.bridge0.arg_ip6_dhcp)
+                dhcp_waitll(cfg.bridge0.devsandbox);
+        if (cfg.bridge1.arg_ip6_dhcp)
+                dhcp_waitll(cfg.bridge1.devsandbox);
+        if (cfg.bridge2.arg_ip6_dhcp)
+                dhcp_waitll(cfg.bridge2.devsandbox);
+        if (cfg.bridge3.arg_ip6_dhcp)
+                dhcp_waitll(cfg.bridge3.devsandbox);
+}
+
+// Temporarily copy dhclient executable under /run/firejail/mnt and start it from there
+// in order to recognize it later in firemon and firetools
+void dhcp_store_exec(void) {
+        if (!any_dhcp())
+                return;
+
+        char *dhclient_path = "/sbin/dhclient";
+        struct stat s;
+        if (stat(dhclient_path, &s) == -1) {
+                dhclient_path = "/usr/sbin/dhclient";
+                if (stat(dhclient_path, &s) == -1) {
+                        fprintf(stderr, "Error: dhclient was not found.\n");
+                        exit(1);
+                }
+        }
+
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
+}
+
+void dhcp_start(void) {
+        if (!any_dhcp())
+                return;
+
+        char *dhclient_path = RUN_MNT_DIR "/dhclient";
+        struct stat s;
+        if (stat(dhclient_path, &s) == -1) {
+                fprintf(stderr, "Error: %s was not found.\n", dhclient_path);
+                exit(1);
+        }
+
+        EUID_ROOT();
+        if (mkdir(RUN_DHCLIENT_DIR, 0700))
+                errExit("mkdir");
+
+        if (any_ip_dhcp()) {
+                dhcp_start_dhclient(dhclient_path, &dhclient4);
+                if (arg_debug)
+                        printf("Running dhclient -4 in the background as pid %ld\n", (long) dhclient4_pid);
+        }
+        if (any_ip6_dhcp()) {
+                dhcp_waitll_all();
+                dhcp_start_dhclient(dhclient_path, &dhclient6);
+                if (arg_debug)
+                        printf("Running dhclient -6 in the background as pid %ld\n", (long) dhclient6_pid);
+                if (dhclient4_pid == dhclient6_pid) {
+                        fprintf(stderr, "Error: dhclient -4 and -6 have the same PID: %ld\n", (long) dhclient4_pid);
+                        exit(1);
+                }
+        }
+
+        unlink(dhclient_path);
+}
diff --git a/src/firejail/env.c b/src/firejail/env.c
index b2e4c17f3..ad16de037 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,8 +25,8 @@
 
 typedef struct env_t {
         struct env_t *next;
-        char *name;
-        char *value;
+        const char *name;
+        const char *value;
         ENV_OP op;
 } Env;
 static Env *envlist = NULL;
@@ -52,17 +52,14 @@ static void env_add(Env *env) {
 
 // load IBUS env variables
 void env_ibus_load(void) {
+        EUID_ASSERT();
+
         // check ~/.config/ibus/bus directory
         char *dirname;
         if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1)
                 errExit("asprintf");
 
-        struct stat s;
-        if (stat(dirname, &s) == -1)
-                return;
-
         // find the file
-        /* coverity[toctou] */
         DIR *dir = opendir(dirname);
         if (!dir) {
                 free(dirname);
@@ -82,7 +79,7 @@ void env_ibus_load(void) {
                 char *fname;
                 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
                         errExit("asprintf");
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 free(fname);
                 if (!fp)
                         continue;
@@ -101,9 +98,7 @@ void env_ibus_load(void) {
                                 *ptr = '\0';
                         if (arg_debug)
                                 printf("%s\n", buf);
-                        EUID_USER();
                         env_store(buf, SETENV);
-                        EUID_ROOT();
                 }
 
                 fclose(fp);
@@ -116,43 +111,50 @@ void env_ibus_load(void) {
 
 // default sandbox env variables
 void env_defaults(void) {
-        // fix qt 4.8
-        if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0)
-                errExit("setenv");
-//      if (setenv("MOZ_NO_REMOTE, "1", 1) < 0)
-//              errExit("setenv");
-        if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc,
-                errExit("setenv");
+        // Qt fixes
+        env_store_name_val("QT_X11_NO_MITSHM", "1", SETENV);
+        env_store_name_val("QML_DISABLE_DISK_CACHE", "1", SETENV);
+//      env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV);
+//      env_store_name_val("MOZ_NO_REMOTE, "1", SETENV);
+        env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc,
         if (!cfg.shell)
                 cfg.shell = guess_shell();
-        if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0)
-                errExit("setenv");
+        if (cfg.shell)
+                env_store_name_val("SHELL", cfg.shell, SETENV);
+
+        // spawn KIO slaves inside the sandbox
+        env_store_name_val("KDE_FORK_SLAVES", "1", SETENV);
 
         // set prompt color to green
         int set_prompt = 0;
         if (checkcfg(CFG_FIREJAIL_PROMPT))
                 set_prompt = 1;
         else { // check FIREJAIL_PROMPT="yes" environment variable
-                char *prompt = getenv("FIREJAIL_PROMPT");
+                const char *prompt = env_get("FIREJAIL_PROMPT");
                 if (prompt && strcmp(prompt, "yes") == 0)
                         set_prompt = 1;
         }
 
-        if (set_prompt) {
+        if (set_prompt)
                 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
-                if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
-                        errExit("setenv");
-        }
+                env_store_name_val("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", SETENV);
+        else
+                // remove PROMPT_COMMAND
+                env_store_name_val("PROMPT_COMMAND", ":", SETENV); // unsetenv() will not work here, bash still picks it up from somewhere
 
         // set the window title
-        if (!arg_quiet)
+        if (!arg_quiet && isatty(STDOUT_FILENO))
                 printf("\033]0;firejail %s\007", cfg.window_title);
+
+        // pass --quiet as an environment variable, in case the command calls further firejailed commands
+        if (arg_quiet)
+                env_store_name_val("FIREJAIL_QUIET", "yes", SETENV);
+
         fflush(0);
 }
 
 // parse and store the environment setting
 void env_store(const char *str, ENV_OP op) {
-        EUID_ASSERT();
         assert(str);
 
         // some basic checking
@@ -163,8 +165,7 @@ void env_store(const char *str, ENV_OP op) {
                 if (!ptr)
                         goto errexit;
                 ptr++;
-                if (*ptr == '\0')
-                        goto errexit;
+                op = SETENV;
         }
 
         // build list entry
@@ -192,8 +193,40 @@ errexit:
         exit(1);
 }
 
+void env_store_name_val(const char *name, const char *val, ENV_OP op) {
+        assert(name);
+
+        // some basic checking
+        if (*name == '\0')
+                goto errexit;
+
+        // build list entry
+        Env *env = calloc(1, sizeof(Env));
+        if (!env)
+                errExit("calloc");
+
+        env->name = strdup(name);
+        if (env->name == NULL)
+                errExit("strdup");
+
+        if (op == SETENV) {
+                env->value = strdup(val);
+                if (env->value == NULL)
+                        errExit("strdup");
+        }
+        env->op = op;
+
+        // add entry to the list
+        env_add(env);
+        return;
+
+errexit:
+        fprintf(stderr, "Error: invalid --env setting\n");
+        exit(1);
+}
+
 // set env variables in the new sandbox process
-void env_apply(void) {
+void env_apply_all(void) {
         Env *env = envlist;
 
         while (env) {
@@ -207,3 +240,85 @@ void env_apply(void) {
                 env = env->next;
         }
 }
+
+// get env variable
+const char *env_get(const char *name) {
+        Env *env = envlist;
+        const char *r = NULL;
+
+        while (env) {
+                if (strcmp(env->name, name) == 0) {
+                        if (env->op == SETENV)
+                                r = env->value;
+                        else if (env->op == RMENV)
+                                r = NULL;
+                }
+                env = env->next;
+        }
+        return r;
+}
+
+static const char * const env_whitelist[] = {
+        "LANG",
+        "LANGUAGE",
+        "LC_MESSAGES",
+        // "PATH",
+        "DISPLAY"       // required by X11
+};
+
+static const char * const env_whitelist_sbox[] = {
+        "FIREJAIL_DEBUG",
+        "FIREJAIL_FILE_COPY_LIMIT",
+        "FIREJAIL_PLUGIN",
+        "FIREJAIL_QUIET",
+        "FIREJAIL_SECCOMP_ERROR_ACTION",
+        "FIREJAIL_TEST_ARGUMENTS",
+        "FIREJAIL_TRACEFILE"
+};
+
+static void env_apply_list(const char * const *list, unsigned int num_items) {
+        Env *env = envlist;
+
+        while (env) {
+                if (env->op == SETENV) {
+                        for (unsigned int i = 0; i < num_items; i++)
+                                if (strcmp(env->name, list[i]) == 0) {
+                                        // sanity check for whitelisted environment variables
+                                        if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) {
+                                                fprintf(stderr, "Error: too long environment variable %s, please use --rmenv\n", env->name);
+                                                exit(1);
+                                        }
+
+                                        //fprintf(stderr, "whitelisted env var %s=%s\n", env->name, env->value);
+                                        if (setenv(env->name, env->value, 1) < 0)
+                                                errExit("setenv");
+                                        break;
+                                }
+                } else if (env->op == RMENV)
+                        unsetenv(env->name);
+
+                env = env->next;
+        }
+}
+
+// Filter env variables in main firejail process. All variables will
+// be reapplied for the sandboxed app by env_apply_all().
+void env_apply_whitelist(void) {
+        int r;
+
+        r = clearenv();
+        if (r != 0)
+                errExit("clearenv");
+
+        env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+        // hardcoding PATH
+        if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+                errExit("setenv");
+}
+
+// Filter env variables for a sbox app
+void env_apply_whitelist_sbox(void) {
+        env_apply_whitelist();
+        env_apply_list(env_whitelist_sbox, ARRAY_SIZE(env_whitelist_sbox));
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index bea195f36..2a7d88575 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -21,86 +21,19 @@
 #define FIREJAIL_H
 #include "../include/common.h"
 #include "../include/euid_common.h"
+#include "../include/rundefs.h"
 #include <stdarg.h>
+#include <sys/stat.h>
 
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
 
-// filesystem
-#define RUN_FIREJAIL_BASEDIR    "/run"
-#define RUN_FIREJAIL_DIR        "/run/firejail"
-#define RUN_FIREJAIL_APPIMAGE_DIR       "/run/firejail/appimage"
-#define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name"
-#define RUN_FIREJAIL_X11_DIR    "/run/firejail/x11"
-#define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
-#define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
-#define RUN_FIREJAIL_PROFILE_DIR                "/run/firejail/profile"
-#define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail.lock"
-#define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
-#define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
-#define RUN_MNT_DIR     "/run/firejail/mnt"     // a tmpfs is mounted on this directory before any of the files below are created
-#define RUN_CGROUP_CFG  "/run/firejail/mnt/cgroup"
-#define RUN_CPU_CFG     "/run/firejail/mnt/cpu"
-#define RUN_GROUPS_CFG  "/run/firejail/mnt/groups"
-#define RUN_PROTOCOL_CFG        "/run/firejail/mnt/protocol"
-#define RUN_HOME_DIR    "/run/firejail/mnt/home"
-#define RUN_ETC_DIR     "/run/firejail/mnt/etc"
-#define RUN_OPT_DIR     "/run/firejail/mnt/opt"
-#define RUN_SRV_DIR     "/run/firejail/mnt/srv"
-#define RUN_BIN_DIR     "/run/firejail/mnt/bin"
-#define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
-#define RUN_LIB_DIR     "/run/firejail/mnt/lib"
-#define RUN_LIB_FILE    "/run/firejail/mnt/libfiles"
-#define RUN_LIB_BIN     "/run/firejail/mnt/binfiles"
-
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp.protocol"    // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"                     // configured filter
-#define RUN_SECCOMP_64  "/run/firejail/mnt/seccomp.64"          // 64bit arch filter installed on 32bit architectures
-#define RUN_SECCOMP_32  "/run/firejail/mnt/seccomp.32"          // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp.mdwx"                // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp.block_secondary"     // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"            // filter for post-exec library
-#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
-#define PATH_SECCOMP_64 (LIBDIR "/firejail/seccomp.64")                 // 64bit arch filter built during make
-#define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX (LIBDIR "/firejail/seccomp.mdwx")             // filter for memory-deny-write-execute built during make
-#define PATH_SECCOMP_BLOCK_SECONDARY (LIBDIR "/firejail/seccomp.block_secondary")       // secondary arch blocking filter built during make
-
-
-#define RUN_DEV_DIR             "/run/firejail/mnt/dev"
-#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
-
-#define RUN_WHITELIST_X11_DIR   "/run/firejail/mnt/orig-x11"
-#define RUN_WHITELIST_HOME_DIR  "/run/firejail/mnt/orig-home"   // default home directory masking
-#define RUN_WHITELIST_HOME_USER_DIR     "/run/firejail/mnt/orig-home-user"      // home directory whitelisting
-#define RUN_WHITELIST_TMP_DIR   "/run/firejail/mnt/orig-tmp"
-#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
-#define RUN_WHITELIST_MNT_DIR   "/run/firejail/mnt/orig-mnt"
-#define RUN_WHITELIST_VAR_DIR   "/run/firejail/mnt/orig-var"
-#define RUN_WHITELIST_DEV_DIR   "/run/firejail/mnt/orig-dev"
-#define RUN_WHITELIST_OPT_DIR   "/run/firejail/mnt/orig-opt"
-#define RUN_WHITELIST_SRV_DIR   "/run/firejail/mnt/orig-srv"
-
-#define RUN_XAUTHORITY_FILE     "/run/firejail/mnt/.Xauthority"
-#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
-#define RUN_ASOUNDRC_FILE       "/run/firejail/mnt/.asoundrc"
-#define RUN_HOSTNAME_FILE       "/run/firejail/mnt/hostname"
-#define RUN_HOSTS_FILE  "/run/firejail/mnt/hosts"
-#define RUN_RESOLVCONF_FILE     "/run/firejail/mnt/resolv.conf"
-#define RUN_MACHINEID   "/run/firejail/mnt/machine-id"
-#define RUN_LDPRELOAD_FILE      "/run/firejail/mnt/ld.so.preload"
-#define RUN_UTMP_FILE           "/run/firejail/mnt/utmp"
-#define RUN_PASSWD_FILE         "/run/firejail/mnt/passwd"
-#define RUN_GROUP_FILE          "/run/firejail/mnt/group"
-#define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
-
 
 
 // profiles
 #define DEFAULT_USER_PROFILE    "default"
 #define DEFAULT_ROOT_PROFILE    "server"
-#define MAX_INCLUDE_LEVEL 6             // include levels in profile files
+#define MAX_INCLUDE_LEVEL 16            // include levels in profile files
 
 
 #define ASSERT_PERMS(file, uid, gid, mode) \
@@ -112,6 +45,15 @@
                 assert(s.st_gid == gid);\
                 assert((s.st_mode & 07777) == (mode));\
         } while (0)
+#define ASSERT_PERMS_AS_USER(file, uid, gid, mode) \
+        do { \
+                assert(file);\
+                struct stat s;\
+                if (stat_as_user(file, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
         do { \
                 struct stat s;\
@@ -148,6 +90,8 @@
                 (void) rv;\
         } while (0)
 
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
 // main.c
 typedef struct bridge_t {
         // on the host
@@ -162,6 +106,7 @@ typedef struct bridge_t {
         // inside the sandbox
         char *devsandbox;       // name of the device inside the sandbox
         uint32_t ipsandbox;     // ip address inside the sandbox
+        uint32_t masksandbox;   // network mask inside the sandbox
         char *ip6sandbox;       // ipv6 address inside the sandbox
         uint8_t macsandbox[6]; // mac address inside the sandbox
         uint32_t iprange_start;// iprange arp scan start range
@@ -169,6 +114,8 @@ typedef struct bridge_t {
 
         // flags
         uint8_t arg_ip_none;    // --ip=none
+        uint8_t arg_ip_dhcp;
+        uint8_t arg_ip6_dhcp;
         uint8_t macvlan;        // set by --net=eth0 (or eth1, ...); reset by --net=br0 (or br1, ...)
         uint8_t configured;
         uint8_t scan;           // set by --scan
@@ -184,21 +131,23 @@ typedef struct interface_t {
         uint8_t configured;
 } Interface;
 
+typedef struct topdir_t {
+        char *path;
+        int fd;
+} TopDir;
+
 typedef struct profile_entry_t {
         struct profile_entry_t *next;
         char *data;     // command
 
         // whitelist command parameters
-        char *link;     // link name - set if the file is a link
-        unsigned home_dir:1;    // whitelist in /home/user directory
-        unsigned tmp_dir:1;     // whitelist in /tmp directory
-        unsigned media_dir:1;   // whitelist in /media directory
-        unsigned mnt_dir:1;     // whitelist in /mnt directory
-        unsigned var_dir:1;     // whitelist in /var directory
-        unsigned dev_dir:1;     // whitelist in /dev directory
-        unsigned opt_dir:1;     // whitelist in /opt directory
-        unsigned srv_dir:1;     // whitelist in /srv directory
-}ProfileEntry;
+        struct wparam_t {
+                char *file;             // resolved file path
+                char *link;             // link path
+                TopDir *top;    // top level directory
+        } *wparam;
+
+} ProfileEntry;
 
 typedef struct config_t {
         // user data
@@ -207,6 +156,8 @@ typedef struct config_t {
 
         // filesystem
         ProfileEntry *profile;
+        ProfileEntry *profile_rebuild_etc;      // blacklist files in /etc directory used by fs_rebuild_etc()
+
 #define MAX_PROFILE_IGNORE 32
         char *profile_ignore[MAX_PROFILE_IGNORE];
         char *chrootdir;        // chroot directory
@@ -216,10 +167,10 @@ typedef struct config_t {
         char *opt_private_keep; // keep list for private opt directory
         char *srv_private_keep; // keep list for private srv directory
         char *bin_private_keep; // keep list for private bin directory
+        char *bin_private_lib;  // executable list sent by private-bin to private-lib
         char *lib_private_keep; // keep list for private bin directory
         char *cwd;              // current working directory
         char *overlay_dir;
-        char *private_template; // template dir for tmpfs home
 
         // networking
         char *name;             // sandbox name
@@ -234,28 +185,32 @@ typedef struct config_t {
         Interface interface1;
         Interface interface2;
         Interface interface3;
-        uint32_t dns1;  // up to 3 IP addresses for dns servers
-        uint32_t dns2;
-        uint32_t dns3;
+        char *dns1;     // up to 4 IP (v4/v6) addresses for dns servers
+        char *dns2;
+        char *dns3;
+        char *dns4;
 
         // seccomp
-        char *seccomp_list;//  optional seccomp list on top of default filter
-        char *seccomp_list_drop;        // seccomp drop list
-        char *seccomp_list_keep;        // seccomp keep list
+        char *seccomp_list, *seccomp_list32;            // optional seccomp list on top of default filter
+        char *seccomp_list_drop, *seccomp_list_drop32;  // seccomp drop list
+        char *seccomp_list_keep, *seccomp_list_keep32;  // seccomp keep list
         char *protocol;                 // protocol list
+        char *seccomp_error_action;                     // error action: kill, log or errno
 
         // rlimits
+        long long unsigned rlimit_cpu;
         long long unsigned rlimit_nofile;
         long long unsigned rlimit_nproc;
         long long unsigned rlimit_fsize;
         long long unsigned rlimit_sigpending;
+        long long unsigned rlimit_as;
+        unsigned timeout;       // maximum time elapsed before killing the sandbox
 
         // cpu affinity, nice and control groups
         uint32_t cpus;
         int nice;
         char *cgroup;
 
-
         // command line
         char *command_line;
         char *window_title;
@@ -293,15 +248,31 @@ static inline int any_interface_configured(void) {
         else
                 return 0;
 }
-void clear_run_files(pid_t pid);
+
+static inline int any_ip_dhcp(void) {
+        if (cfg.bridge0.arg_ip_dhcp || cfg.bridge1.arg_ip_dhcp || cfg.bridge2.arg_ip_dhcp || cfg.bridge3.arg_ip_dhcp)
+                return 1;
+        else
+                return 0;
+}
+
+static inline int any_ip6_dhcp(void) {
+        if (cfg.bridge0.arg_ip6_dhcp || cfg.bridge1.arg_ip6_dhcp || cfg.bridge2.arg_ip6_dhcp || cfg.bridge3.arg_ip6_dhcp)
+                return 1;
+        else
+                return 0;
+}
+
+static inline int any_dhcp(void) {
+  return any_ip_dhcp() || any_ip6_dhcp();
+}
 
 extern int arg_private;         // mount private /home
-extern int arg_private_template; // private /home template
-extern int arg_allow_private_blacklist;  // blacklist things in private directories
+extern int arg_private_cache;   // private home/.cache
 extern int arg_debug;           // print debug messages
-extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
 extern int arg_debug_whitelists;        // print debug messages for whitelists
+extern int arg_debug_private_lib;       // print debug messages for private-lib
 extern int arg_nonetwork;       // --net=none
 extern int arg_command; // -c
 extern int arg_overlay;         // overlay option
@@ -309,6 +280,7 @@ extern int arg_overlay_keep;	// place overlay diff in a known directory
 extern int arg_overlay_reuse;   // allow the reuse of overlays
 
 extern int arg_seccomp; // enable default seccomp filter
+extern int arg_seccomp32;       // enable default seccomp filter for 32 bit arch
 extern int arg_seccomp_postexec;        // need postexec ld.preload library?
 extern int arg_seccomp_block_secondary; // block any secondary architectures
 
@@ -319,11 +291,14 @@ extern int arg_caps_keep;		// keep list
 extern char *arg_caps_list;             // optional caps list
 
 extern int arg_trace;           // syscall tracing support
+extern char *arg_tracefile;     // syscall tracing file
 extern int arg_tracelog;        // blacklist tracing support
+extern int arg_rlimit_cpu;      // rlimit cpu
 extern int arg_rlimit_nofile;   // rlimit nofile
 extern int arg_rlimit_nproc;    // rlimit nproc
 extern int arg_rlimit_fsize;    // rlimit fsize
 extern int arg_rlimit_sigpending;// rlimit sigpending
+extern int arg_rlimit_as;       //rlimit as
 extern int arg_nogroups;        // disable supplementary groups
 extern int arg_nonewprivs;      // set the NO_NEW_PRIVS prctl
 extern int arg_noroot;          // create a new user namespace and disable root user
@@ -335,14 +310,16 @@ extern char *arg_netns;		// "ip netns"-created network namespace to use
 extern int arg_doubledash;      // double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
+extern int arg_keep_dev_shm;    // preserve /dev/shm
 extern int arg_private_etc;     // private etc directory
 extern int arg_private_opt;     // private opt directory
 extern int arg_private_srv;     // private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
 extern int arg_private_lib;     // private lib directory
+extern int arg_private_cwd;     // private working directory
 extern int arg_scan;            // arp-scan all interfaces
-extern int arg_whitelist;       // whitelist commad
+extern int arg_whitelist;       // whitelist command
 extern int arg_nosound; // disable sound
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d;            // disable 3d hardware acceleration
@@ -352,16 +329,16 @@ extern int arg_join_filesystem;	// join only the mount namespace
 extern int arg_nice;            // nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
+extern int arg_keep_config_pulse;       // disable automatic ~/.config/pulse init
 extern int arg_writable_var;    // writable var
+extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;       // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
-extern int arg_audit;           // audit
-extern char *arg_audit_prog;    // audit
 extern int arg_apparmor;        // apparmor
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
-extern int arg_x11_xorg;        // use X11 security extention
+extern int arg_x11_xorg;        // use X11 security extension
 extern int arg_allusers;        // all user home directories visible
 extern int arg_machineid;       // preserve /etc/machine-id
 extern int arg_disable_mnt;     // disable /mnt and /media
@@ -369,35 +346,53 @@ extern int arg_noprofile;	// use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
 extern int arg_notv;    // --notv
 extern int arg_nodvd;   // --nodvd
+extern int arg_nou2f;   // --nou2f
+extern int arg_noinput; // --noinput
+extern int arg_deterministic_exit_code; // always exit with first child's exit status
+
+typedef enum {
+        DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
+        DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy
+        DBUS_POLICY_BLOCK   // Block access
+} DbusPolicy;
+extern DbusPolicy arg_dbus_user; // --dbus-user
+extern DbusPolicy arg_dbus_system; // --dbus-system
+extern int arg_dbus_log_user;
+extern int arg_dbus_log_system;
+extern const char *arg_dbus_log_file;
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
 extern pid_t sandbox_pid;
+extern mode_t orig_umask;
 extern unsigned long long start_timestamp;
 
 #define MAX_ARGS 128            // maximum number of command arguments (argc)
+#define MAX_ARG_LEN (PATH_MAX + 32) // --foobar=PATH
 extern char *fullargv[MAX_ARGS];
 extern int fullargc;
 
 // main.c
-void set_x11_file(pid_t pid, int display);
 void check_user_namespace(void);
 char *guess_shell(void);
 
 // sandbox.c
+#define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
-void start_application(int no_sandbox);
+void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
+void set_apparmor(void);
 
 // network_main.c
-void net_configure_bridge(Bridge *br, char *dev_name);
 void net_configure_sandbox_ip(Bridge *br);
 void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
-void net_dns_print(pid_t pid);
+void net_dns_print(pid_t pid) __attribute__((noreturn));
 void network_main(pid_t child);
+void net_print(pid_t pid);
 
 // network.c
+int check_ip46_address(const char *addr);
 void net_if_up(const char *ifname);
 void net_if_down(const char *ifname);
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
@@ -415,27 +410,44 @@ void preproc_mount_mnt_dir(void);
 void preproc_clean_run(void);
 
 // fs.c
-// blacklist files or directoies by mounting empty files on top of them
+typedef enum {
+        BLACKLIST_FILE,
+        BLACKLIST_NOLOG,
+        MOUNT_READONLY,
+        MOUNT_TMPFS,
+        MOUNT_NOEXEC,
+        MOUNT_RDWR,
+        MOUNT_RDWR_NOCHECK, // no check of ownership
+        OPERATION_MAX
+} OPERATION;
+
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void);
-// remount a directory read-only
-void fs_rdonly(const char *dir);
-// remount a directory noexec, nodev and nosuid
-void fs_noexec(const char *dir);
+// mount a writable tmpfs
+void fs_tmpfs(const char *dir, unsigned check_owner);
+// remount noexec/nodev/nosuid or read-only or read-write
+void fs_remount(const char *dir, OPERATION op, int rec);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
+// blacklist firejail configuration and runtime directories
+void disable_config(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
 // mount overlayfs on top of / directory
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
 void fs_overlayfs(void);
-// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
-void fs_chroot(const char *rootdir);
-void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
+void fs_private_cache(void);
+void fs_mnt(const int enforce);
+
+// chroot.c
+// chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
+void fs_check_chroot_dir(void);
+void fs_chroot(const char *rootdir);
 
 // profile.c
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir);
+int profile_find_firejail(const char *name, int add_ext);
 // read a profile file
 void profile_read(const char *fname);
 // check profile line; if line == 0, this was generated from a command line option
@@ -444,19 +456,24 @@ void profile_read(const char *fname);
 int profile_check_line(char *ptr, int lineno, const char *fname);
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str);
-void fs_mnt(void);
+void profile_add_ignore(const char *str);
+char *profile_list_normalize(char *list);
+char *profile_list_compress(char *list);
+void profile_list_augment(char **list, const char *items);
 
 // list.c
 void list(void);
 void tree(void);
 void top(void);
-void netstats(void);
 
 // usage.c
 void usage(void);
 
 // join.c
-void join(pid_t pid, int argc, char **argv, int index);
+void join(pid_t pid, int argc, char **argv, int index) __attribute__((noreturn));
+bool is_ready_for_join(const pid_t pid);
+void check_join_permission(pid_t pid);
+pid_t switch_to_child(pid_t pid);
 
 // shutdown.c
 void shut(pid_t pid);
@@ -471,8 +488,19 @@ int arp_check(const char *dev, uint32_t destaddr);
 // assign an IP address using arp scanning
 uint32_t arp_assign(const char *dev, Bridge *br);
 
+// macros.c
+char *expand_macros(const char *path);
+char *resolve_macro(const char *name);
+void invalid_filename(const char *fname, int globbing);
+int is_macro(const char *name);
+int macro_id(const char *name);
+
+
 // util.c
+void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
+void fmessage(char* fmt, ...);
+long long unsigned parse_arg_size(char *str);
 void drop_privs(int nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
@@ -480,32 +508,63 @@ void logsignal(int s);
 void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
+void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
+void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
+char *realpath_as_user(const char *fname);
+int stat_as_user(const char *fname, struct stat *s);
+int lstat_as_user(const char *fname, struct stat *s);
+void trim_trailing_slash_or_dot(char *path);
 char *line_remove_spaces(const char *buf);
 char *split_comma(char *str);
+char *clean_pathname(const char *path);
 void check_unsigned(const char *str, const char *msg);
 int find_child(pid_t parent, pid_t *child);
 void check_private_dir(void);
 void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
-char *expand_home(const char *path, const char* homedir);
-const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
-void invalid_filename(const char *fname);
 uid_t get_group_id(const char *group);
-int remove_directory(const char *path);
+int remove_overlay_directory(void);
 void flush_stdin(void);
+int create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
-char *read_text_file_or_exit(const char *fname);
+unsigned extract_timeout(const char *str);
+void disable_file_or_dir(const char *fname);
+void disable_file_path(const char *path, const char *file);
+int safer_openat(int dirfd, const char *path, int flags);
+int remount_by_fd(int dst, unsigned long mountflags);
+int bind_mount_by_fd(int src, int dst);
+int bind_mount_path_to_fd(const char *srcname, int dst);
+int bind_mount_fd_to_path(int src, const char *destname);
+int has_handler(pid_t pid, int signal);
+void enter_network_namespace(pid_t pid);
+int read_pid(const char *name, pid_t *pid);
+pid_t require_pid(const char *name);
+void check_homedir(const char *dir);
+
+// Get info regarding the last kernel mount operation from /proc/self/mountinfo
+// The return value points to a static area, and will be overwritten by subsequent calls.
+// The function does an exit(1) if anything goes wrong.
+typedef struct {
+        int mountid; // id of the mount
+        char *fsname; // the pathname of the directory in the filesystem which forms the root of this mount
+        char *dir;      // mount destination
+        char *fstype; // filesystem type
+} MountData;
+
+// mountinfo.c
+MountData *get_last_mount(void);
+int get_mount_id(const char *path);
+char **build_mount_array(const int mount_id, const char *path);
 
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -525,18 +584,18 @@ void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
 void fs_dev_disable_tv(void);
 void fs_dev_disable_dvd(void);
+void fs_dev_disable_u2f(void);
+void fs_dev_disable_input(void);
 
 // fs_home.c
 // private mode (--private)
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
-// private template (--private-template=templatedir)
-void fs_private_template(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
-// check new private template home directory (--private-template= option) exit if it fails
-void fs_check_private_template(void);
+// check new private working directory (--private-cwd= option) - exit if it fails
+void fs_check_private_cwd(const char *dir);
 void fs_private_home_list(void);
 
 
@@ -544,11 +603,13 @@ void fs_private_home_list(void);
 char *seccomp_check_list(const char *str);
 int seccomp_install_filters(void);
 int seccomp_load(const char *fname);
-int seccomp_filter_drop(void);
-int seccomp_filter_keep(void);
-void seccomp_print_filter(pid_t pid);
+int seccomp_filter_drop(bool native);
+int seccomp_filter_keep(bool native);
+int seccomp_filter_mdwx(bool native);
+void seccomp_print_filter(pid_t pid) __attribute__((noreturn));
 
 // caps.c
+void seccomp_load_file_list(void);
 int caps_default_filter(void);
 void caps_print(void);
 void caps_drop_all(void);
@@ -556,19 +617,16 @@ void caps_set(uint64_t caps);
 void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
-void caps_print_filter(pid_t pid);
+void caps_print_filter(pid_t pid) __attribute__((noreturn));
 void caps_drop_dac_override(void);
 
-// syscall.c
-const char *syscall_find_nr(int nr);
-
 // fs_trace.c
 void fs_trace_preload(void);
+void fs_tracefile(void);
 void fs_trace(void);
 
 // fs_hostname.c
 void fs_hostname(const char *hostname);
-void fs_resolvconf(void);
 char *fs_check_hosts_file(const char *fname);
 void fs_store_hosts_file(void);
 void fs_mount_hosts_file(void);
@@ -581,7 +639,7 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
-void cpu_print_filter(pid_t pid);
+void cpu_print_filter(pid_t pid) __attribute__((noreturn));
 
 // cgroup.c
 void save_cgroup(void);
@@ -595,6 +653,7 @@ void check_output(int argc, char **argv);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
+void netfilter_print(pid_t pid, int ipv6);
 
 // netns.c
 void check_netns(const char *nsname);
@@ -602,20 +661,23 @@ void netns(const char *nsname);
 void netns_mounts(const char *nsname);
 
 // bandwidth.c
-void bandwidth_del_run_file(pid_t pid);
-void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
-void network_del_run_file(pid_t pid);
+void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) __attribute__((noreturn));
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
 void fs_machineid(void);
+void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_private_dir_mount(const char *private_dir, const char *private_run_dir);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_rebuild_etc(void);
 
 // no_sandbox.c
 int check_namespace_virt(void);
 int check_kernel_procs(void);
-void run_no_sandbox(int argc, char **argv);
+void run_no_sandbox(int argc, char **argv) __attribute__((noreturn));
 
+#define MAX_ENVS 256                    // some sane maximum number of environment variables
+#define MAX_ENV_LEN (PATH_MAX + 32)     // FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps
 // env.c
 typedef enum {
         SETENV = 0,
@@ -623,19 +685,17 @@ typedef enum {
 } ENV_OP;
 
 void env_store(const char *str, ENV_OP op);
-void env_apply(void);
+void env_store_name_val(const char *name, const char *val, ENV_OP op);
+void env_apply_all(void);
+void env_apply_whitelist(void);
+void env_apply_whitelist_sbox(void);
 void env_defaults(void);
+const char *env_get(const char *name);
 void env_ibus_load(void);
 
 // fs_whitelist.c
 void fs_whitelist(void);
 
-// errno.c
-int errno_highest_nr(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-void errno_print(void);
-
 // pulseaudio.c
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
@@ -649,7 +709,7 @@ void fs_private_lib(void);
 // protocol.c
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
-void protocol_print_filter(pid_t pid);
+void protocol_print_filter(pid_t pid) __attribute__((noreturn));
 
 // restrict_users.c
 void restrict_users(void);
@@ -661,10 +721,10 @@ void fs_logger2int(const char *msg1, int d);
 void fs_logger3(const char *msg1, const char *msg2, const char *msg3);
 void fs_logger_print(void);
 void fs_logger_change_owner(void);
-void fs_logger_print_log(pid_t pid);
+void fs_logger_print_log(pid_t pid) __attribute__((noreturn));
 
 // run_symlink.c
-void run_symlink(int argc, char **argv);
+void run_symlink(int argc, char **argv, int run_as_is);
 
 // paths.c
 char **build_paths(void);
@@ -687,20 +747,24 @@ void fs_mkfile(const char *name);
 
 void fs_x11(void);
 int x11_display(void);
-void x11_start(int argc, char **argv);
-void x11_start_xpra(int argc, char **argv);
-void x11_start_xephyr(int argc, char **argv);
+void x11_start(int argc, char **argv) __attribute__((noreturn));
+void x11_start_xpra(int argc, char **argv) __attribute__((noreturn));
+void x11_start_xephyr(int argc, char **argv) __attribute__((noreturn));
 void x11_block(void);
-void x11_start_xvfb(int argc, char **argv);
+void x11_start_xvfb(int argc, char **argv) __attribute__((noreturn));
+void x11_xorg(void);
 
 // ls.c
 enum {
         SANDBOX_FS_LS = 0,
+        SANDBOX_FS_CAT,
         SANDBOX_FS_GET,
         SANDBOX_FS_PUT,
         SANDBOX_FS_MAX // this should always be the last entry
 };
-void sandboxfs(int op, pid_t pid, const char *path1, const char *path2);
+void ls(const char *path);
+void cat(const char *path);
+void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) __attribute__((noreturn));
 
 // checkcfg.c
 #define DEFAULT_ARP_PROBES 2
@@ -714,21 +778,29 @@ enum {
         CFG_NETWORK,
         CFG_RESTRICTED_NETWORK,
         CFG_FORCE_NONEWPRIVS,
-        CFG_WHITELIST,
         CFG_XEPHYR_WINDOW_TITLE,
-        CFG_REMOUNT_PROC_SYS,
         CFG_OVERLAYFS,
-        CFG_CHROOT_DESKTOP,
-        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_BIN,
         CFG_PRIVATE_BIN_NO_LOCAL,
+        CFG_PRIVATE_CACHE,
+        CFG_PRIVATE_ETC,
+        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_LIB,
+        CFG_PRIVATE_OPT,
+        CFG_PRIVATE_SRV,
         CFG_FIREJAIL_PROMPT,
-        CFG_FOLLOW_SYMLINK_AS_USER,
-        CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
         CFG_DISABLE_MNT,
         CFG_JOIN,
         CFG_ARP_PROBES,
         CFG_XPRA_ATTACH,
-        CFG_PRIVATE_LIB,
+        CFG_BROWSER_DISABLE_U2F,
+        CFG_BROWSER_ALLOW_DRM,
+        CFG_APPARMOR,
+        CFG_DBUS,
+        CFG_CGROUP,
+        CFG_NAME_CHANGE,
+        CFG_SECCOMP_ERROR_ACTION,
+        // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -737,31 +809,53 @@ extern char *xpra_extra_params;
 extern char *xvfb_screen;
 extern char *xvfb_extra_params;
 extern char *netfilter_default;
+extern unsigned long join_timeout;
+extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
+extern char **whitelist_reject_topdirs;
+
 int checkcfg(int val);
 void print_compiletime_support(void);
-void x11_xorg(void);
 
 // appimage.c
+int appimage_find_profile(const char *archive);
 void appimage_set(const char *appimage_path);
+void appimage_mount(void);
 void appimage_clear(void);
-const char *appimage_getdir(void);
 
 // appimage_size.c
-long unsigned int appimage2_size(const char *fname);
+long unsigned int appimage2_size(int fd);
 
 // cmdline.c
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path);
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
 
 // sbox.c
 // programs
-#define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNET_MAIN (LIBDIR "/firejail/fnet")                // when called from main thread
+#define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet")        // when called from sandbox thread
+
+#define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter")
+
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
-#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
-#define PATH_FCOPY (LIBDIR "/firejail/fcopy")
+
+#define PATH_FSECCOMP_MAIN (LIBDIR "/firejail/fseccomp")                // when called from main thread
+#define PATH_FSECCOMP ( RUN_FIREJAIL_LIB_DIR "/fseccomp")       // when called from sandbox thread
+
+// FSEC_PRINT is run outside of sandbox by --seccomp.print
+// it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first
+#define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print")
+
+#define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize")
+
+#define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy")
+
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
-#define PATH_FLDD (LIBDIR "/firejail/fldd")
+
+#define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd")
+
+#define PATH_FIDS (LIBDIR "/firejail/fids")
 
 // bitmapped filters for sbox_run
 #define SBOX_ROOT (1 << 0)                      // run the sandbox as root
@@ -771,13 +865,43 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_NETWORK (1 << 4)      // caps filter for programs running network programs
 #define SBOX_ALLOW_STDIN (1 << 5)               // don't close stdin
 #define SBOX_STDIN_FROM_FILE (1 << 6)   // open file and redirect it to stdin
+#define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
+#define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
+#define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
+#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
-
-
-// git.c
-void git_install();
-void git_uninstall();
+int sbox_run_v(unsigned filter, char * const arg[]);
+void sbox_exec_v(unsigned filter, char * const arg[]) __attribute__((noreturn));
+
+// run_files.c
+void delete_run_files(pid_t pid);
+void delete_bandwidth_run_file(pid_t pid);
+void set_name_run_file(pid_t pid);
+void set_x11_run_file(pid_t pid, int display);
+void set_profile_run_file(pid_t pid, const char *fname);
+
+// dbus.c
+int dbus_check_name(const char *name);
+int dbus_check_call_rule(const char *name);
+void dbus_check_profile(void);
+void dbus_proxy_start(void);
+void dbus_proxy_stop(void);
+void dbus_set_session_bus_env(void);
+void dbus_set_system_bus_env(void);
+void dbus_apply_policy(void);
+
+// dhcp.c
+extern pid_t dhclient4_pid;
+extern pid_t dhclient6_pid;
+void dhcp_store_exec(void);
+void dhcp_start(void);
+
+// selinux.c
+void selinux_relabel_path(const char *path, const char *inside_path);
+
+// ids.c
+void run_ids(int argc, char **argv);
 
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0a6f40959..dd4c2139d 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/statvfs.h>
@@ -26,36 +27,38 @@
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 
-static void fs_rdwr(const char *dir);
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
+#define MAX_BUF 4096
+#define EMPTY_STRING ("")
+// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
+//#define TEST_NO_BLACKLIST_MATCHING
 
 
 //***********************************************
 // process profile file
 //***********************************************
-typedef enum {
-        BLACKLIST_FILE,
-        BLACKLIST_NOLOG,
-        MOUNT_READONLY,
-        MOUNT_TMPFS,
-        MOUNT_NOEXEC,
-        MOUNT_RDWR,
-        OPERATION_MAX
-} OPERATION;
-
-typedef enum {
-        UNSUCCESSFUL,
-        SUCCESSFUL
-} LAST_DISABLE_OPERATION;
-LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL;
+static void fs_remount_rec(const char *dir, OPERATION op);
+
+static char *opstr[] = {
+        [BLACKLIST_FILE] = "blacklist",
+        [BLACKLIST_NOLOG] = "blacklist-nolog",
+        [MOUNT_READONLY] = "read-only",
+        [MOUNT_TMPFS] = "tmpfs",
+        [MOUNT_NOEXEC] = "noexec",
+        [MOUNT_RDWR] = "read-write",
+        [MOUNT_RDWR_NOCHECK] = "read-write",
+};
 
 static void disable_file(OPERATION op, const char *filename) {
         assert(filename);
         assert(op <OPERATION_MAX);
-        last_disable = UNSUCCESSFUL;
+        EUID_ASSERT();
 
         // Resolve all symlinks
         char* fname = realpath(filename, NULL);
@@ -63,20 +66,24 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
         if (fname == NULL && errno == EACCES) {
-                if (arg_debug)
-                        printf("Debug: no access to file %s, forcing mount\n", filename);
-                // realpath and stat funtions will fail on FUSE filesystems
+                // realpath and stat functions will fail on FUSE filesystems
                 // they don't seem to like a uid of 0
                 // force mounting
-                int rv = mount(RUN_RO_DIR, filename, "none", MS_BIND, "mode=400,gid=0");
-                if (rv == 0)
-                        last_disable = SUCCESSFUL;
-                else {
-                        rv = mount(RUN_RO_FILE, filename, "none", MS_BIND, "mode=400,gid=0");
-                        if (rv == 0)
-                                last_disable = SUCCESSFUL;
+                int fd = open(filename, O_PATH|O_CLOEXEC);
+                if (fd < 0) {
+                        if (arg_debug)
+                                printf("Warning (blacklisting): cannot open %s: %s\n", filename, strerror(errno));
+                        return;
                 }
-                if (last_disable == SUCCESSFUL) {
+
+                EUID_ROOT();
+                int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
+                if (err != 0)
+                        err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
+                EUID_USER();
+                close(fd);
+
+                if (err == 0) {
                         if (arg_debug)
                                 printf("Disable %s\n", filename);
                         if (op == BLACKLIST_FILE)
@@ -84,21 +91,27 @@ static void disable_file(OPERATION op, const char *filename) {
                         else
                                 fs_logger2("blacklist-nolog", filename);
                 }
-                else {
-                        if (arg_debug)
-                                printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename);
-                }
+                else if (arg_debug)
+                        printf("Warning (blacklisting): cannot mount on %s\n", filename);
 
                 return;
         }
 
         // if the file is not present, do nothing
+        assert(fname);
         struct stat s;
-        if (fname == NULL)
-                return;
-        if (stat(fname, &s) == -1) {
+        if (stat(fname, &s) < 0) {
                 if (arg_debug)
-                        fwarning("%s does not exist, skipping...\n", fname);
+                        printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno));
+                free(fname);
+                return;
+        }
+
+        // check for firejail executable
+        // we might have a file found in ${PATH} pointing to /usr/bin/firejail
+        // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
+        //     and expects Firefox to open in the same sandbox
+        if (strcmp(BINDIR "/firejail", fname) == 0) {
                 free(fname);
                 return;
         }
@@ -126,56 +139,70 @@ static void disable_file(OPERATION op, const char *filename) {
                                         printf(" - no logging\n");
                         }
 
+                        int fd = open(fname, O_PATH|O_CLOEXEC);
+                        if (fd < 0) {
+                                if (arg_debug)
+                                        printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
+                                free(fname);
+                                return;
+                        }
+                        EUID_ROOT();
                         if (S_ISDIR(s.st_mode)) {
-                                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
                                         errExit("disable file");
                         }
                         else {
-                                if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
                                         errExit("disable file");
                         }
-                        last_disable = SUCCESSFUL;
+                        EUID_USER();
+                        close(fd);
+
                         if (op == BLACKLIST_FILE)
                                 fs_logger2("blacklist", fname);
                         else
                                 fs_logger2("blacklist-nolog", fname);
+
+                        // files in /etc will be reprocessed during /etc rebuild
+                        if (strncmp(fname, "/etc/", 5) == 0) {
+                                ProfileEntry *prf = malloc(sizeof(ProfileEntry));
+                                if (!prf)
+                                        errExit("malloc");
+                                memset(prf, 0, sizeof(ProfileEntry));
+                                prf->data = strdup(fname);
+                                if (!prf->data)
+                                        errExit("strdup");
+                                prf->next = cfg.profile_rebuild_etc;
+                                cfg.profile_rebuild_etc = prf;
+                        }
                 }
         }
-        else if (op == MOUNT_READONLY) {
-                if (arg_debug)
-                        printf("Mounting read-only %s\n", fname);
-                fs_rdonly(fname);
-// todo: last_disable = SUCCESSFUL;
-        }
-        else if (op == MOUNT_RDWR) {
-                if (arg_debug)
-                        printf("Mounting read-only %s\n", fname);
-                fs_rdwr(fname);
-// todo: last_disable = SUCCESSFUL;
-        }
-        else if (op == MOUNT_NOEXEC) {
-                if (arg_debug)
-                        printf("Mounting noexec %s\n", fname);
-                fs_noexec(fname);
-// todo: last_disable = SUCCESSFUL;
+        else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
+                fs_remount_rec(fname, op);
         }
         else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
-                        if (arg_debug)
-                                printf("Mounting tmpfs on %s\n", fname);
-                        // preserve owner and mode for the directory
-                        if (mount("tmpfs", fname, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  0) < 0)
-                                errExit("mounting tmpfs");
-                        /* coverity[toctou] */
-                        if (chown(fname, s.st_uid, s.st_gid) == -1)
-                                errExit("mounting tmpfs chown");
-                        if (chmod(fname, s.st_mode) == -1)
-                                errExit("mounting tmpfs chmod");
-                        last_disable = SUCCESSFUL;
-                        fs_logger2("tmpfs", fname);
-                }
-                else
+                if (!S_ISDIR(s.st_mode)) {
                         fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                        free(fname);
+                        return;
+                }
+
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                free(fname);
+                                return;
+                        }
+                }
+
+                fs_tmpfs(fname, uid);
+                EUID_USER(); // fs_tmpfs returns with EUID 0
+
+                selinux_relabel_path(fname, fname);
         }
         else
                 assert(0);
@@ -183,9 +210,27 @@ static void disable_file(OPERATION op, const char *filename) {
         free(fname);
 }
 
+#ifdef TEST_NO_BLACKLIST_MATCHING
+static int nbcheck_start = 0;
+static size_t nbcheck_size = 0;
+static int *nbcheck = NULL;
+#endif
+
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
         assert(pattern);
+        EUID_ASSERT();
+
+#ifdef TEST_NO_BLACKLIST_MATCHING
+        if (nbcheck_start == 0) {
+                nbcheck_start = 1;
+                nbcheck_size = noblacklist_len;
+                nbcheck = malloc(sizeof(int) * noblacklist_len);
+                if (nbcheck == NULL)
+                        errExit("malloc");
+                memset(nbcheck, 0, sizeof(int) * noblacklist_len);
+        }
+#endif
 
         glob_t globbuf;
         // Profiles contain blacklists for files that might not exist on a user's machine.
@@ -206,28 +251,26 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                         continue;
                 // noblacklist is expected to be short in normal cases, so stupid and correct brute force is okay
                 bool okay_to_blacklist = true;
-                for (j = 0; j < noblacklist_len; j++) {
-                        int result = fnmatch(noblacklist[j], path, FNM_PATHNAME);
-                        if (result == FNM_NOMATCH)
-                                continue;
-                        else if (result == 0) {
-                                okay_to_blacklist = false;
-                                break;
-                        }
-                        else {
-                                fprintf(stderr, "Error: failed to compare path %s with pattern %s\n", path, noblacklist[j]);
-                                exit(1);
+                if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
+                        for (j = 0; j < noblacklist_len; j++) {
+                                int result = fnmatch(noblacklist[j], path, FNM_PATHNAME);
+                                if (result == FNM_NOMATCH)
+                                        continue;
+                                else if (result == 0) {
+                                        okay_to_blacklist = false;
+#ifdef TEST_NO_BLACKLIST_MATCHING
+                                        if (j < nbcheck_size)   // noblacklist checking
+                                                nbcheck[j] = 1;
+#endif
+                                        break;
+                                }
+                                else {
+                                        fprintf(stderr, "Error: failed to compare path %s with pattern %s\n", path, noblacklist[j]);
+                                        exit(1);
+                                }
                         }
                 }
 
-                // We don't usually need to blacklist things in private home directories
-                if (okay_to_blacklist
-                 && cfg.homedir
-                 && arg_private
-                 && (!arg_allow_private_blacklist)
-                 && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
-                        okay_to_blacklist = false;
-
                 if (okay_to_blacklist)
                         disable_file(op, path);
                 else if (arg_debug)
@@ -239,8 +282,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
-        char *homedir = cfg.homedir;
-        assert(homedir);
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
@@ -252,6 +293,7 @@ void fs_blacklist(void) {
         if (noblacklist == NULL)
                 errExit("failed allocating memory for noblacklist entries");
 
+        EUID_USER();
         while (entry) {
                 OPERATION op = OPERATION_MAX;
                 char *ptr;
@@ -259,6 +301,7 @@ void fs_blacklist(void) {
                 // whitelist commands handled by fs_whitelist()
                 if (strncmp(entry->data, "whitelist ", 10) == 0 ||
                     strncmp(entry->data, "nowhitelist ", 12) == 0 ||
+                    strncmp(entry->data, "dbus-", 5) == 0 ||
                    *entry->data == '\0') {
                         entry = entry->next;
                         continue;
@@ -281,11 +324,13 @@ void fs_blacklist(void) {
                         if (arg_debug)
                                 printf("Mount-bind %s on top of %s\n", dname1, dname2);
                         // preserve dname2 mode and ownership
+                        // EUID_ROOT(); - option not accessible to non-root users
                         if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
                                 errExit("mount bind");
                         /* coverity[toctou] */
                         if (set_perms(dname2,  s.st_uid, s.st_gid,s.st_mode))
                                 errExit("set_perms");
+                        // EUID_USER();
 
                         entry = entry->next;
                         continue;
@@ -317,7 +362,7 @@ void fs_blacklist(void) {
                                 enames = calloc(2, sizeof(char *));
                                 if (!enames)
                                         errExit("calloc");
-                                enames[0] = expand_home(entry->data + 12, homedir);
+                                enames[0] = expand_macros(entry->data + 12);
                                 assert(enames[1] == 0);
                         }
 
@@ -363,16 +408,12 @@ void fs_blacklist(void) {
                         op = MOUNT_TMPFS;
                 }
                 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
-                        EUID_USER();
                         fs_mkdir(entry->data + 6);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
                 else if (strncmp(entry->data, "mkfile ", 7) == 0) {
-                        EUID_USER();
                         fs_mkfile(entry->data + 7);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
@@ -383,7 +424,7 @@ void fs_blacklist(void) {
                 }
 
                 // replace home macro in blacklist array
-                char *new_name = expand_home(ptr, homedir);
+                char *new_name = expand_macros(ptr);
                 ptr = new_name;
 
                 // expand path macro - look for the file in /usr/local/bin,  /usr/local/sbin, /bin, /usr/bin, /sbin and  /usr/sbin directories
@@ -411,133 +452,305 @@ void fs_blacklist(void) {
         }
 
         size_t i;
-        for (i = 0; i < noblacklist_c; i++) free(noblacklist[i]);
-        free(noblacklist);
-}
-
-static int get_mount_flags(const char *path, unsigned long *flags) {
-        struct statvfs buf;
+#ifdef TEST_NO_BLACKLIST_MATCHING
+        // noblacklist checking
+        for (i = 0; i < nbcheck_size; i++)
+                if (!arg_quiet && !nbcheck[i])
+                        printf("TESTING warning: noblacklist %s not matched by a proper blacklist command in disable*.inc\n",
+                                 noblacklist[i]);
+
+        // free memory
+        if (nbcheck) {
+                free(nbcheck);
+                nbcheck = NULL;
+                nbcheck_size = 0;
+        }
+#endif
+        for (i = 0; i < noblacklist_c; i++)
+                free(noblacklist[i]);
+        free(noblacklist);
 
-        if (statvfs(path, &buf) < 0)
-                return -errno;
-        *flags = buf.f_flag;
-        return 0;
+        EUID_ROOT();
 }
 
 //***********************************************
 // mount namespace
 //***********************************************
 
-// remount a directory read-only
-void fs_rdonly(const char *dir) {
+// mount a writable tmpfs on directory; requires a resolved path
+void fs_tmpfs(const char *dir, unsigned check_owner) {
+        EUID_USER();
         assert(dir);
-        // check directory exists
+        if (arg_debug)
+                printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
+        // get a file descriptor for dir, fails if there is any symlink
+        int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("while opening directory");
         struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & MS_RDONLY) == MS_RDONLY)
-                        return;
-                flags |= MS_RDONLY;
-                // mount --bind /bin /bin
-                // mount --bind -o remount,ro /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-                        errExit("mount read-only");
-                fs_logger2("read-only", dir);
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (check_owner && s.st_uid != getuid()) {
+                fprintf(stderr, "Error: cannot mount tmpfs on %s: not owned by the current user\n", dir);
+                exit(1);
         }
+        // preserve ownership, mode
+        char *options;
+        if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1)
+                errExit("asprintf");
+        // preserve mount flags, but remove read-only flag
+        struct statvfs buf;
+        if (fstatvfs(fd, &buf) == -1)
+                errExit("fstatvfs");
+        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
+        // mount via the symbolic link in /proc/self/fd
+        EUID_ROOT();
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0)
+                errExit("mounting tmpfs");
+        // check the last mount operation
+        MountData *mdata = get_last_mount();
+        if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0)
+                errLogExit("invalid tmpfs mount");
+        fs_logger2("tmpfs", dir);
+        free(options);
+        free(proc);
+        close(fd);
 }
 
-static void fs_rdwr(const char *dir) {
-        assert(dir);
-        // check directory exists
+// remount path, preserving other mount flags; requires a resolved path
+static void fs_remount_simple(const char *path, OPERATION op) {
+        EUID_ASSERT();
+        assert(path);
+
+        // open path without following symbolic links
+        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0)
+                goto out;
+
         struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                // if the file is outside /home directory, allow only root user
-                uid_t u = getuid();
-                if (u != 0 && s.st_uid != u) {
-                        fwarning("you are not allowed to change %s to read-write\n", dir);
+        if (fstat(fd, &s) < 0) {
+                // fstat can fail with EACCES if path is a FUSE mount,
+                // mounted without 'allow_root' or 'allow_other'
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                goto out;
+        }
+        // get mount flags
+        struct statvfs buf;
+        if (fstatvfs(fd, &buf) < 0) {
+                close(fd);
+                goto out;
+        }
+        unsigned long flags = buf.f_flag;
+
+        // read-write option
+        if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
+                // nothing to do if there is no read-only flag
+                if ((flags & MS_RDONLY) == 0) {
+                        close(fd);
                         return;
                 }
-
-                // mount --bind /bin /bin
-                // mount --bind -o remount,rw /bin
-                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & MS_RDONLY) == 0)
+                // allow only user owned directories, except the user is root
+                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) {
+                        fwarning("you are not allowed to change %s to read-write\n", path);
+                        close(fd);
                         return;
+                }
                 flags &= ~MS_RDONLY;
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
-                fs_logger2("read-write", dir);
         }
+        // noexec option
+        else if (op == MOUNT_NOEXEC) {
+                // nothing to do if path is mounted noexec already
+                if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
+                        close(fd);
+                        return;
+                }
+                flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
+        }
+        // read-only option
+        else if (op == MOUNT_READONLY) {
+                // nothing to do if path is mounted read-only already
+                if ((flags & MS_RDONLY) == MS_RDONLY) {
+                        close(fd);
+                        return;
+                }
+                flags |= MS_RDONLY;
+        }
+        else
+                assert(0);
+
+        if (arg_debug)
+                printf("Mounting %s %s\n", opstr[op], path);
+
+        // make path a mount point:
+        // mount --bind path path
+        EUID_ROOT();
+        int err = bind_mount_by_fd(fd, fd);
+        EUID_USER();
+        if (err) {
+                close(fd);
+                goto out;
+        }
+
+        // remount the mount point
+        // need to open path again
+        int fd2 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        close(fd); // earliest timepoint to close fd
+        if (fd2 < 0)
+                goto out;
+
+        // device and inode number should be the same
+        struct stat s2;
+        if (fstat(fd2, &s2) < 0)
+                errExit("fstat");
+        if (s.st_dev != s2.st_dev || s.st_ino != s2.st_ino)
+                errLogExit("invalid %s mount", opstr[op]);
+
+        EUID_ROOT();
+        err = remount_by_fd(fd2, flags);
+        EUID_USER();
+        close(fd2);
+        if (err)
+                goto out;
+
+        // run a sanity check on /proc/self/mountinfo and confirm that target of the last
+        // mount operation was path; if there are other mount points contained inside path,
+        // one of those will show up as target of the last mount operation instead
+        MountData *mptr = get_last_mount();
+        size_t len = strlen(path);
+        if ((strncmp(mptr->dir, path, len) != 0 ||
+           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
+           && strcmp(path, "/") != 0) // support read-only=/
+                errLogExit("invalid %s mount", opstr[op]);
+
+        fs_logger2(opstr[op], path);
+        return;
+
+out:
+        fwarning("not remounting %s\n", path);
 }
 
-void fs_noexec(const char *dir) {
+// remount recursively; requires a resolved path
+static void fs_remount_rec(const char *dir, OPERATION op) {
+        EUID_ASSERT();
         assert(dir);
-        // check directory exists
+
         struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                // mount --bind /bin /bin
-                // mount --bind -o remount,ro /bin
-                unsigned long flags = 0;
-                get_mount_flags(dir, &flags);
-                if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID))
-                        return;
-                flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
-                        errExit("mount noexec");
-                fs_logger2("noexec", dir);
+        if (stat(dir, &s) != 0)
+                return;
+        if (!S_ISDIR(s.st_mode)) {
+                // no need to search in /proc/self/mountinfo for submounts if not a directory
+                fs_remount_simple(dir, op);
+                return;
+        }
+        // get mount point of the directory
+        int mountid = get_mount_id(dir);
+        if (mountid == -1)
+                return;
+        if (mountid == -2) {
+                // falling back to a simple remount on old kernels
+                static int mount_warning = 0;
+                if (!mount_warning) {
+                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
+                        mount_warning = 1;
+                }
+                fs_remount_simple(dir, op);
+                return;
+        }
+        // build array with all mount points that need to get remounted
+        char **arr = build_mount_array(mountid, dir);
+        assert(arr);
+        // remount
+        char **tmp = arr;
+        while (*tmp) {
+                fs_remount_simple(*tmp, op);
+                free(*tmp++);
+        }
+        free(arr);
+}
+
+// resolve a path and remount it
+void fs_remount(const char *path, OPERATION op, int rec) {
+        assert(path);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        char *rpath = realpath(path, NULL);
+        if (rpath) {
+                if (rec)
+                        fs_remount_rec(rpath, op);
+                else
+                        fs_remount_simple(rpath, op);
+                free(rpath);
         }
+
+        if (called_as_root)
+                EUID_ROOT();
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
-        disable_file(BLACKLIST_FILE, "/mnt");
-        disable_file(BLACKLIST_FILE, "/media");
-        disable_file(BLACKLIST_FILE, "/run/mount");
-        disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+        EUID_USER();
+        if (enforce) {
+                // disable-mnt set in firejail.config
+                // overriding with noblacklist is not possible in this case
+                disable_file(BLACKLIST_FILE, "/mnt");
+                disable_file(BLACKLIST_FILE, "/media");
+                disable_file(BLACKLIST_FILE, "/run/mount");
+                disable_file(BLACKLIST_FILE, "/run/media");
+        }
+        else {
+                profile_add("blacklist /mnt");
+                profile_add("blacklist /media");
+                profile_add("blacklist /run/mount");
+                profile_add("blacklist /run/media");
+        }
+        EUID_ROOT();
 }
 
 
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
-        if (arg_debug)
-                printf("Remounting /proc and /proc/sys filesystems\n");
-        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-                errExit("mounting /proc");
-        fs_logger("remount /proc");
 
         // remount /proc/sys readonly
+        if (arg_debug)
+                printf("Mounting read-only /proc/sys\n");
         if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
             mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mounting /proc/sys");
         fs_logger("read-only /proc/sys");
 
-
         /* Mount a version of /sys that describes the network namespace */
         if (arg_debug)
                 printf("Remounting /sys directory\n");
-        if (umount2("/sys", MNT_DETACH) < 0)
-                fwarning("failed to unmount /sys\n");
+        // sysfs not yet mounted in overlays, so don't try to unmount it
+        // expect that unmounting /sys fails in a chroot, no need to print a warning in that case
+        if (!arg_overlay) {
+                if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir)
+                        fwarning("failed to unmount /sys\n");
+        }
         if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
                 fwarning("failed to mount /sys\n");
         else
                 fs_logger("remount /sys");
 
+        EUID_USER();
+
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
-                EUID_USER();
+        { // allow user access to some directories in /sys/ by specifying 'noblacklist' option
                 profile_add("blacklist /sys/fs");
-                EUID_ROOT();
+                profile_add("blacklist /sys/module");
         }
-        disable_file(BLACKLIST_FILE, "/sys/module");
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
         disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
@@ -556,7 +769,8 @@ void fs_proc_sys_dev_boot(void) {
         // various /proc files
         disable_file(BLACKLIST_FILE, "/proc/irq");
         disable_file(BLACKLIST_FILE, "/proc/bus");
-        disable_file(BLACKLIST_FILE, "/proc/config.gz");
+        // move /proc/config.gz to disable-common.inc
+        //disable_file(BLACKLIST_FILE, "/proc/config.gz");
         disable_file(BLACKLIST_FILE, "/proc/sched_debug");
         disable_file(BLACKLIST_FILE, "/proc/timer_list");
         disable_file(BLACKLIST_FILE, "/proc/timer_stats");
@@ -579,12 +793,8 @@ void fs_proc_sys_dev_boot(void) {
         // disable /dev/port
         disable_file(BLACKLIST_FILE, "/dev/port");
 
-
-
         // disable various ipc sockets in /run/user
         if (!arg_writable_run_user) {
-                struct stat s;
-        
                 char *fname;
                 if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
                         errExit("asprintf");
@@ -593,20 +803,18 @@ void fs_proc_sys_dev_boot(void) {
                         char *fnamegpg;
                         if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
                                 errExit("asprintf");
-                        if (stat(fnamegpg, &s) == -1)
-                            mkdir_attr(fnamegpg, 0700, getuid(), getgid());
-                        if (stat(fnamegpg, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamegpg);
+                        if (create_empty_dir_as_user(fnamegpg, 0700))
+                                fs_logger2("create", fnamegpg);
+                        disable_file(BLACKLIST_FILE, fnamegpg);
                         free(fnamegpg);
-        
+
                         // disable /run/user/{uid}/systemd
                         char *fnamesysd;
                         if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
                                 errExit("asprintf");
-                        if (stat(fnamesysd, &s) == -1)
-                                mkdir_attr(fnamesysd, 0755, getuid(), getgid());
-                        if (stat(fnamesysd, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamesysd);
+                        if (create_empty_dir_as_user(fnamesysd, 0755))
+                                fs_logger2("create", fnamesysd);
+                        disable_file(BLACKLIST_FILE, fnamesysd);
                         free(fnamesysd);
                 }
                 free(fname);
@@ -617,28 +825,26 @@ void fs_proc_sys_dev_boot(void) {
                 disable_file(BLACKLIST_FILE, "/dev/kmsg");
                 disable_file(BLACKLIST_FILE, "/proc/kmsg");
         }
-}
 
-// disable firejail configuration in /etc/firejail and in ~/.config/firejail
-static void disable_config(void) {
-        struct stat s;
+        EUID_ROOT();
+}
 
+// disable firejail configuration in ~/.config/firejail
+void disable_config(void) {
+        EUID_USER();
         char *fname;
         if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (stat(fname, &s) == 0)
-                disable_file(BLACKLIST_FILE, fname);
+        disable_file(BLACKLIST_FILE, fname);
         free(fname);
 
         // disable run time information
-        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
-        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
-        if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
-        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        EUID_ROOT();
 }
 
 
@@ -646,36 +852,42 @@ static void disable_config(void) {
 void fs_basic_fs(void) {
         uid_t uid = getuid();
 
+        // mount a new proc filesystem
+        if (arg_debug)
+                printf("Mounting /proc filesystem representing the PID namespace\n");
+        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
+        EUID_USER();
         if (arg_debug)
-                printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+                printf("Basic read-only filesystem:\n");
         if (!arg_writable_etc) {
-                fs_rdonly("/etc");
+                fs_remount("/etc", MOUNT_READONLY, 1);
                 if (uid)
-                        fs_noexec("/etc");
-                if (arg_debug) printf(", /etc");
+                        fs_remount("/etc", MOUNT_NOEXEC, 1);
         }
         if (!arg_writable_var) {
-                fs_rdonly("/var");
+                fs_remount("/var", MOUNT_READONLY, 1);
                 if (uid)
-                        fs_noexec("/var");
-                if (arg_debug) printf(", /var");
+                        fs_remount("/var", MOUNT_NOEXEC, 1);
         }
-        if (arg_debug) printf("\n");
-        fs_rdonly("/bin");
-        fs_rdonly("/sbin");
-        fs_rdonly("/lib");
-        fs_rdonly("/lib64");
-        fs_rdonly("/lib32");
-        fs_rdonly("/libx32");
-        fs_rdonly("/usr");
+        fs_remount("/usr", MOUNT_READONLY, 1);
+        fs_remount("/bin", MOUNT_READONLY, 1);
+        fs_remount("/sbin", MOUNT_READONLY, 1);
+        fs_remount("/lib", MOUNT_READONLY, 1);
+        fs_remount("/lib64", MOUNT_READONLY, 1);
+        fs_remount("/lib32", MOUNT_READONLY, 1);
+        fs_remount("/libx32", MOUNT_READONLY, 1);
+        EUID_ROOT();
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
-        fs_var_tmp();
+        if (!arg_keep_var_tmp)
+          fs_var_tmp();
         if (!arg_writable_var_log)
                 fs_var_log();
         else
-                fs_rdwr("/var/log");
+                fs_remount("/var/log", MOUNT_RDWR_NOCHECK, 0);
 
         fs_var_lib();
         fs_var_cache();
@@ -686,8 +898,6 @@ void fs_basic_fs(void) {
         restrict_users();
 
         // when starting as root, firejail config is not disabled;
-        // this mode could be used to install and test new software by chaining
-        // firejail sandboxes (firejail --force)
         if (uid)
                 disable_config();
 }
@@ -696,57 +906,54 @@ void fs_basic_fs(void) {
 
 #ifdef HAVE_OVERLAYFS
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+        assert(subdirname);
+        EUID_ASSERT();
         struct stat s;
         char *dirname;
 
-        // create ~/.firejail directory
         if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                 errExit("asprintf");
-
-        if (is_link(dirname)) {
-                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
-                exit(1);
-        }
-        if (stat(dirname, &s) == -1) {
-                // create directory
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        // create directory
-                        if (mkdir(dirname, 0700))
-                                errExit("mkdir");
-                        if (chmod(dirname, 0700) == -1)
-                                errExit("chmod");
-                        ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
-                        _exit(0);
+        // check if ~/.firejail already exists
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
                 }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-                if (stat(dirname, &s) == -1) {
-                        fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
                         exit(1);
                 }
         }
-        else if (s.st_uid != getuid()) {
-                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
-                exit(1);
+        else {
+                // create ~/.firejail directory
+                create_empty_dir_as_user(dirname, 0700);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create directory %s\n", dirname);
+                        exit(1);
+                }
         }
         free(dirname);
 
         // check overlay directory
         if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
                 errExit("asprintf");
-        if (is_link(dirname)) {
-                fprintf(stderr, "Error: overlay directory is a symbolic link\n");
-                exit(1);
-        }
-        if (allow_reuse == 0) {
-                if (stat(dirname, &s) == 0) {
-                        fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname);
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
+                }
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
+                        exit(1);
+                }
+                if (allow_reuse == 0) {
+                        fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
                         exit(1);
                 }
         }
@@ -783,9 +990,11 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 // # umount /root/overlay/root
 
 
-// to do: fix the code below; also, it might work without /dev; impose seccomp/caps filters when not root
+// to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean
 #include <sys/utsname.h>
 void fs_overlayfs(void) {
+        struct stat s;
+
         // check kernel version
         struct utsname u;
         int rv = uname(&u);
@@ -808,54 +1017,88 @@ void fs_overlayfs(void) {
         if (major == 3 && minor < 18)
                 oldkernel = 1;
 
-        char *oroot;
-        if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
-                errExit("asprintf");
+        // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
+        // we disable overlayfs for now, pending fixing
+        if (major >= 4 &&minor >= 19) {
+                fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
+                exit(1);
+        }
+
+        char *oroot = RUN_OVERLAY_ROOT;
         mkdir_attr(oroot, 0755, 0, 0);
 
-        struct stat s;
+        // set base for working and diff directories
         char *basedir = RUN_MNT_DIR;
+        int basefd = -1;
+
         if (arg_overlay_keep) {
-                // set base for working and diff directories
                 basedir = cfg.overlay_dir;
-
-                // does the overlay exist?
-                if (stat(basedir, &s) == 0) {
-                        if (arg_overlay_reuse == 0) {
-                                fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
-                                exit(1);
-                        }
-                }
-                else {
-                        /* coverity[toctou] */
-                        if (mkdir(basedir, 0755) != 0) {
-                                fprintf(stderr, "Error: cannot create overlay directory\n");
-                                exit(1);
-                        }
+                assert(basedir);
+                // get a file descriptor for ~/.firejail, fails if there is any symlink
+                char *firejail;
+                if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
+                        errExit("asprintf");
+                int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (fd == -1)
+                        errExit("safer_openat");
+                free(firejail);
+                // create basedir if it doesn't exist
+                // the new directory will be owned by root
+                const char *dirname = gnu_basename(basedir);
+                if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
+                        perror("mkdir");
+                        fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
+                        exit(1);
                 }
+                // open basedir
+                basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                close(fd);
+        }
+        else {
+                basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        }
+        if (basefd == -1) {
+                perror("open");
+                fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
+                exit(1);
         }
 
-        char *odiff;
-        if(asprintf(&odiff, "%s/odiff", basedir) == -1)
-                errExit("asprintf");
+        // confirm once more base is owned by root
+        if (fstat(basefd, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
+                exit(1);
+        }
+        // confirm permissions of base are 0755
+        if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
+                fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
+                exit(1);
+        }
 
+        // create diff and work directories inside base
         // no need to check arg_overlay_reuse
-        if (stat(odiff, &s) != 0) {
-                mkdir_attr(odiff, 0755, 0, 0);
+        char *odiff;
+        if (asprintf(&odiff, "%s/odiff", basedir) == -1)
+                errExit("asprintf");
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
+                exit(1);
         }
-        else if (set_perms(odiff, 0, 0, 0755))
-                errExit("set_perms");
+        ASSERT_PERMS(odiff, 0, 0, 0755);
 
         char *owork;
-        if(asprintf(&owork, "%s/owork", basedir) == -1)
+        if (asprintf(&owork, "%s/owork", basedir) == -1)
                 errExit("asprintf");
-
-        // no need to check arg_overlay_reuse
-        if (stat(owork, &s) != 0) {
-                mkdir_attr(owork, 0755, 0, 0);
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
+                exit(1);
         }
-        else if (set_perms(owork, 0, 0, 0755))
-                errExit("chown");
+        ASSERT_PERMS(owork, 0, 0, 0755);
 
         // mount overlayfs
         if (arg_debug)
@@ -874,8 +1117,10 @@ void fs_overlayfs(void) {
         else { // kernel 3.18 or newer
                 if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
                         errExit("asprintf");
-                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0)
+                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
+                        fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
                         errExit("mounting overlayfs");
+                }
 
                 //***************************
                 // issue #263 start code
@@ -895,52 +1140,58 @@ void fs_overlayfs(void) {
 
                         // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
                         // must create var for oroot/cfg.homedir
-                        if (asprintf(&overlayhome,"%s%s",oroot,cfg.homedir) == -1)
+                        if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
                                 errExit("asprintf");
-                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n",overlayhome);
+                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
 
                         // if no homedir in overlay -- create another overlay for /home
-                        if (stat(overlayhome, &s) == -1) {
-
-                                if(asprintf(&hroot, "%s/oroot/home", RUN_MNT_DIR) == -1)
-                                        errExit("asprintf");
-
-                                if(asprintf(&hdiff, "%s/hdiff", basedir) == -1)
-                                        errExit("asprintf");
+                        if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
 
                                 // no need to check arg_overlay_reuse
-                                if (stat(hdiff, &s) != 0) {
-                                        mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
-                                }
-                                else if (set_perms(hdiff, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
-                                        errExit("set_perms");
-
-                                if(asprintf(&hwork, "%s/hwork", basedir) == -1)
+                                if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
                                         errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
+                                        exit(1);
+                                }
+                                ASSERT_PERMS(hdiff, 0, 0, 0755);
 
                                 // no need to check arg_overlay_reuse
-                                if (stat(hwork, &s) != 0) {
-                                        mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
+                                if (asprintf(&hwork, "%s/hwork", basedir) == -1)
+                                        errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
+                                        exit(1);
                                 }
-                                else if (set_perms(hwork, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
-                                        errExit("set_perms");
+                                ASSERT_PERMS(hwork, 0, 0, 0755);
 
                                 // no homedir in overlay so now mount another overlay for /home
+                                if (asprintf(&hroot, "%s/home", oroot) == -1)
+                                        errExit("asprintf");
                                 if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
                                         errExit("asprintf");
                                 if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
                                         errExit("mounting overlayfs for mounted home directory");
 
                                 printf("OverlayFS for /home configured in %s directory\n", basedir);
+                                free(hroot);
+                                free(hdiff);
+                                free(hwork);
+
                         } // stat(overlayhome)
                         free(overlayhome);
                 }
                 // issue #263 end code
                 //***************************
         }
-        if (!arg_quiet)
-                printf("OverlayFS configured in %s directory\n", basedir);
+        fmessage("OverlayFS configured in %s directory\n", basedir);
+        close(basefd);
 
+        // /dev, /run and /tmp are not covered by the overlay
         // mount-bind dev directory
         if (arg_debug)
                 printf("Mounting /dev\n");
@@ -961,37 +1212,36 @@ void fs_overlayfs(void) {
                 errExit("mounting /run");
         fs_logger("whitelist /run");
 
-        // mount-bind /tmp/.X11-unix directory
-        if (stat("/tmp/.X11-unix", &s) == 0) {
-                if (arg_debug)
-                        printf("Mounting /tmp/.X11-unix\n");
-                char *x11;
-                if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1)
-                        errExit("asprintf");
-                if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        fwarning("cannot mount /tmp/.X11-unix in overlay\n");
-                else
-                        fs_logger("whitelist /tmp/.X11-unix");
-                free(x11);
-        }
+        // mount-bind tmp directory
+        if (arg_debug)
+                printf("Mounting /tmp\n");
+        char *tmp;
+        if (asprintf(&tmp, "%s/tmp", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /tmp");
+        fs_logger("whitelist /tmp");
 
         // chroot in the new filesystem
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         if (chroot(oroot) == -1)
                 errExit("chroot");
 
+        // mount a new proc filesystem
+        if (arg_debug)
+                printf("Mounting /proc filesystem representing the PID namespace\n");
+        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
         // update /var directory in order to support multiple sandboxes running on the same root directory
 //      if (!arg_private_dev)
 //              fs_dev_shm();
         fs_var_lock();
-        fs_var_tmp();
+        if (!arg_keep_var_tmp)
+                fs_var_tmp();
         if (!arg_writable_var_log)
                 fs_var_log();
-        else
-                fs_rdwr("/var/log");
-
         fs_var_lib();
         fs_var_cache();
         fs_var_utmp();
@@ -1001,260 +1251,34 @@ void fs_overlayfs(void) {
         restrict_users();
 
         // when starting as root, firejail config is not disabled;
-        // this mode could be used to install and test new software by chaining
-        // firejail sandboxes (firejail --force)
         if (getuid() != 0)
                 disable_config();
 
         // cleanup and exit
         free(option);
-        free(oroot);
         free(odiff);
+        free(owork);
+        free(dev);
+        free(run);
+        free(tmp);
 }
 #endif
 
-
-#ifdef HAVE_CHROOT
-// return 1 if error
-void fs_check_chroot_dir(const char *rootdir) {
+// this function is called from sandbox.c before blacklist/whitelist functions
+void fs_private_tmp(void) {
         EUID_ASSERT();
-        assert(rootdir);
-        struct stat s;
-        char *name;
-
-        if (strcmp(rootdir, "/tmp") == 0 || strcmp(rootdir, "/var/tmp") == 0) {
-                fprintf(stderr, "Error: invalid chroot directory\n");
-                exit(1);
-        }
-
-        // rootdir has to be owned by root
-        if (stat(rootdir, &s) != 0) {
-                fprintf(stderr, "Error: cannot find chroot directory\n");
-                exit(1);
-        }
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: chroot directory should be owned by root\n");
-                exit(1);
-        }
-
-        // check /dev
-        if (asprintf(&name, "%s/dev", rootdir) == -1)
-                errExit("asprintf");
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: cannot find /dev in chroot directory\n");
-                exit(1);
-        }
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: chroot /dev directory should be owned by root\n");
-                exit(1);
-        }
-        free(name);
-
-        // check /var/tmp
-        if (asprintf(&name, "%s/var/tmp", rootdir) == -1)
-                errExit("asprintf");
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: cannot find /var/tmp in chroot directory\n");
-                exit(1);
-        }
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: chroot /var/tmp directory should be owned by root\n");
-                exit(1);
-        }
-        free(name);
-
-        // check /proc
-        if (asprintf(&name, "%s/proc", rootdir) == -1)
-                errExit("asprintf");
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: cannot find /proc in chroot directory\n");
-                exit(1);
-        }
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: chroot /proc directory should be owned by root\n");
-                exit(1);
-        }
-        free(name);
-
-        // check /tmp
-        if (asprintf(&name, "%s/tmp", rootdir) == -1)
-                errExit("asprintf");
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: cannot find /tmp in chroot directory\n");
-                exit(1);
-        }
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: chroot /tmp directory should be owned by root\n");
-                exit(1);
-        }
-        free(name);
-
-        // check /etc
-        if (asprintf(&name, "%s/etc", rootdir) == -1)
-                errExit("asprintf");
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: cannot find /etc in chroot directory\n");
-                exit(1);
-        }
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: chroot /etc directory should be owned by root\n");
-                exit(1);
-        }
-        free(name);
-
-        // check /etc/resolv.conf
-        if (asprintf(&name, "%s/etc/resolv.conf", rootdir) == -1)
-                errExit("asprintf");
-        if (stat(name, &s) == 0) {
-                if (s.st_uid != 0) {
-                        fprintf(stderr, "Error: chroot /etc/resolv.conf should be owned by root\n");
-                        exit(1);
-                }
-        }
-        else {
-                fprintf(stderr, "Error: chroot /etc/resolv.conf not found\n");
-                exit(1);
-        }
-        // on Arch /etc/resolv.conf could be a symlink to /run/systemd/resolve/resolv.conf
-        // on Ubuntu 17.04 /etc/resolv.conf could be a symlink to /run/resolveconf/resolv.conf
-        if (is_link(name)) {
-                // check the link points in chroot
-                char *rname = realpath(name, NULL);
-                if (!rname || strncmp(rname, rootdir, strlen(rootdir)) != 0) {
-                        fprintf(stderr, "Error: chroot /etc/resolv.conf is pointing outside chroot\n");
-                        exit(1);
-                }
-        }
-        free(name);
-
-        // check x11 socket directory
-        if (getenv("FIREJAIL_X11")) {
-                char *name;
-                if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1)
-                        errExit("asprintf");
-                if (stat(name, &s) == -1) {
-                        fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n");
-                        exit(1);
-                }
-                if (s.st_uid != 0) {
-                        fprintf(stderr, "Error: chroot /tmp/.X11-unix directory should be owned by root\n");
-                        exit(1);
-                }
-                free(name);
-        }
-}
-
-// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
-void fs_chroot(const char *rootdir) {
-        assert(rootdir);
-
-        if (checkcfg(CFG_CHROOT_DESKTOP)) {
-                // mount-bind a /dev in rootdir
-                char *newdev;
-                if (asprintf(&newdev, "%s/dev", rootdir) == -1)
-                        errExit("asprintf");
-                if (arg_debug)
-                        printf("Mounting /dev on %s\n", newdev);
-                if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /dev");
-                free(newdev);
-
-                // x11
-                if (getenv("FIREJAIL_X11")) {
-                        char *newx11;
-                        if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
-                                errExit("asprintf");
-                        if (arg_debug)
-                                printf("Mounting /tmp/.X11-unix on %s\n", newx11);
-                        if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mounting /tmp/.X11-unix");
-                        free(newx11);
-                }
-
-                // some older distros don't have a /run directory
-                // create one by default
-                // create /run/firejail directory in chroot
-                char *rundir;
-                if (asprintf(&rundir, "%s/run", rootdir) == -1)
-                        errExit("asprintf");
-                if (is_link(rundir)) {
-                        fprintf(stderr, "Error: invalid run directory inside chroot\n");
-                        exit(1);
-                }
-                create_empty_dir_as_root(rundir, 0755);
-                free(rundir);
-                if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
-                        errExit("asprintf");
-                create_empty_dir_as_root(rundir, 0755);
-                free(rundir);
-
-                // create /run/firejail/mnt directory in chroot and mount the current one
-                if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
-                        errExit("asprintf");
-                create_empty_dir_as_root(rundir, 0755);
-                if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-
-                // copy /etc/resolv.conf in chroot directory
-                char *fname;
-                if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
-                        errExit("asprintf");
-                if (arg_debug)
-                        printf("Updating /etc/resolv.conf in %s\n", fname);
-                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
-                        fwarning("/etc/resolv.conf not initialized\n");
-        }
-
-        // chroot into the new directory
-#ifdef HAVE_GCOV
-        __gcov_flush();
-#endif
         if (arg_debug)
-                printf("Chrooting into %s\n", rootdir);
-        if (chroot(rootdir) < 0)
-                errExit("chroot");
-
-        // create all other /run/firejail files and directories
-        preproc_build_firejail_dir();
-
-        if (checkcfg(CFG_CHROOT_DESKTOP)) {
-                // update /var directory in order to support multiple sandboxes running on the same root directory
-//              if (!arg_private_dev)
-//                      fs_dev_shm();
-                fs_var_lock();
-                fs_var_tmp();
-                if (!arg_writable_var_log)
-                        fs_var_log();
-                else
-                        fs_rdwr("/var/log");
-
-                fs_var_lib();
-                fs_var_cache();
-                fs_var_utmp();
-                fs_machineid();
+                printf("Generate private-tmp whitelist commands\n");
 
-                // don't leak user information
-                restrict_users();
-
-                // when starting as root, firejail config is not disabled;
-                // this mode could be used to install and test new software by chaining
-                // firejail sandboxes (firejail --force)
-                if (getuid() != 0)
-                        disable_config();
-        }
-}
-#endif
-
-// this function is called from sandbox.c before blacklist/whitelist functions
-void fs_private_tmp(void) {
         // check XAUTHORITY file, KDE keeps it under /tmp
-        char *xauth = getenv("XAUTHORITY");
+        const char *xauth = env_get("XAUTHORITY");
         if (xauth) {
                 char *rp = realpath(xauth, NULL);
                 if (rp && strncmp(rp, "/tmp/", 5) == 0) {
                         char *cmd;
                         if (asprintf(&cmd, "whitelist %s", rp) == -1)
                                 errExit("asprintf");
+                        profile_check_line(cmd, 0, NULL);
                         profile_add(cmd); // profile_add does not duplicate the string
                 }
                 if (rp)
@@ -1263,6 +1287,11 @@ void fs_private_tmp(void) {
 
         // whitelist x11 directory
         profile_add("whitelist /tmp/.X11-unix");
+        // read-only x11 directory
+        profile_add("read-only /tmp/.X11-unix");
+
+        // whitelist sndio directory
+        profile_add("whitelist /tmp/sndio");
 
         // whitelist any pulse* file in /tmp directory
         // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
@@ -1281,10 +1310,9 @@ void fs_private_tmp(void) {
                         char *cmd;
                         if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
                                 errExit("asprintf");
+                        profile_check_line(cmd, 0, NULL);
                         profile_add(cmd); // profile_add does not duplicate the string
                 }
         }
         closedir(dir);
-
-
 }
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 9aa227caf..61398f12b 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,6 +23,9 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
+#include <glob.h>
+
+static int prog_cnt = 0;
 
 static char *paths[] = {
         "/usr/local/bin",
@@ -39,7 +42,6 @@ static char *paths[] = {
 // return 1 if found, 0 if not found
 static char *check_dir_or_file(const char *name) {
         assert(name);
-
         struct stat s;
         char *fname = NULL;
 
@@ -98,17 +100,24 @@ static char *check_dir_or_file(const char *name) {
 static int valid_full_path_file(const char *name) {
         assert(name);
 
-        char *full_name = realpath(name, NULL);
-        if (!full_name)
-                goto errexit;
-        char *fname = strrchr(full_name, '/');
-        if (!fname)
-                goto errexit;
-        if (*(++fname) == '\0')
-                goto errexit;
+        if (*name != '/')
+                return 0;
+        if (strstr(name, ".."))
+                return 0;
 
+        // do we have a file?
+        struct stat s;
+        if (stat(name, &s) == -1)
+                return 0;
+        // directories not allowed
+        if (S_ISDIR(s.st_mode))
+                return 0;
+        // checking access
+        if (access(name, X_OK) == -1)
+                return 0;
+
+        // check standard paths
         int i = 0;
-        int found = 0;
         while (paths[i]) {
                 // private-bin-no-local can be disabled in /etc/firejail/firejail.config
                 if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) {
@@ -116,54 +125,48 @@ static int valid_full_path_file(const char *name) {
                         continue;
                 }
 
-                // check file
-                char *full_name2;
-                if (asprintf(&full_name2, "%s/%s", paths[i], fname) == -1)
-                        errExit("asprintf");
-
-                if (strcmp(full_name, full_name2) == 0) {
-                        free(full_name2);
-                        found = 1;
-                        break;
-                }
-
-                free(full_name2);
+                int len = strlen(paths[i]);
+                if (strncmp(name, paths[i], len) == 0 && name[len] == '/' && name[len + 1] != '\0')
+                        return 1;
                 i++;
         }
-
-        if (!found)
-                goto errexit;
-
-        free(full_name);
-        return 1;
-
-errexit:
         if (arg_debug)
-                fwarning("file %s not found\n", name);
-        if (full_name)
-                free(full_name);
+                printf("file %s not found\n", name);
         return 0;
 }
 
-static void duplicate(char *fname, FILE *fplist) {
+static void report_duplication(const char *fname) {
+        // report the file on all bin paths
+        int i = 0;
+        while (paths[i]) {
+                char *p;
+                if (asprintf(&p, "%s/%s", paths[i], fname) == -1)
+                        errExit("asprintf");
+                fs_logger2("clone", p);
+                free(p);
+                i++;
+        }
+}
+
+static void duplicate(char *fname) {
+        assert(fname);
+
         if (*fname == '~' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
-        invalid_filename(fname);
+        invalid_filename(fname, 0); // no globbing
 
         char *full_path;
         if (*fname == '/') {
                 // If the absolute filename is indicated, directly use it. This
-                // is required for the following three cases:
+                // is required for the following cases:
                 //  - if user's $PATH order is not the same as the above
                 //    paths[] variable order
-                //  - if for example /usr/bin/which is a symlink to /bin/which,
-                //    because in this case the result is a symlink pointing to
-                //    itself due to the file name being the same.
-
-                if (!valid_full_path_file(fname))
+                if (!valid_full_path_file(fname)) {
+                        fwarning("invalid private-bin path %s\n", fname);
                         return;
+                }
 
                 full_path = strdup(fname);
                 if (!full_path)
@@ -179,35 +182,97 @@ static void duplicate(char *fname, FILE *fplist) {
                         errExit("asprintf");
         }
 
-        if (fplist)
-                fprintf(fplist, "%s\n", full_path);
-
-        // copy the file
-        if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
+        // add to private-lib list
+        if (cfg.bin_private_lib == NULL) {
+                if (asprintf(&cfg.bin_private_lib, "%s,%s",fname, full_path) == -1)
+                        errExit("asprintf");
+        }
         else {
-                // if full_path is simlink, and the link is in our path, copy both
-                if (is_link(full_path)) {
-                        char *actual_path = realpath(full_path, NULL);
-                        if (actual_path) {
-                                if (valid_full_path_file(actual_path))
-                                        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
-                                free(actual_path);
+                char *tmp;
+                if (asprintf(&tmp, "%s,%s,%s", cfg.bin_private_lib, fname, full_path) == -1)
+                        errExit("asprintf");
+                free(cfg.bin_private_lib);
+                cfg.bin_private_lib = tmp;
+        }
+
+        // if full_path is symlink, and the link is in our path, copy both the file and the symlink
+        if (is_link(full_path)) {
+                char *actual_path = realpath(full_path, NULL);
+                if (actual_path) {
+                        if (valid_full_path_file(actual_path)) {
+                                // solving problems such as /bin/sh -> /bin/dash
+                                // copy the real file pointed by symlink
+                                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR);
+                                prog_cnt++;
+                                char *f = strrchr(actual_path, '/');
+                                if (f && *(++f) !='\0')
+                                        report_duplication(f);
                         }
+                        free(actual_path);
                 }
-
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
         }
 
-        fs_logger2("clone", fname);
+        // copy a file or a symlink
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR);
+        prog_cnt++;
         free(full_path);
+        report_duplication(fname);
 }
 
+static void globbing(char *fname) {
+        assert(fname);
+
+        // go directly to duplicate() if no globbing char is present - see man 7 glob
+        if (strrchr(fname, '*') == NULL &&
+            strrchr(fname, '[') == NULL &&
+            strrchr(fname, '?') == NULL)
+                return duplicate(fname);
+
+        // loop through paths[]
+        int i = 0;
+        while (paths[i]) {
+                // private-bin-no-local can be disabled in /etc/firejail/firejail.config
+                if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) {
+                        i++;
+                        continue;
+                }
+
+                // check file
+                char *pattern;
+                if (asprintf(&pattern, "%s/%s", paths[i], fname) == -1)
+                        errExit("asprintf");
+
+                // globbing
+                glob_t globbuf;
+                int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+                if (globerr) {
+                        fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern);
+                        exit(1);
+                }
+
+                size_t j;
+                for (j = 0; j < globbuf.gl_pathc; j++) {
+                        assert(globbuf.gl_pathv[j]);
+                        // testing for GLOB_NOCHECK - no pattern matched returns the original pattern
+                        if (strcmp(globbuf.gl_pathv[j], pattern) == 0)
+                                continue;
+
+                        duplicate(globbuf.gl_pathv[j]);
+                }
+
+                globfree(&globbuf);
+                free(pattern);
+                i++;
+        }
+}
 
 void fs_private_bin_list(void) {
         char *private_list = cfg.bin_private_keep;
         assert(private_list);
 
+        // start timetrace
+        timetrace_start();
+
         // create /run/firejail/mnt/bin directory
         mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
 
@@ -219,22 +284,16 @@ void fs_private_bin_list(void) {
         if (!dlist)
                 errExit("strdup");
 
-        // save a list of private-bin files in order to bring in private-libs later
-        FILE *fplist = NULL;
-        if (arg_private_lib) {
-                fplist = fopen(RUN_LIB_BIN, "w");
-                if (!fplist)
-                        errExit("fopen");
-        }
-
         char *ptr = strtok(dlist, ",");
-        duplicate(ptr, fplist);
+        if (!ptr) {
+                fprintf(stderr, "Error: invalid private-bin argument\n");
+                exit(1);
+        }
+        globbing(ptr);
         while ((ptr = strtok(NULL, ",")) != NULL)
-                duplicate(ptr, fplist);
+                globbing(ptr);
         free(dlist);
         fs_logger_print();
-        if (fplist)
-                fclose(fplist);
 
         // mount-bind
         int i = 0;
@@ -250,4 +309,6 @@ void fs_private_bin_list(void) {
                 }
                 i++;
         }
+        selinux_relabel_path(RUN_BIN_DIR, "/bin");
+        fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end());
 }
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 0dbbb65a0..8cc3ecc62 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
+#include <errno.h>
 #ifndef _BSD_SOURCE
 #define _BSD_SOURCE
 #endif
@@ -39,6 +40,8 @@ typedef enum {
         DEV_VIDEO,
         DEV_TV,
         DEV_DVD,
+        DEV_U2F,
+        DEV_INPUT
 } DEV_TYPE;
 
 
@@ -76,6 +79,18 @@ static DevEntry dev[] = {
         {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
         {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device
         {"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players
+        {"/dev/hidraw0", RUN_DEV_DIR "/hidraw0", DEV_U2F},
+        {"/dev/hidraw1", RUN_DEV_DIR "/hidraw1", DEV_U2F},
+        {"/dev/hidraw2", RUN_DEV_DIR "/hidraw2", DEV_U2F},
+        {"/dev/hidraw3", RUN_DEV_DIR "/hidraw3", DEV_U2F},
+        {"/dev/hidraw4", RUN_DEV_DIR "/hidraw4", DEV_U2F},
+        {"/dev/hidraw5", RUN_DEV_DIR "/hidraw5", DEV_U2F},
+        {"/dev/hidraw6", RUN_DEV_DIR "/hidraw6", DEV_U2F},
+        {"/dev/hidraw7", RUN_DEV_DIR "/hidraw7", DEV_U2F},
+        {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F},
+        {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F},
+        {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F},      // USB devices such as Yubikey, U2F
+        {"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT},
         {NULL, NULL, DEV_NONE}
 };
 
@@ -84,14 +99,15 @@ static void deventry_mount(void) {
         while (dev[i].dev_fname != NULL) {
                 struct stat s;
                 if (stat(dev[i].run_fname, &s) == 0) {
-                        
                         // check device type and subsystem configuration
                         if ((dev[i].type == DEV_SOUND && arg_nosound == 0) ||
                             (dev[i].type == DEV_3D && arg_no3d == 0) ||
                             (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
                             (dev[i].type == DEV_TV && arg_notv == 0) ||
-                            (dev[i].type == DEV_DVD && arg_nodvd == 0)) {
-                        
+                            (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
+                            (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
+                            (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
+
                                 int dir = is_dir(dev[i].run_fname);
                                 if (arg_debug)
                                         printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
@@ -106,14 +122,14 @@ static void deventry_mount(void) {
                                                 i++;
                                                 continue;
                                         }
-                                        FILE *fp = fopen(dev[i].dev_fname, "w");
+                                        FILE *fp = fopen(dev[i].dev_fname, "we");
                                         if (fp) {
                                                 fprintf(fp, "\n");
                                                 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
                                                 fclose(fp);
                                         }
                                 }
-        
+
                                 if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
                                         errExit("mounting dev file");
                                 fs_logger2("whitelist", dev[i].dev_fname);
@@ -125,32 +141,69 @@ static void deventry_mount(void) {
 }
 
 static void create_char_dev(const char *path, mode_t mode, int major, int minor) {
-        dev_t dev = makedev(major, minor);
-        if (mknod(path, S_IFCHR | mode, dev) == -1)
+        dev_t device = makedev(major, minor);
+        if (mknod(path, S_IFCHR | mode, device) == -1)
                 goto errexit;
         if (chmod(path, mode) < 0)
                 goto errexit;
         ASSERT_PERMS(path, 0, 0, mode);
+        fs_logger2("create", path);
 
         return;
 
 errexit:
-        fprintf(stderr, "Error: cannot create %s device\n", path);
+        fprintf(stderr, "Error: cannot create %s device: %s\n", path, strerror(errno));
         exit(1);
 }
 
 static void create_link(const char *oldpath, const char *newpath) {
-        if (symlink(oldpath, newpath) == -1)
-                goto errexit;
-        if (chown(newpath, 0, 0) < 0)
-                goto errexit;
+        if (symlink(oldpath, newpath) == -1) {
+                fprintf(stderr, "Error: cannot create %s device\n", newpath);
+                exit(1);
+        }
+        fs_logger2("create", newpath);
         return;
+}
+
+static void empty_dev_shm(void) {
+        // create an empty /dev/shm directory
+        mkdir_attr("/dev/shm", 01777, 0, 0);
+        selinux_relabel_path("/dev/shm", "/dev/shm");
+        fs_logger("mkdir /dev/shm");
+        fs_logger("create /dev/shm");
+}
+
+static void mount_dev_shm(void) {
+        mkdir_attr("/dev/shm", 01777, 0, 0);
+        int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
+        if (rv == -1) {
+                fwarning("cannot mount the old /dev/shm in private-dev\n");
+                dbg_test_dir(RUN_DEV_DIR "/shm");
+                empty_dev_shm();
+                return;
+        }
+}
+
+static void process_dev_shm(void) {
+        // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
+        // looking for jack socket
+        EUID_USER();
+        glob_t globbuf;
+        int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
+        if (globerr && !arg_keep_dev_shm) {
+                empty_dev_shm();
+                return;
+        }
+        globfree(&globbuf);
+
+        // if we got here, it means we have a jack server installed
+        // mount-bind the old /dev/shm
+        mount_dev_shm();
 
-errexit:
-        fprintf(stderr, "Error: cannot create %s device\n", newpath);
-        exit(1);
 }
 
+
 void fs_private_dev(void){
         // install a new /dev directory
         if (arg_debug)
@@ -167,7 +220,7 @@ void fs_private_dev(void){
         struct stat s;
         if (stat("/dev/log", &s) == 0) {
                 have_devlog = 1;
-                FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
+                FILE *fp = fopen(RUN_DEVLOG_FILE, "we");
                 if (!fp)
                         have_devlog = 0;
                 else {
@@ -179,7 +232,7 @@ void fs_private_dev(void){
         }
 
         // mount tmpfs on top of /dev
-        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+        if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                 errExit("mounting /dev");
         fs_logger("tmpfs /dev");
 
@@ -188,7 +241,7 @@ void fs_private_dev(void){
 
         // bring back /dev/log
         if (have_devlog) {
-                FILE *fp = fopen("/dev/log", "w");
+                FILE *fp = fopen("/dev/log", "we");
                 if (fp) {
                         fprintf(fp, "\n");
                         fclose(fp);
@@ -196,15 +249,17 @@ void fs_private_dev(void){
                                 errExit("mounting /dev/log");
                         fs_logger("clone /dev/log");
                 }
+                if (mount(RUN_RO_FILE, RUN_DEVLOG_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                        errExit("blacklisting " RUN_DEVLOG_FILE);
         }
-        if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
-                errExit("disable run dev directory");
 
-        // create /dev/shm
+        // bring forward the current /dev/shm directory if necessary
         if (arg_debug)
-                printf("Create /dev/shm directory\n");
-        mkdir_attr("/dev/shm", 01777, 0, 0);
-        fs_logger("mkdir /dev/shm");
+                printf("Process /dev/shm directory\n");
+        process_dev_shm();
+
+        if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable run dev directory");
 
         // create default devices
         create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5
@@ -227,9 +282,13 @@ void fs_private_dev(void){
         // pseudo-terminal
         mkdir_attr("/dev/pts", 0755, 0, 0);
         fs_logger("mkdir /dev/pts");
+        selinux_relabel_path("/dev/pts", "/dev/pts");
+        fs_logger("create /dev/pts");
         create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
+        selinux_relabel_path("/dev/pts/ptmx", "/dev/pts/ptmx");
         fs_logger("mknod /dev/pts/ptmx");
         create_link("/dev/pts/ptmx", "/dev/ptmx");
+        selinux_relabel_path("/dev/ptmx", "/dev/ptmx");
 
 // code before github issue #351
         // mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts
@@ -247,13 +306,11 @@ void fs_private_dev(void){
         free(data);
         fs_logger("clone /dev/pts");
 
-#if 0
         // stdin, stdout, stderr
         create_link("/proc/self/fd", "/dev/fd");
         create_link("/proc/self/fd/0", "/dev/stdin");
         create_link("/proc/self/fd/1", "/dev/stdout");
         create_link("/proc/self/fd/2", "/dev/stderr");
-#endif
 
         // symlinks for DVD/CD players
         if (stat("/dev/sr0", &s) == 0) {
@@ -264,101 +321,81 @@ void fs_private_dev(void){
         }
 }
 
+void fs_dev_disable_sound(void) {
+        unsigned i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].type == DEV_SOUND)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
 
-#if 0
-void fs_dev_shm(void) {
-        uid_t uid = getuid(); // set a new shm only if we started as root
-        if (uid)
+        // disable all jack sockets in /dev/shm
+        glob_t globbuf;
+        int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        if (globerr)
                 return;
 
-        if (is_dir("/dev/shm")) {
-                if (arg_debug)
-                        printf("Mounting tmpfs on /dev/shm\n");
-                if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                        errExit("mounting /dev/shm");
-                fs_logger("tmpfs /dev/shm");
-        }
-        else {
-                char *lnk = realpath("/dev/shm", NULL);
-                if (lnk) {
-                        if (!is_dir(lnk)) {
-                                // create directory
-                                mkdir_attr(lnk, 01777, 0, 0);
-                        }
-                        if (arg_debug)
-                                printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                                errExit("mounting /var/tmp");
-                        fs_logger2("tmpfs", lnk);
-                        free(lnk);
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *path = globbuf.gl_pathv[i];
+                assert(path);
+                if (is_link(path)) {
+                        fwarning("skipping nosound for %s because it is a symbolic link\n", path);
+                        continue;
                 }
-                else {
-                        fwarning("/dev/shm not mounted\n");
-                        dbg_test_dir("/dev/shm");
-                }
-
+                disable_file_or_dir(path);
         }
+        globfree(&globbuf);
 }
-#endif
 
-static void disable_file_or_dir(const char *fname) {
-        if (arg_debug)
-                printf("disable %s\n", fname);
-        struct stat s;
-        if (stat(fname, &s) != -1) {
-                if (is_dir(fname)) {
-                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable directory");
-                }
-                else {
-                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable file");
-                }
+void fs_dev_disable_video(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].type == DEV_VIDEO)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
         }
-        fs_logger2("blacklist", fname);
-
 }
 
-void fs_dev_disable_sound(void) {
+void fs_dev_disable_3d(void) {
         int i = 0;
         while (dev[i].dev_fname != NULL) {
-                if (dev[i].type == DEV_SOUND)
+                if (dev[i].type == DEV_3D)
                         disable_file_or_dir(dev[i].dev_fname);
                 i++;
         }
 }
 
-void fs_dev_disable_video(void) {
+void fs_dev_disable_tv(void) {
         int i = 0;
         while (dev[i].dev_fname != NULL) {
-                if (dev[i].type == DEV_VIDEO)
+                if (dev[i].type == DEV_TV)
                         disable_file_or_dir(dev[i].dev_fname);
                 i++;
         }
 }
 
-void fs_dev_disable_3d(void) {
+void fs_dev_disable_dvd(void) {
         int i = 0;
         while (dev[i].dev_fname != NULL) {
-                if (dev[i].type == DEV_3D)
+                if (dev[i].type == DEV_DVD)
                         disable_file_or_dir(dev[i].dev_fname);
                 i++;
         }
 }
 
-void fs_dev_disable_tv(void) {
+void fs_dev_disable_u2f(void) {
         int i = 0;
         while (dev[i].dev_fname != NULL) {
-                if (dev[i].type == DEV_TV)
+                if (dev[i].type == DEV_U2F)
                         disable_file_or_dir(dev[i].dev_fname);
                 i++;
         }
 }
 
-void fs_dev_disable_dvd(void) {
+void fs_dev_disable_input(void) {
         int i = 0;
         while (dev[i].dev_fname != NULL) {
-                if (dev[i].type == DEV_DVD)
+                if (dev[i].type == DEV_INPUT)
                         disable_file_or_dir(dev[i].dev_fname);
                 i++;
         }
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index b0835d50b..76054b485 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,11 +18,13 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <errno.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
+#include <dirent.h>
 
 // spoof /etc/machine_id
 void fs_machineid(void) {
@@ -51,7 +53,7 @@ void fs_machineid(void) {
         mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
 
         // write it in a file
-        FILE *fp = fopen(RUN_MACHINEID, "w");
+        FILE *fp = fopen(RUN_MACHINEID, "we");
         if (!fp)
                 errExit("fopen");
         fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]);
@@ -59,6 +61,7 @@ void fs_machineid(void) {
         if (set_perms(RUN_MACHINEID, 0, 0, 0444))
                 errExit("set_perms");
 
+        selinux_relabel_path(RUN_MACHINEID, "/etc/machine-id");
 
         struct stat s;
         if (stat("/etc/machine-id", &s) == 0) {
@@ -74,6 +77,44 @@ void fs_machineid(void) {
         }
 }
 
+// Duplicate directory structure from src to dst by creating empty directories.
+// The paths _must_ be identical after their respective prefixes.
+// When finished, dst will point to the target directory. That is, if
+// it starts out pointing to a file, it will instead be truncated so
+// that it contains the parent directory instead.
+static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) {
+        char *p = src + src_prefix_len + 1;
+        char *q = dst + dst_prefix_len + 1;
+        char *r = dst + dst_prefix_len;
+        struct stat s;
+        bool last = false;
+        *r = '\0';
+        for (; !last; p++, q++) {
+                if (*p == '\0') {
+                        last = true;
+                }
+                if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) {
+                        // We found a new component of our src path.
+                        // Null-terminate it temporarily here so that we can work
+                        // with it.
+                        *p = '\0';
+                        if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
+                                // Null-terminate the dst path and undo its previous
+                                // termination.
+                                *q = '\0';
+                                *r = '/';
+                                r = q;
+                                create_empty_dir_as_root(dst, s.st_mode);
+                        }
+                        if (!last) {
+                                // If we're not at the final terminating null, restore
+                                // the slash so that we can continue our traversal.
+                                *p = '/';
+                        }
+                }
+        }
+}
+
 // return 0 if file not found, 1 if found
 static int check_dir_or_file(const char *fname) {
         assert(fname);
@@ -99,11 +140,13 @@ errexit:
 }
 
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
-        if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
+        assert(fname);
+
+        if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
-        invalid_filename(fname);
+        invalid_filename(fname, 0); // no globbing
 
         char *src;
         if (asprintf(&src,  "%s/%s", private_dir, fname) == -1)
@@ -115,33 +158,37 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
         }
 
         if (arg_debug)
-                printf("copying %s to private %s\n", src, private_dir);
+                printf("Copying %s to private %s\n", src, private_dir);
 
-        struct stat s;
-        if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
-                // create the directory in RUN_ETC_DIR
-                char *dirname;
-                if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1)
-                        errExit("asprintf");
-                create_empty_dir_as_root(dirname, s.st_mode);
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname);
-                free(dirname);
-        }
-        else
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir);
+        char *dst;
+        if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1)
+                errExit("asprintf");
 
+        build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir));
+        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst);
+
+        free(dst);
         fs_logger2("clone", src);
         free(src);
 }
 
 
-void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list) {
         assert(private_dir);
         assert(private_run_dir);
         assert(private_list);
 
+        // nothing to do if directory does not exist
+        struct stat s;
+        if (stat(private_dir, &s) == -1) {
+                if (arg_debug)
+                        printf("Cannot find %s: %s\n", private_dir, strerror(errno));
+                return;
+        }
+
         // create /run/firejail/mnt/etc directory
         mkdir_attr(private_run_dir, 0755, 0, 0);
+        selinux_relabel_path(private_run_dir, private_dir);
         fs_logger2("tmpfs", private_dir);
 
         fs_logger_print();      // save the current log
@@ -160,6 +207,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 
 
                 char *ptr = strtok(dlist, ",");
+                if (!ptr) {
+                        fprintf(stderr, "Error: invalid private %s argument\n", private_dir);
+                        exit(1);
+                }
                 duplicate(ptr, private_dir, private_run_dir);
 
                 while ((ptr = strtok(NULL, ",")) != NULL)
@@ -167,10 +218,161 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
                 free(dlist);
                 fs_logger_print();
         }
+}
+
+void fs_private_dir_mount(const char *private_dir, const char *private_run_dir) {
+        assert(private_dir);
+        assert(private_run_dir);
 
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
+
+        // nothing to do if directory does not exist
+        struct stat s;
+        if (stat(private_dir, &s) == -1) {
+                if (arg_debug)
+                        printf("Cannot find %s: %s\n", private_dir, strerror(errno));
+                return;
+        }
+
         if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind");
         fs_logger2("mount", private_dir);
+
+        // mask private_run_dir (who knows if there are writable paths, and it is mounted exec)
+        if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        fs_logger2("tmpfs", private_run_dir);
+}
+
+void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) {
+        timetrace_start();
+        fs_private_dir_copy(private_dir, private_run_dir, private_list);
+        fs_private_dir_mount(private_dir, private_run_dir);
+        fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
+}
+
+void fs_rebuild_etc(void) {
+        int have_dhcp = 1;
+        if (cfg.dns1 == NULL && !any_dhcp())
+                have_dhcp = 0;
+
+        if (arg_debug)
+                printf("rebuilding /etc directory\n");
+        if (mkdir(RUN_DNS_ETC, 0755))
+                errExit("mkdir");
+        selinux_relabel_path(RUN_DNS_ETC, "/etc");
+        fs_logger("tmpfs /etc");
+
+        DIR *dir = opendir("/etc");
+        if (!dir)
+                errExit("opendir");
+
+        struct stat s;
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                // skip files in cfg.profile_rebuild_etc list
+                // these files are already blacklisted
+                {
+                        ProfileEntry *prf = cfg.profile_rebuild_etc;
+                        int found = 0;
+                        while (prf) {
+                                if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/")
+                                        found = 1;
+                                        break;
+                                }
+                                prf = prf->next;
+                        }
+                        if (found)
+                                continue;
+                }
+
+                // for resolv.conf we might have to  create a brand new file later
+                if (have_dhcp &&
+                    (strcmp(entry->d_name, "resolv.conf") == 0 ||
+                     strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0))
+                        continue;
+//              printf("linking %s\n", entry->d_name);
+
+                char *src;
+                if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
+                        errExit("asprintf");
+                if (stat(src, &s) != 0) {
+                        free(src);
+                        continue;
+                }
+
+                char *dest;
+                if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
+                        errExit("asprintf");
+
+                int symlink_done = 0;
+                if (is_link(src)) {
+                        char *rp =realpath(src, NULL);
+                        if (rp == NULL) {
+                                free(src);
+                                free(dest);
+                                continue;
+                        }
+                        if (symlink(rp, dest))
+                                errExit("symlink");
+                        else
+                                symlink_done = 1;
+                }
+                else if (S_ISDIR(s.st_mode))
+                        create_empty_dir_as_root(dest, s.st_mode);
+                else
+                        create_empty_file_as_root(dest, s.st_mode);
+
+                // bind-mount src on top of dest
+                if (!symlink_done) {
+                        if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind mirroring /etc");
+                }
+                fs_logger2("clone", src);
+
+                free(src);
+                free(dest);
+        }
+        closedir(dir);
+
+        // mount bind our private etc directory on top of /etc
+        if (arg_debug)
+                printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
+        if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind mirroring /etc");
+        fs_logger("mount /etc");
+
+        if (have_dhcp == 0)
+                return;
+
+        if (arg_debug)
+                printf("Creating a new /etc/resolv.conf file\n");
+        FILE *fp = fopen("/etc/resolv.conf", "wxe");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
+                exit(1);
+        }
+
+        if (cfg.dns1) {
+                if (any_dhcp())
+                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
+                fprintf(fp, "nameserver %s\n", cfg.dns1);
+        }
+        if (cfg.dns2)
+                fprintf(fp, "nameserver %s\n", cfg.dns2);
+        if (cfg.dns3)
+                fprintf(fp, "nameserver %s\n", cfg.dns3);
+        if (cfg.dns4)
+                fprintf(fp, "nameserver %s\n", cfg.dns4);
+
+        // mode and owner
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+
+        fclose(fp);
+
+        fs_logger("create /etc/resolv.conf");
 }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 9e3678c33..0ed476063 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,9 +20,7 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <linux/limits.h>
-#include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -31,148 +29,182 @@
 #include <grp.h>
 //#include <ftw.h>
 
-static void skel(const char *homedir, uid_t u, gid_t g) {
-        char *fname;
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+static void skel(const char *homedir) {
+        EUID_ASSERT();
 
         // zsh
         if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.zshrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.zshrc");
+                        fs_logger2("clone", fname);
                 }
                 else {
-                        touch_file_as_user(fname, u, g, 0644);
+                        touch_file_as_user(fname, 0644);
                         fs_logger2("touch", fname);
                 }
+                selinux_relabel_path(fname, fname);
                 free(fname);
         }
         // csh
         else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
-
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.cshrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.cshrc");
+                        fs_logger2("clone", fname);
                 }
                 else {
-                        touch_file_as_user(fname, u, g, 0644);
+                        touch_file_as_user(fname, 0644);
                         fs_logger2("touch", fname);
                 }
+                selinux_relabel_path(fname, fname);
                 free(fname);
         }
         // bash etc.
         else {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.bashrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.bashrc");
+                        fs_logger2("clone", fname);
                 }
+                selinux_relabel_path(fname, fname);
                 free(fname);
         }
 }
 
 static int store_xauthority(void) {
+        EUID_ASSERT();
+        if (arg_x11_block)
+                return 0;
+
         // put a copy of .Xauthority in XAUTHORITY_FILE
-        char *src;
         char *dest = RUN_XAUTHORITY_FILE;
-        // create an empty file as root, and change ownership to user
-        FILE *fp = fopen(dest, "w");
-        if (fp) {
-                fprintf(fp, "\n");
-                SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
-                fclose(fp);
-        }
-
+        char *src;
         if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         fwarning("invalid .Xauthority file\n");
+                        free(src);
                         return 0;
                 }
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
+                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
+                FILE *fp = fopen(dest, "we");
+                if (fp) {
+                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
+                        fclose(fp);
+                }
+                else
+                        errExit("fopen");
+                EUID_USER();
+
+                copy_file_as_user(src, dest, 0600); // regular user
+                selinux_relabel_path(dest, src);
                 fs_logger2("clone", dest);
+                free(src);
                 return 1; // file copied
         }
 
+        free(src);
         return 0;
 }
 
 static int store_asoundrc(void) {
-        // put a copy of .Xauthority in XAUTHORITY_FILE
-        char *src;
-        char *dest = RUN_ASOUNDRC_FILE;
-        // create an empty file as root, and change ownership to user
-        FILE *fp = fopen(dest, "w");
-        if (fp) {
-                fprintf(fp, "\n");
-                SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
-                fclose(fp);
-        }
+        EUID_ASSERT();
+        if (arg_nosound)
+                return 0;
 
+        // put a copy of .asoundrc in ASOUNDRC_FILE
+        char *dest = RUN_ASOUNDRC_FILE;
+        char *src;
         if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         // make sure the real path of the file is inside the home directory
                         /* coverity[toctou] */
-                        char* rp = realpath(src, NULL);
+                        char *rp = realpath(src, NULL);
                         if (!rp) {
                                 fprintf(stderr, "Error: Cannot access %s\n", src);
                                 exit(1);
                         }
-                        if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0) {
+                        if (strncmp(rp, cfg.homedir, strlen(cfg.homedir)) != 0 || rp[strlen(cfg.homedir)] != '/') {
                                 fprintf(stderr, "Error: .asoundrc is a symbolic link pointing to a file outside home directory\n");
                                 exit(1);
                         }
                         free(rp);
                 }
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
+                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
+                FILE *fp = fopen(dest, "we");
+                if (fp) {
+                        fprintf(fp, "\n");
+                        SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
+                        fclose(fp);
+                }
+                else
+                        errExit("fopen");
+                EUID_USER();
+
+                copy_file_as_user(src, dest, 0644); // regular user
                 fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
+                free(src);
                 return 1; // file copied
         }
 
+        free(src);
         return 0;
 }
 
 static void copy_xauthority(void) {
+        EUID_ASSERT();
         // copy XAUTHORITY_FILE in the new home directory
         char *src = RUN_XAUTHORITY_FILE ;
         char *dest;
@@ -185,15 +217,19 @@ static void copy_xauthority(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
+        free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 static void copy_asoundrc(void) {
-        // copy XAUTHORITY_FILE in the new home directory
+        EUID_ASSERT();
+        // copy ASOUNDRC_FILE in the new home directory
         char *src = RUN_ASOUNDRC_FILE ;
         char *dest;
         if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
@@ -205,11 +241,14 @@ static void copy_asoundrc(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
+        free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 // private mode (--private=homedir):
@@ -222,45 +261,86 @@ void fs_private_homedir(void) {
         char *private_homedir = cfg.home_private;
         assert(homedir);
         assert(private_homedir);
+        EUID_ASSERT();
+
+        uid_t u = getuid();
+        // gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        uid_t u = getuid();
-        gid_t g = getgid();
-
         // mount bind private_homedir on top of homedir
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
-        if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
+        // get file descriptors for homedir and private_homedir, fails if there is any symlink
+        int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (src == -1)
+                errExit("opening private directory");
+        int dst = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (dst == -1)
+                errExit("opening home directory");
+        // both mount source and target should be owned by the user
+        struct stat s;
+        if (fstat(src, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != u) {
+                fprintf(stderr, "Error: private directory is not owned by the current user\n");
+                exit(1);
+        }
+        if ((S_IRWXU & s.st_mode) != S_IRWXU)
+                fwarning("no full permissions on private directory\n");
+        if (fstat(dst, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != u) {
+                fprintf(stderr, "Error: cannot mount private directory:\n"
+                        "Home directory is not owned by the current user\n");
+                exit(1);
+        }
+        // mount via the links in /proc/self/fd
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
-        fs_logger3("mount-bind", private_homedir, cfg.homedir);
-        fs_logger2("whitelist", cfg.homedir);
+        EUID_USER();
+
+        // check /proc/self/mountinfo to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        size_t len = strlen(homedir);
+        if (strncmp(mptr->dir, homedir, len) != 0 ||
+           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
+                errLogExit("invalid private mount");
+
+        close(src);
+        close(dst);
+        fs_logger3("mount-bind", private_homedir, homedir);
+        fs_logger2("whitelist", homedir);
 // preserve mode and ownership
 //      if (chown(homedir, s.st_uid, s.st_gid) == -1)
 //              errExit("mount-bind chown");
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
 
+        EUID_ROOT();
         if (u != 0) {
                 // mask /root
                 if (arg_debug)
                         printf("Mounting a new /root directory\n");
-                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
-                        errExit("mounting home directory");
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=700,gid=0") < 0)
+                        errExit("mounting /root directory");
+                selinux_relabel_path("/root", "/root");
                 fs_logger("tmpfs /root");
         }
-        else {
+        if (u == 0 && !arg_allusers) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting home directory");
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                        errExit("mounting /home directory");
+                selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
-
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -275,87 +355,94 @@ void fs_private_homedir(void) {
 void fs_private(void) {
         char *homedir = cfg.homedir;
         assert(homedir);
+        EUID_ASSERT();
+
         uid_t u = getuid();
         gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        // mask /home
-        if (arg_debug)
-                printf("Mounting a new /home directory\n");
-        if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root
-                ;
-        else {
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting home directory");
-                fs_logger("tmpfs /home");
-        }
-
+        EUID_ROOT();
         // mask /root
         if (arg_debug)
                 printf("Mounting a new /root directory\n");
-        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
-                errExit("mounting root directory");
+        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=700,gid=0") < 0)
+                errExit("mounting /root directory");
+        selinux_relabel_path("/root", "/root");
         fs_logger("tmpfs /root");
 
-        if (u != 0) {
-                // create /home/user
+        // mask /home
+        if (!arg_allusers) {
                 if (arg_debug)
-                        printf("Create a new user directory\n");
-                if (mkdir(homedir, S_IRWXU) == -1) {
-                        if (mkpath_as_root(homedir) == -1)
-                                errExit("mkpath");
-                        if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
-                                errExit("mkdir");
+                        printf("Mounting a new /home directory\n");
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                        errExit("mounting /home directory");
+                selinux_relabel_path("/home", "/home");
+                fs_logger("tmpfs /home");
+        }
+
+        if (u != 0) {
+                if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) {
+                        // create new empty /home/user directory
+                        if (arg_debug)
+                                printf("Create a new user directory\n");
+                        if (mkdir(homedir, S_IRWXU) == -1) {
+                                if (mkpath_as_root(homedir) == -1)
+                                        errExit("mkpath");
+                                if (mkdir(homedir, S_IRWXU) == -1)
+                                        errExit("mkdir");
+                        }
+                        if (chown(homedir, u, g) < 0)
+                                errExit("chown");
+
+                        fs_logger2("mkdir", homedir);
+                        fs_logger2("tmpfs", homedir);
                 }
-                if (chown(homedir, u, g) < 0)
-                        errExit("chown");
-                fs_logger2("mkdir", homedir);
+                else
+                        // mask user home directory
+                        // the directory should be owned by the current user
+                        fs_tmpfs(homedir, 1);
+
+                selinux_relabel_path(homedir, homedir);
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
                 copy_asoundrc();
-
 }
 
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void) {
         EUID_ASSERT();
-        invalid_filename(cfg.home_private);
+        invalid_filename(cfg.home_private, 0); // no globbing
 
         // Expand the home directory
-        char *tmp = expand_home(cfg.home_private, cfg.homedir);
+        char *tmp = expand_macros(cfg.home_private);
         cfg.home_private = realpath(tmp, NULL);
         free(tmp);
 
         if (!cfg.home_private
-         || !is_dir(cfg.home_private)
-         || is_link(cfg.home_private)
-         || strstr(cfg.home_private, "..")) {
+         || !is_dir(cfg.home_private)) {
                 fprintf(stderr, "Error: invalid private directory\n");
                 exit(1);
         }
+}
 
-        // check home directory and chroot home directory have the same owner
-        struct stat s2;
-        int rv = stat(cfg.home_private, &s2);
-        if (rv < 0) {
-                fprintf(stderr, "Error: cannot find %s directory\n", cfg.home_private);
-                exit(1);
-        }
+// check new private working directory (--private-cwd= option) - exit if it fails
+void fs_check_private_cwd(const char *dir) {
+        EUID_ASSERT();
+        invalid_filename(dir, 0); // no globbing
 
-        struct stat s1;
-        rv = stat(cfg.homedir, &s1);
-        if (rv < 0) {
-                fprintf(stderr, "Error: cannot find %s directory, full path name required\n", cfg.homedir);
-                exit(1);
-        }
-        if (s1.st_uid != s2.st_uid) {
-                printf("Error: --private directory should be owned by the current user\n");
+        // Expand the working directory
+        cfg.cwd = expand_macros(dir);
+
+        // realpath/is_dir not used because path may not exist outside of jail
+        if (strstr(cfg.cwd, "..")) {
+                fprintf(stderr, "Error: invalid private working directory\n");
                 exit(1);
         }
 }
@@ -364,15 +451,16 @@ void fs_check_private_dir(void) {
 // --private-home
 //***********************************************************************************
 static char *check_dir_or_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
 
         // basic checks
-        invalid_filename(name);
+        invalid_filename(name, 0); // no globbing
         if (arg_debug)
                 printf("Private home: checking %s\n", name);
 
         // expand home directory
-        char *fname = expand_home(name, cfg.homedir);
+        char *fname = expand_macros(name);
         assert(fname);
 
         // If it doesn't start with '/', it must be relative to homedir
@@ -387,6 +475,8 @@ static char *check_dir_or_file(const char *name) {
         // we allow only files in user home directory or symbolic links to files or directories owned by the user
         struct stat s;
         if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) {
+                if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 || fname[strlen(cfg.homedir)] != '/')
+                        goto errexit;
                 if (stat(fname, &s) == 0) {
                         if (s.st_uid != getuid()) {
                                 fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname);
@@ -394,37 +484,35 @@ static char *check_dir_or_file(const char *name) {
                         }
                         return fname;
                 }
-                else {
-                        fprintf(stderr, "Error: invalid file %s\n", name);
-                        exit(1);
-                }
+                else // dangling link
+                        goto errexit;
         }
         else {
-                // check the file is in user home directory, a full home directory is not allowed
+                // check the file is in user home directory
                 char *rname = realpath(fname, NULL);
-                if (!rname ||
-                    strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 ||
-                    strcmp(rname, cfg.homedir) == 0) {
-                        fprintf(stderr, "Error: invalid file %s\n", name);
-                        exit(1);
-                }
-
-                // only top files and directories in user home are allowed
+                if (!rname || strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0)
+                        goto errexit;
+                // a full home directory is not allowed
                 char *ptr = rname + strlen(cfg.homedir);
-                assert(*ptr != '\0');
+                if (*ptr != '/')
+                        goto errexit;
+                // only top files and directories in user home are allowed
                 ptr = strchr(++ptr, '/');
                 if (ptr) {
-                        if (*ptr != '\0') {
-                                fprintf(stderr, "Error: only top files and directories in user home are allowed\n");
-                                exit(1);
-                        }
+                        fprintf(stderr, "Error: only top files and directories in user home are allowed\n");
+                        exit(1);
                 }
                 free(fname);
                 return rname;
         }
+
+errexit:
+        fprintf(stderr, "Error: invalid file %s\n", name);
+        exit(1);
 }
 
 static void duplicate(char *name) {
+        EUID_ASSERT();
         char *fname = check_dir_or_file(name);
 
         if (arg_debug)
@@ -438,14 +526,14 @@ static void duplicate(char *name) {
         }
         else if (S_ISDIR(s.st_mode)) {
                 // create the directory in RUN_HOME_DIR
-                char *name;
+                char *path;
                 char *ptr = strrchr(fname, '/');
                 ptr++;
-                if (asprintf(&name, "%s/%s", RUN_HOME_DIR, ptr) == -1)
+                if (asprintf(&path, "%s/%s", RUN_HOME_DIR, ptr) == -1)
                         errExit("asprintf");
-                mkdir_attr(name, 0755, getuid(), getgid());
-                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, name);
-                free(name);
+                create_empty_dir_as_user(path, 0755);
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, path);
+                free(path);
         }
         else
                 sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, RUN_HOME_DIR);
@@ -466,26 +554,36 @@ void fs_private_home_list(void) {
         char *private_list = cfg.home_private_keep;
         assert(homedir);
         assert(private_list);
+        EUID_ASSERT();
 
-        int xflag = store_xauthority();
-        int aflag = store_asoundrc();
+        timetrace_start();
 
         uid_t uid = getuid();
         gid_t gid = getgid();
 
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
+
         // create /run/firejail/mnt/home directory
+        EUID_ROOT();
         mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
+        selinux_relabel_path(RUN_HOME_DIR, homedir);
+
         fs_logger_print();      // save the current log
+        EUID_USER();
 
+        // copy the list of files in the new home directory
         if (arg_debug)
                 printf("Copying files in the new home:\n");
-
-        // copy the list of files in the new home directory
         char *dlist = strdup(cfg.home_private_keep);
         if (!dlist)
                 errExit("strdup");
 
         char *ptr = strtok(dlist, ",");
+        if (!ptr) {
+                fprintf(stderr, "Error: invalid private-home argument\n");
+                exit(1);
+        }
         duplicate(ptr);
         while ((ptr = strtok(NULL, ",")) != NULL)
                 duplicate(ptr);
@@ -496,27 +594,62 @@ void fs_private_home_list(void) {
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);
 
-        if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        int fd = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("opening home directory");
+        // home directory should be owned by the user
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != uid) {
+                fprintf(stderr, "Error: cannot mount private directory:\n"
+                        "Home directory is not owned by the current user\n");
+                exit(1);
+        }
+        // mount using the file descriptor
+        EUID_ROOT();
+        if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                 errExit("mount bind");
+        EUID_USER();
+        close(fd);
 
+        // check /proc/self/mountinfo to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
+                errLogExit("invalid private-home mount");
+        fs_logger2("tmpfs", homedir);
+
+        EUID_ROOT();
         if (uid != 0) {
                 // mask /root
                 if (arg_debug)
                         printf("Mounting a new /root directory\n");
-                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
-                        errExit("mounting home directory");
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=700,gid=0") < 0)
+                        errExit("mounting /root directory");
+                selinux_relabel_path("/root", "/root");
+                fs_logger("tmpfs /root");
         }
-        else {
+        if (uid == 0 && !arg_allusers) {
                 // mask /home
                 if (arg_debug)
                         printf("Mounting a new /home directory\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting home directory");
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                        errExit("mounting /home directory");
+                selinux_relabel_path("/home", "/home");
+                fs_logger("tmpfs /home");
         }
 
-        skel(homedir, uid, gid);
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
+
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
                 copy_asoundrc();
+
+        if (!arg_quiet)
+                fprintf(stderr, "Home directory installed in %0.2f ms\n", timetrace_end());
 }
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index b22870713..7d320e90b 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -47,11 +47,11 @@ void fs_hostname(const char *hostname) {
                         printf("Creating a new /etc/hosts file\n");
                 // copy /etc/host into our new file, and modify it on the fly
                 /* coverity[toctou] */
-                FILE *fp1 = fopen("/etc/hosts", "r");
+                FILE *fp1 = fopen("/etc/hosts", "re");
                 if (!fp1)
                         goto errexit;
 
-                FILE *fp2 = fopen(RUN_HOSTS_FILE, "w");
+                FILE *fp2 = fopen(RUN_HOSTS_FILE, "we");
                 if (!fp2) {
                         fclose(fp1);
                         goto errexit;
@@ -88,49 +88,10 @@ errexit:
         exit(1);
 }
 
-void fs_resolvconf(void) {
-        if (cfg.dns1 == 0)
-                return;
-
-        struct stat s;
-
-        // create a new /etc/hostname
-        if (stat("/etc/resolv.conf", &s) == 0) {
-                if (arg_debug)
-                        printf("Creating a new /etc/resolv.conf file\n");
-                FILE *fp = fopen(RUN_RESOLVCONF_FILE, "w");
-                if (!fp) {
-                        fprintf(stderr, "Error: cannot create %s\n", RUN_RESOLVCONF_FILE);
-                        exit(1);
-                }
-
-                if (cfg.dns1)
-                        fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
-                if (cfg.dns2)
-                        fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
-                if (cfg.dns3)
-                        fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
-
-                // mode and owner
-                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-
-                fclose(fp);
-
-                // bind-mount the file on top of /etc/hostname
-                if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind /etc/resolv.conf");
-                fs_logger("create /etc/resolv.conf");
-        }
-        else {
-                fprintf(stderr, "Error: cannot set DNS servers, /etc/resolv.conf file is missing\n");
-                exit(1);
-        }
-}
-
 char *fs_check_hosts_file(const char *fname) {
         assert(fname);
-        invalid_filename(fname);
-        char *rv = expand_home(fname, cfg.homedir);
+        invalid_filename(fname, 0); // no globbing
+        char *rv = expand_macros(fname);
 
         // the user has read access to the file
         if (access(rv, R_OK))
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index abd7cee1a..9d7a17cf3 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -16,58 +16,211 @@
  * You should have received a copy of the GNU General Public License along
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
+ */
 #include "firejail.h"
+#include "../include/ldd_utils.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <dirent.h>
-
+#include <fcntl.h>
+#include <errno.h>
+#include <glob.h>
 #define MAXBUF 4096
 
-static const char * const lib_paths[] = {
-        "/lib",
-        "/lib/x86_64-linux-gnu",
+extern void fslib_install_stdc(void);
+extern void fslib_install_firejail(void);
+extern void fslib_install_system(void);
+
+static int lib_cnt = 0;
+static int dir_cnt = 0;
+
+static const char *masked_lib_dirs[] = {
+        "/usr/lib64",
         "/lib64",
         "/usr/lib",
-        "/usr/lib/x86_64-linux-gnu",
-        LIBDIR,
+        "/lib",
+        "/usr/local/lib64",
         "/usr/local/lib",
-        NULL
-}; // Note: this array is duplicated in src/fldd/main.c
+        NULL,
+};
 
-static void duplicate(const char *fname, const char *private_run_dir) {
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+
+        int i = 0;
+        while (masked_lib_dirs[i]) {
+                size_t len = strlen(masked_lib_dirs[i]);
+                if (strncmp(full_path, masked_lib_dirs[i], len) == 0 &&
+                    full_path[len] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
+
+char *find_in_path(const char *program) {
+        EUID_ASSERT();
         if (arg_debug)
-                printf("copying %s to private %s\n", fname, private_run_dir);
+                printf("Searching $PATH for %s\n", program);
+
+        char self[MAXBUF];
+        ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1);
+        if (len < 0)
+                errExit("readlink");
+        self[len] = '\0';
+
+        const char *path = env_get("PATH");
+        if (!path)
+                return NULL;
+
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
+        char *tok = strtok(dup, ":");
+        while (tok) {
+                char *fname;
+                if (asprintf(&fname, "%s/%s", tok, program) == -1)
+                        errExit("asprintf");
 
-        // copy only root-owned files
-        struct stat s;
-        if (stat(fname, &s) == 0 && s.st_uid == 0)
-                sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", fname, private_run_dir);
+                if (arg_debug)
+                        printf("trying #%s#\n", fname);
+                struct stat s;
+                if (stat(fname, &s) == 0) {
+                        // but skip links created by firecfg
+                        char *rp = realpath(fname, NULL);
+                        if (!rp)
+                                errExit("realpath");
+                        if (strcmp(self, rp) != 0) {
+                                free(rp);
+                                free(dup);
+                                return fname;
+                        }
+                        free(rp);
+                }
+                free(fname);
+                tok = strtok(NULL, ":");
+        }
+
+        free(dup);
+        return NULL;
+}
+
+static char *build_dest_dir(const char *full_path) {
+        assert(full_path);
+        if (strstr(full_path, "/x86_64-linux-gnu/"))
+                return RUN_LIB_DIR "/x86_64-linux-gnu";
+        return RUN_LIB_DIR;
+}
+
+// return name of mount target in allocated memory
+static char *build_dest_name(const char *full_path) {
+        assert(full_path);
+        char *fname = strrchr(full_path, '/');
+        assert(fname);
+        fname++;
+        // no trailing slash or dot
+        assert(fname[0] != '\0' && (fname[0] != '.' || fname[1] != '\0'));
+
+        char *dest;
+        if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), fname) == -1)
+                errExit("asprintf");
+        return dest;
 }
 
+static void fslib_mount_dir(const char *full_path) {
+        // create new directory and mount the original on top of it
+        char *dest = build_dest_name(full_path);
+        if (mkdir(dest, 0755) == -1) {
+                if (errno == EEXIST) { // directory has been mounted already, nothing to do
+                        free(dest);
+                        return;
+                }
+                errExit("mkdir");
+        }
+
+        if (arg_debug || arg_debug_private_lib)
+                printf("    mounting %s on %s\n", full_path, dest);
+        // if full_path is a symbolic link, mount will follow it
+        if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        free(dest);
+        dir_cnt++;
+}
+
+static void fslib_mount_file(const char *full_path) {
+        // create new file and mount the original on top of it
+        char *dest = build_dest_name(full_path);
+        int fd = open(dest, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (fd == -1) {
+                if (errno == EEXIST) { // file has been mounted already, nothing to do
+                        free(dest);
+                        return;
+                }
+                errExit("open");
+        }
+        close(fd);
+
+        if (arg_debug || arg_debug_private_lib)
+                printf("    mounting %s on %s\n", full_path, dest);
+        // if full_path is a symbolic link, mount will follow it
+        if (mount(full_path, dest, NULL, MS_BIND, NULL) < 0)
+                errExit("mount bind");
+        free(dest);
+        lib_cnt++;
+}
+
+void fslib_mount(const char *full_path) {
+        assert(full_path);
+        struct stat s;
+
+        if (*full_path == '\0' ||
+            !valid_full_path(full_path) ||
+            stat_as_user(full_path, &s) != 0 ||
+            s.st_uid != 0)
+                return;
+
+        if (S_ISDIR(s.st_mode))
+                fslib_mount_dir(full_path);
+        else if (S_ISREG(s.st_mode) && is_lib_64(full_path))
+                fslib_mount_file(full_path);
+}
 
 // requires full path for lib
-static void copy_libs(const char *lib, const char *private_run_dir, const char *output_file) {
+// it could be a library or an executable
+// lib is not copied, only libraries used by it
+void fslib_mount_libs(const char *full_path, unsigned user) {
+        assert(full_path);
         // if library/executable does not exist or the user does not have read access to it
         // print a warning and exit the function.
-        if (access(lib, R_OK)) {
-                fwarning("cannot find %s for private-lib, skipping...\n", lib);
+        if (user && access(full_path, R_OK)) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Cannot read %s, skipping...\n", full_path);
                 return;
         }
 
+        if (arg_debug || arg_debug_private_lib)
+                printf("    fslib_mount_libs %s\n", full_path);
         // create an empty RUN_LIB_FILE and allow the user to write to it
-        unlink(output_file); // in case is there
-        create_empty_file_as_root(output_file, 0644);
-        if (chown(output_file, getuid(), getgid()))
+        unlink(RUN_LIB_FILE);                     // in case is there
+        create_empty_file_as_root(RUN_LIB_FILE, 0644);
+        if (user && chown(RUN_LIB_FILE, getuid(), getgid()))
                 errExit("chown");
-                
-        // run fldd to extact the list of file
-        sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, lib, output_file);
-        
+
+        // run fldd to extract the list of files
+        if (arg_debug || arg_debug_private_lib)
+                printf("    running fldd %s as %s\n", full_path, user ? "user" : "root");
+        unsigned mask;
+        if (user)
+                mask = SBOX_USER;
+        else
+                mask = SBOX_ROOT;
+        sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
+
         // open the list of libraries and install them on by one
-        FILE *fp = fopen(output_file, "r");
+        FILE *fp = fopen(RUN_LIB_FILE, "re");
         if (!fp)
                 errExit("fopen");
 
@@ -77,141 +230,145 @@ static void copy_libs(const char *lib, const char *private_run_dir, const char *
                 char *ptr = strchr(buf, '\n');
                 if (ptr)
                         *ptr = '\0';
-                duplicate(buf, private_run_dir);
+
+                trim_trailing_slash_or_dot(buf);
+                fslib_mount(buf);
         }
         fclose(fp);
+        unlink(RUN_LIB_FILE);
 }
 
-static void copy_directory(const char *full_path, const char *dir_name, const char *private_run_dir) {
-        char *dest;
-        if (asprintf(&dest, "%s/%s", private_run_dir, dir_name) == -1)
-                errExit("asprintf");
+// fname should be a full path at this point
+static void load_library(const char *fname) {
+        assert(fname);
+        assert(*fname == '/');
 
-        // do nothing if the directory is already there
+        // existing file owned by root
         struct stat s;
-        if (stat(dest, &s) == 0) {
-                free(dest);
-                return;
+        if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) {
+                // load directories, regular 64 bit libraries, and 64 bit executables
+                if (S_ISDIR(s.st_mode))
+                        fslib_mount(fname);
+                else if (S_ISREG(s.st_mode) && is_lib_64(fname)) {
+                        if (strstr(fname, ".so") ||
+                            access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries
+                                fslib_mount(fname);
+
+                        fslib_mount_libs(fname, 1); // parse as user
+                }
         }
-
-        // create new directory and mount the original on top of it
-        mkdir_attr(dest, 0755, 0, 0);
-
-        if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-            mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        fs_logger2("clone", full_path);
-        fs_logger2("mount", full_path);
-        free(dest);
 }
 
-// return 1 if the file is valid
-static char *valid_file(const char *lib) {
+static void install_list_entry(const char *lib) {
+        assert(lib);
+
         // filename check
         int len = strlen(lib);
-        if (strcspn(lib, "\\&!?\"'<>%^(){}[];,*") != (size_t)len ||
-            strstr(lib, "..")) {
+        if (strcspn(lib, "\\&!?\"'<>%^(){}[];,") != (size_t)len ||
+        strstr(lib, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid library\n", lib);
                 exit(1);
         }
-        
+
+        // if this is a full path, use it as is
+        if (*lib == '/')
+                return load_library(lib);
+
+
         // find the library
         int i;
-        for (i = 0; lib_paths[i]; i++) {
-                char *fname;
-                if (asprintf(&fname, "%s/%s", lib_paths[i], lib) == -1)
+        for (i = 0; default_lib_paths[i]; i++) {
+                char *fname = NULL;
+                if (asprintf(&fname, "%s/%s", default_lib_paths[i], lib) == -1)
                         errExit("asprintf");
-                
-                // existing file owned by root
-                struct stat s;
-                if (stat(fname, &s) == 0 && s.st_uid == 0) {
-                        return fname;
+
+#define DO_GLOBBING
+#ifdef DO_GLOBBING
+                // globbing
+                EUID_USER();
+                glob_t globbuf;
+                int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+                if (globerr) {
+                        fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname);
+                        exit(1);
                 }
+                EUID_ROOT();
+                size_t j;
+                for (j = 0; j < globbuf.gl_pathc; j++) {
+                        assert(globbuf.gl_pathv[j]);
+//printf("glob %s\n", globbuf.gl_pathv[j]);
+                        // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway
+
+                        // foobar/* expands to foobar/. and foobar/..
+                        const char *base = gnu_basename(globbuf.gl_pathv[j]);
+                        if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
+                                continue;
+                        load_library(globbuf.gl_pathv[j]);
+                }
+
+                globfree(&globbuf);
+#else
+                load_library(fname);
+#endif
                 free(fname);
         }
 
-        fwarning("%s library not found, skipping...\n", lib);   
-        return NULL;
+//      fwarning("%s library not found, skipping...\n", lib);
+        return;
 }
 
-// standard libc libraries based on Debian's libc6 package
-// selinux seems to be linked in most command line utilities
-// locale (/usr/lib/locale) - without it, the program will default to "C" locale
-typedef struct liblist_t {
-        const char *name;
-        int len;
-} LibList;
-
-static LibList libc_list[] = {
-//      { "locale", 0 },   hardcoded!
-        { "libselinux.so.", 0 },
-        { "ld-linux-x86-64.so.", 0 },
-        { "libanl.so.", 0 },
-        { "libc.so.", 0 },
-        { "libcidn.so.", 0 },
-        { "libcrypt.so.", 0 },
-        { "libdl.so.", 0 },
-        { "libm.so.", 0 },
-        { "libmemusage.so", 0 },
-        { "libmvec.so.", 0 },
-        { "libnsl.so.", 0 },
-        { "libnss_compat.so.", 0 },
-        { "libnss_dns.so.", 0 },
-        { "libnss_files.so.", 0 },
-        { "libnss_hesiod.so.", 0 },
-        { "libnss_nisplus.so.", 0 },
-        { "libnss_nis.so.", 0 },
-        { "libpthread.so.", 0 },
-        { "libresolv.so.", 0 },
-        { "librt.so.", 0 },
-        { "libthread_db.so.", 0 },
-        { "libutil.so.", 0 },
-        { NULL, 0}
-};
+void fslib_install_list(const char *lib_list) {
+        assert(lib_list);
+        if (arg_debug || arg_debug_private_lib)
+                printf("    fslib_install_list  %s\n", lib_list);
 
-static int find(const char *name) {
-        assert(name);
+        char *dlist = strdup(lib_list);
+        if (!dlist)
+                errExit("strdup");
 
-        int i = 0;
-        while (libc_list[i].name) {
-                if (libc_list[i].len == 0)
-                        libc_list[i].len = strlen(libc_list[i].name);
-                if (strncmp(name, libc_list[i].name, libc_list[i].len) == 0)
-                        return 1;
-                i++;
+        char *ptr = strtok(dlist, ",");
+        if (!ptr) {
+                fprintf(stderr, "Error: invalid private-lib argument\n");
+                exit(1);
         }
-        return 0;
+        trim_trailing_slash_or_dot(ptr);
+        install_list_entry(ptr);
+
+        while ((ptr = strtok(NULL, ",")) != NULL) {
+                trim_trailing_slash_or_dot(ptr);
+                install_list_entry(ptr);
+        }
+        free(dlist);
+        fs_logger_print();
 }
 
-// compare the files in dirname against liblist above
-static void walk_directory(const char *dirname, const char *destdir) {
-        assert(dirname);
-        assert(destdir);
+static void mount_directories(void) {
+        fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself
 
-        DIR *dir = opendir(dirname);
-        if (dir) {
-                struct dirent *entry;
-                while ((entry = readdir(dir)) != NULL) {
-                        if (strcmp(entry->d_name, ".") == 0)
-                                continue;
-                        if (strcmp(entry->d_name, "..") == 0)
-                                continue;
-                        
-                        if (find(entry->d_name)) {
-                                char *fname;
-                                if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
-                                        errExit("asprintf");
-
-                                if (is_dir(fname))
-                                        copy_directory(fname, entry->d_name, RUN_LIB_DIR);
-                                else
-                                        duplicate(fname, destdir);
-                        }
+        int i = 0;
+        while (masked_lib_dirs[i]) {
+                if (is_dir(masked_lib_dirs[i])) {
+                        if (arg_debug || arg_debug_private_lib)
+                                printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, masked_lib_dirs[i]);
+                        if (mount(RUN_LIB_DIR, masked_lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        fs_logger2("tmpfs", masked_lib_dirs[i]);
+                        fs_logger2("mount", masked_lib_dirs[i]);
                 }
-                closedir(dir);
+                i++;
+        }
+
+        // for amd64 only - we'll deal with i386 later
+        if (is_dir("/lib32")) {
+                if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0)
+                        errExit("disable file");
+                fs_logger("blacklist-nolog /lib32");
+        }
+        if (is_dir("/libx32")) {
+                if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0)
+                        errExit("disable file");
+                fs_logger("blacklist-nolog /libx32");
         }
-        else
-                fprintf(stderr, "Error: cannot open %s in order to set --private-lib\n", dirname);
 }
 
 void fs_private_lib(void) {
@@ -219,130 +376,80 @@ void fs_private_lib(void) {
         fwarning("private-lib feature is currently available only on amd64 platforms\n");
         return;
 #endif
-
         char *private_list = cfg.lib_private_keep;
-        if (arg_debug)
+        if (arg_debug || arg_debug_private_lib)
                 printf("Starting private-lib processing: program %s, shell %s\n",
                         (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none",
-                        (arg_shell_none)? "none": cfg.shell);
+                (arg_shell_none)? "none": cfg.shell);
 
         // create /run/firejail/mnt/lib directory
         mkdir_attr(RUN_LIB_DIR, 0755, 0, 0);
+        selinux_relabel_path(RUN_LIB_DIR, "/usr/lib");
 
-        struct stat s;
-        if (stat("/lib/x86_64-linux-gnu", &s) == 0) {
-                mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
-                walk_directory("/lib/x86_64-linux-gnu", RUN_LIB_DIR "/x86_64-linux-gnu");
-        }
-        if (stat("/usr/lib/locale", &s) == 0)
-                copy_directory("/usr/lib/locale", "locale", RUN_LIB_DIR);
+        // install standard C libraries
+        if (arg_debug || arg_debug_private_lib)
+                printf("Installing standard C library\n");
+        fslib_install_stdc();
+
+        // install other libraries needed by firejail
+        if (arg_debug || arg_debug_private_lib)
+                printf("Installing Firejail libraries\n");
+        fslib_install_firejail();
+
+        // start timetrace
+        timetrace_start();
 
         // copy the libs in the new lib directory for the main exe
-        if (cfg.original_program_index > 0)
-                copy_libs(cfg.original_argv[cfg.original_program_index], RUN_LIB_DIR, RUN_LIB_FILE);
+        if (cfg.original_program_index > 0) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Installing sandboxed program libraries\n");
+
+                if (strchr(cfg.original_argv[cfg.original_program_index], '/'))
+                        fslib_install_list(cfg.original_argv[cfg.original_program_index]);
+                else { // search executable in $PATH
+                        EUID_USER();
+                        char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]);
+                        EUID_ROOT();
+                        if (fname) {
+                                fslib_install_list(fname);
+                                free(fname);
+                        }
+                }
+        }
 
         // for the shell
         if (!arg_shell_none) {
-                copy_libs(cfg.shell, RUN_LIB_DIR, RUN_LIB_FILE);
-                // a shell is useless without ls command
-                copy_libs("/bin/ls", RUN_LIB_DIR, RUN_LIB_FILE);
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Installing shell libraries\n");
+
+                fslib_install_list(cfg.shell);
+                // a shell is useless without some basic commands
+                fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm");
         }
 
-        // for the listed libs
+        // for the listed libs and directories
         if (private_list && *private_list != '\0') {
-                if (arg_debug)
-                        printf("Copying extra files (%s) in the new lib directory:\n", private_list);
-
-                char *dlist = strdup(private_list);
-                if (!dlist)
-                        errExit("strdup");
-
-                char *ptr = strtok(dlist, ",");
-                char *lib = valid_file(ptr);
-                if (lib) {
-                        if (is_dir(lib))
-                                copy_directory(lib, ptr, RUN_LIB_DIR);
-                        else {
-                                duplicate(lib, RUN_LIB_DIR);
-                                copy_libs(lib, RUN_LIB_DIR, RUN_LIB_FILE);
-                        }
-                        free(lib);
-                }
-
-                while ((ptr = strtok(NULL, ",")) != NULL) {
-                        lib = valid_file(ptr);
-                        if (lib) {
-                                if (is_dir(lib))
-                                        copy_directory(lib, ptr, RUN_LIB_DIR);
-                                else {
-                                        duplicate(lib, RUN_LIB_DIR);
-                                        copy_libs(lib, RUN_LIB_DIR, RUN_LIB_FILE);
-                                }
-                                free(lib);
-                        }
-                }
-                free(dlist);
-                fs_logger_print();
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Processing private-lib files\n");
+                fslib_install_list(private_list);
         }
 
         // for private-bin files
-        if (arg_private_bin) {
-                FILE *fp = fopen(RUN_LIB_BIN, "r");
-                if (fp) {
-                        char buf[MAXBUF];
-                        while (fgets(buf, MAXBUF, fp)) {
-                                // remove \n
-                                char *ptr = strchr(buf, '\n');
-                                if (ptr)
-                                        *ptr = '\0';
-                                copy_libs(buf, RUN_LIB_DIR, RUN_LIB_FILE);
-                        }
-                }
-                fclose(fp);
+        if (arg_private_bin && cfg.bin_private_lib && *cfg.bin_private_lib != '\0') {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Processing private-bin files\n");
+                fslib_install_list(cfg.bin_private_lib);
         }
+        fmessage("Program libraries installed in %0.2f ms\n", timetrace_end());
 
-        // for our trace and tracelog libs
-        if (arg_trace)
-                duplicate(LIBDIR "/firejail/libtrace.so", RUN_LIB_DIR);
-        else if (arg_tracelog)
-                duplicate(LIBDIR "/firejail/libtracelog.so", RUN_LIB_DIR);
+        // install the rest of the system libraries
+        if (arg_debug || arg_debug_private_lib)
+                printf("Installing system libraries\n");
+        fslib_install_system();
 
-        if (arg_debug)
-                printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
-
-    if (is_dir("/lib")) {
-        if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-            errExit("mount bind");
-        fs_logger2("tmpfs", "/lib");
-            fs_logger("mount /lib");
-    }
-
-    if (is_dir("/lib64")) {     
-        if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-            mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        fs_logger2("tmpfs", "/lib64");
-        fs_logger("mount /lib64");
-    }
-
-    if (is_dir("/usr/lib")) {
-        if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-            errExit("mount bind");
-       fs_logger2("tmpfs", "/usr/lib");
-        fs_logger("mount /usr/lib");
-    }
+        fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
+                dir_cnt, (dir_cnt == 1)? "directory": "directories");
 
-        // for amd64 only - we'll deal with i386 later
-    if (is_dir("/lib32")) {
-        if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0)
-                errExit("disable file");
-        fs_logger("blacklist-nolog /lib32");
-    }
-    if (is_dir("/libx32")) {
-        if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0)
-                errExit("disable file");
-            fs_logger("blacklist-nolog /libx32");
-    }
+        // mount lib filesystem
+        mount_directories();
 }
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
new file mode 100644
index 000000000..c69bf7c98
--- /dev/null
+++ b/src/firejail/fs_lib2.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <dirent.h>
+#include <sys/stat.h>
+
+extern void fslib_mount_libs(const char *full_path, unsigned user);
+extern void fslib_mount(const char *full_path);
+
+//***************************************************************
+// Standard C library
+//***************************************************************
+// standard libc libraries based on Debian's libc6 package
+// selinux seems to be linked in most command line utilities
+// libpcre2 is a dependency of selinux
+// locale (/usr/lib/locale) - without it, the program will default to "C" locale
+typedef struct liblist_t {
+        const char *name;
+        int len;
+} LibList;
+
+static LibList libc_list[] = {
+        { "libselinux.so.", 0 },
+        { "libpcre2-8.so.", 0 },
+        { "libapparmor.so.", 0},
+        { "ld-linux-x86-64.so.", 0 },
+        { "libanl.so.", 0 },
+        { "libc.so.", 0 },
+        { "libcidn.so.", 0 },
+        { "libcrypt.so.", 0 },
+        { "libdl.so.", 0 },
+        { "libm.so.", 0 },
+        { "libmemusage.so", 0 },
+        { "libmvec.so.", 0 },
+        { "libnsl.so.", 0 },
+        { "libnss_compat.so.", 0 },
+        { "libnss_dns.so.", 0 },
+        { "libnss_files.so.", 0 },
+        { "libnss_hesiod.so.", 0 },
+        { "libnss_nisplus.so.", 0 },
+        { "libnss_nis.so.", 0 },
+        { "libpthread.so.", 0 },
+        { "libresolv.so.", 0 },
+        { "librt.so.", 0 },
+        { "libthread_db.so.", 0 },
+        { "libutil.so.", 0 },
+        { NULL, 0}
+};
+
+static int find_libc_list(const char *name) {
+        assert(name);
+
+        int i = 0;
+        while (libc_list[i].name) {
+                if (libc_list[i].len == 0)
+                        libc_list[i].len = strlen(libc_list[i].name);
+                if (strncmp(name, libc_list[i].name, libc_list[i].len) == 0)
+                        return 1;
+                i++;
+        }
+        return 0;
+}
+
+// compare the files in dirname against liblist above
+static void stdc(const char *dirname) {
+        assert(dirname);
+
+        DIR *dir = opendir(dirname);
+        if (dir) {
+                struct dirent *entry;
+                while ((entry = readdir(dir)) != NULL) {
+                        if (strcmp(entry->d_name, ".") == 0)
+                                continue;
+                        if (strcmp(entry->d_name, "..") == 0)
+                                continue;
+
+                        if (find_libc_list(entry->d_name)) {
+                                char *fname;
+                                if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
+                                        errExit("asprintf");
+
+                                fslib_mount(fname);
+                                free(fname);
+                        }
+                }
+                closedir(dir);
+        }
+}
+
+void fslib_install_stdc(void) {
+        // install standard C libraries
+        timetrace_start();
+        struct stat s;
+        if (stat("/lib/x86_64-linux-gnu", &s) == 0) {   // Debian & friends
+                mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
+                selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu");
+                stdc("/lib/x86_64-linux-gnu");
+        }
+
+        stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends
+
+        // install locale
+        if (stat("/usr/lib/locale", &s) == 0)
+                fslib_mount("/usr/lib/locale");
+
+        fmessage("Standard C library installed in %0.2f ms\n", timetrace_end());
+}
+
+//***************************************************************
+// Firejail libraries
+//***************************************************************
+
+static void fdir(void) {
+        // firejail directory itself
+        fslib_mount(LIBDIR "/firejail");
+
+        // executables and libraries from firejail directory
+        static const char * const fbin[] = {
+                PATH_FCOPY, // currently sufficient to find all needed libraries
+                // PATH_FSECCOMP,
+                // PATH_FSEC_OPTIMIZE,
+                // PATH_FSEC_PRINT,
+                // RUN_FIREJAIL_LIB_DIR "/libtrace.so",
+                // RUN_FIREJAIL_LIB_DIR "/libtracelog.so",
+                // RUN_FIREJAIL_LIB_DIR "/libpostexecseccomp.so",
+                NULL,
+        };
+
+        // need to parse as root user, unprivileged users have no read permission on executables
+        int i;
+        for (i = 0; fbin[i]; i++)
+                fslib_mount_libs(fbin[i], 0);
+}
+
+void fslib_install_firejail(void) {
+        timetrace_start();
+        // bring in firejail executable libraries, in case we are redirected here
+        // by a firejail symlink from /usr/local/bin/firejail
+        fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
+
+        // bring in firejail directory
+        fdir();
+
+        // bring in dhclient libraries
+        if (any_dhcp())
+                fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
+
+        // bring in xauth libraries
+        if (arg_x11_xorg)
+                fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
+
+        fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+}
+
+//***************************************************************
+// various system libraries
+//***************************************************************
+
+// look for library in the new filesystem, and install one or two more directories, dir1 and dir2
+typedef struct syslib_t {
+        const char *library;    // look in the system for this library
+        int len;                        // length of library string, 0 by default
+        int found;              // library found, 0 by default
+        const char *dir1;               // directory to install
+        const char *dir2;               // directory to install
+        const char *message;    // message to print on the screen
+} SysLib;
+
+SysLib syslibs[] = {
+#if 0
+        {
+                "",     // library
+                0, 0,   // len and found flag
+                "",     // dir1
+                "",     // dir2
+                ""      // message
+        },
+#endif
+        { // pixmaps - libraries used by GTK to display application menu icons
+                "libgdk_pixbuf-2.0",    // library
+                0, 0,   // len and found flag
+                "gdk-pixbuf-2.0",       // dir1
+                "",     // dir2
+                "GdkPixbuf"     // message
+        },
+        { // GTK2
+                "libgtk-x11-2.0",       // library
+                0, 0,   // len and found flag
+                "gtk-2.0",      // dir1
+                "libgtk2.0-0",  // dir2
+                "GTK2"  // message
+        },
+        { // GTK3
+                "libgtk-3",     // library
+                0, 0,   // len and found flag
+                "gtk-3.0",      // dir1
+                "libgtk-3-0",   // dir2
+                "GTK3"  // message
+        },
+        { // Pango - text internationalization, found on older GTK2-based systems
+                "libpango",     // library
+                0, 0,   // len and found flag
+                "pango",        // dir1
+                "",     // dir2
+                "Pango" // message
+        },
+        { // Library for handling GObject introspection data on GTK systems
+                "libgirepository-1.0",  // library
+                0, 0,   // len and found flag
+                "girepository-1.0",     // dir1
+                "",     // dir2
+                "GIRepository"  // message
+        },
+        { // GIO
+                "libgio",       // library
+                0, 0,   // len and found flag
+                "gio",  // dir1
+                "",     // dir2
+                "GIO"   // message
+        },
+        { // Enchant speller
+                "libenchant.so.",       // library
+                0, 0,   // len and found flag
+                "enchant",      // dir1
+                "",     // dir2
+                "Enchant (speller)"     // message
+        },
+        { // Qt5 - lots of problems on Arch Linux, Qt5 version 5.9.1 - disabled in all apps profiles
+                "libQt5",       // library
+                0, 0,   // len and found flag
+                "qt5",  // dir1
+                "gdk-pixbuf-2.0",       // dir2
+                "Qt5, GdkPixbuf"        // message
+        },
+        { // Qt4
+                "libQtCore",    // library
+                0, 0,   // len and found flag
+                "qt4",  // dir1
+                "gdk-pixbuf-2.0",       // dir2
+                "Qt4"   // message
+        },
+
+        { // NULL terminated list
+                NULL,   // library
+                0, 0,   // len and found flag
+                "",     // dir1
+                "",     // dir2
+                ""      // message
+        }
+};
+
+void fslib_install_system(void) {
+        // look for installed libraries
+        DIR *dir = opendir(RUN_LIB_DIR "/x86_64-linux-gnu");
+        if (!dir)
+                dir = opendir(RUN_LIB_DIR);
+
+        if (dir) {
+                struct dirent *entry;
+                while ((entry = readdir(dir)) != NULL) {
+                        if (strcmp(entry->d_name, ".") == 0)
+                                continue;
+                        if (strcmp(entry->d_name, "..") == 0)
+                                continue;
+
+                        SysLib *ptr = &syslibs[0];
+                        while (ptr->library) {
+                                if (ptr->len == 0)
+                                        ptr->len = strlen(ptr->library);
+
+                                if (strncmp(entry->d_name, ptr->library, ptr->len) == 0) {
+                                        ptr->found = 1;
+                                        break;
+                                }
+
+                                ptr++;
+                        }
+
+                }
+                closedir(dir);
+        }
+        else
+                assert(0);
+
+        // install required directories
+        SysLib *ptr = &syslibs[0];
+        while (ptr->library) {
+                if (ptr->found) {
+                        assert(*ptr->message != '\0');
+                        timetrace_start();
+
+                        // bring in all libraries
+                        assert(ptr->dir1);
+                        char *name;
+                        // Debian & friends
+                        if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1)
+                                errExit("asprintf");
+                        if (access(name, R_OK) == 0) {
+                                fslib_mount_libs(name, 1); // parse as user
+                                fslib_mount(name);
+                        }
+                        else {
+                                free(name);
+                                // CentOS, Fedora, Arch
+                                if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1)
+                                        errExit("asprintf");
+                                if (access(name, R_OK) == 0) {
+                                        fslib_mount_libs(name, 1); // parse as user
+                                        fslib_mount(name);
+                                }
+                        }
+                        free(name);
+
+                        if (*ptr->dir2 != '\0') {
+                                // Debian & friends
+                                if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1)
+                                        errExit("asprintf");
+                                if (access(name, R_OK) == 0) {
+                                        fslib_mount_libs(name, 1); // parse as user
+                                        fslib_mount(name);
+                                }
+                                else {
+                                        free(name);
+                                        // CentOS, Fedora, Arch
+                                        if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1)
+                                                errExit("asprintf");
+                                        if (access(name, R_OK) == 0) {
+                                                fslib_mount_libs(name, 1); // parse as user
+                                                fslib_mount(name);
+                                        }
+                                }
+                                free(name);
+                        }
+
+                        fmessage("%s installed in %0.2f ms\n", ptr->message, timetrace_end());
+                }
+                ptr++;
+        }
+}
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 354e720a1..604e297b1 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -92,7 +92,7 @@ void fs_logger_print(void) {
         if (!head)
                 return;
 
-        FILE *fp = fopen(RUN_FSLOGGER_FILE, "a");
+        FILE *fp = fopen(RUN_FSLOGGER_FILE, "ae");
         if (!fp) {
                 perror("fopen");
                 return;
@@ -120,29 +120,11 @@ void fs_logger_change_owner(void) {
 void fs_logger_print_log(pid_t pid) {
         EUID_ASSERT();
 
-        // if the pid is that of a firejail  process, use the pid of the first child process
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                        }
-                }
-                free(comm);
-        }
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
 
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         // print RUN_FSLOGGER_FILE
         char *fname;
@@ -150,24 +132,16 @@ void fs_logger_print_log(pid_t pid) {
                 errExit("asprintf");
 
         EUID_ROOT();
-        struct stat s;
-        if (stat(fname, &s) == -1) {
-                fprintf(stderr, "Error: Cannot access filesystem log\n");
-                exit(1);
-        }
-
-        /* coverity[toctou] */
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
+        free(fname);
         if (!fp) {
                 fprintf(stderr, "Error: Cannot open filesystem log\n");
                 exit(1);
         }
-
         char buf[MAXBUF];
         while (fgets(buf, MAXBUF, fp))
                 printf("%s", buf);
         fclose(fp);
-        free(fname);
 
         exit(0);
 }
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 20ffe825a..4983db0a0 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -25,12 +26,27 @@
 #include <sys/wait.h>
 #include <string.h>
 
+static void check(const char *fname) {
+        // manufacture /run/user directory
+        char *runuser;
+        if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+                errExit("asprintf");
+
+        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+            strncmp(fname, "/tmp", 4) != 0 &&
+            strncmp(fname, runuser, strlen(runuser)) != 0) {
+                fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+                exit(1);
+        }
+        free(runuser);
+}
+
 static void mkdir_recursive(char *path) {
         char *subdir = NULL;
         struct stat s;
 
         if (chdir("/")) {
-                fprintf(stderr, "Error: can't chdir to /");
+                fprintf(stderr, "Error: can't chdir to /\n");
                 return;
         }
 
@@ -47,7 +63,7 @@ static void mkdir_recursive(char *path) {
                         return;
                 }
                 if (chdir(subdir)) {
-                        fprintf(stderr, "Error: can't chdir to %s", subdir);
+                        fprintf(stderr, "Error: can't chdir to %s\n", subdir);
                         return;
                 }
 
@@ -59,13 +75,9 @@ void fs_mkdir(const char *name) {
         EUID_ASSERT();
 
         // check directory name
-        invalid_filename(name);
-        char *expanded = expand_home(name, cfg.homedir);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-                exit(1);
-        }
+        invalid_filename(name, 0); // no globbing
+        char *expanded = expand_macros(name);
+        check(expanded); // will exit if wrong path
 
         struct stat s;
         if (stat(expanded, &s) == 0) {
@@ -83,9 +95,9 @@ void fs_mkdir(const char *name) {
 
                 // create directory
                 mkdir_recursive(expanded);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -99,13 +111,9 @@ void fs_mkfile(const char *name) {
         EUID_ASSERT();
 
         // check file name
-        invalid_filename(name);
-        char *expanded = expand_home(name, cfg.homedir);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-                exit(1);
-        }
+        invalid_filename(name, 0); // no globbing
+        char *expanded = expand_macros(name);
+        check(expanded); // will exit if wrong path
 
         struct stat s;
         if (stat(expanded, &s) == 0) {
@@ -114,7 +122,7 @@ void fs_mkfile(const char *name) {
         }
 
         // create file
-        touch_file_as_user(expanded, getuid(), getgid(), 0600);
+        touch_file_as_user(expanded, 0600);
 
 doexit:
         free(expanded);
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index c87d29b5c..475a391ec 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -33,8 +33,7 @@ void fs_trace_preload(void) {
         if (stat("/etc/ld.so.preload", &s)) {
                 if (arg_debug)
                         printf("Creating an empty /etc/ld.so.preload file\n");
-                /* coverity[toctou] */
-                FILE *fp = fopen("/etc/ld.so.preload", "w");
+                FILE *fp = fopen("/etc/ld.so.preload", "wxe");
                 if (!fp)
                         errExit("fopen");
                 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
@@ -43,30 +42,62 @@ void fs_trace_preload(void) {
         }
 }
 
+void fs_tracefile(void) {
+        // create a bind mounted trace logfile that the sandbox can see
+        if (arg_debug)
+                printf("Creating an empty trace log file: %s\n", arg_tracefile);
+        EUID_USER();
+        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        if (fd == -1) {
+                perror("open");
+                fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
+                exit(1);
+        }
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                fprintf(stderr, "Error: cannot write trace log: %s is no regular file\n", arg_tracefile);
+                exit(1);
+        }
+        if (ftruncate(fd, 0) == -1)
+                errExit("ftruncate");
+        EUID_ROOT();
+        FILE *fp = fopen(RUN_TRACE_FILE, "we");
+        if (!fp)
+                errExit("fopen " RUN_TRACE_FILE);
+        fclose(fp);
+        fs_logger2("touch", arg_tracefile);
+        // mount using the symbolic link in /proc/self/fd
+        if (arg_debug)
+                printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
+        if (bind_mount_fd_to_path(fd, RUN_TRACE_FILE))
+                errExit("mount bind " RUN_TRACE_FILE);
+        close(fd);
+        // now that RUN_TRACE_FILE is user-writable, mount it noexec
+        fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0);
+}
+
 void fs_trace(void) {
         // create the new ld.so.preload file and mount-bind it
         if (arg_debug)
                 printf("Create the new ld.so.preload file\n");
 
-        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
+        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we");
         if (!fp)
                 errExit("fopen");
-        const char *prefix = LIBDIR "/firejail";
-        if (arg_private_lib)
-                prefix = RUN_LIB_DIR;
+        const char *prefix = RUN_FIREJAIL_LIB_DIR;
 
         if (arg_trace) {
                 fprintf(fp, "%s/libtrace.so\n", prefix);
         }
         else if (arg_tracelog) {
                 fprintf(fp, "%s/libtracelog.so\n", prefix);
-                if (!arg_quiet)
-                        printf("Blacklist violations are logged to syslog\n");
+                fmessage("Blacklist violations are logged to syslog\n");
         }
         if (arg_seccomp_postexec) {
                 fprintf(fp, "%s/libpostexecseccomp.so\n", prefix);
-                if (!arg_quiet)
-                        printf("Post-exec seccomp protector enabled\n");
+                fmessage("Post-exec seccomp protector enabled\n");
         }
 
         SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 11e9eabf5..20e262d80 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -118,7 +118,7 @@ void fs_var_log(void) {
                 // mount a tmpfs on top of /var/log
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/log\n");
-                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/log");
                 fs_logger("tmpfs /var/log");
 
@@ -127,7 +127,7 @@ void fs_var_log(void) {
 
                 // create an empty /var/log/wtmp file
                 /* coverity[toctou] */
-                FILE *fp = fopen("/var/log/wtmp", "w");
+                FILE *fp = fopen("/var/log/wtmp", "wxe");
                 if (fp) {
                         SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
                         fclose(fp);
@@ -135,7 +135,7 @@ void fs_var_log(void) {
                 fs_logger("touch /var/log/wtmp");
 
                 // create an empty /var/log/btmp file
-                fp = fopen("/var/log/btmp", "w");
+                fp = fopen("/var/log/btmp", "wxe");
                 if (fp) {
                         SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
                         fclose(fp);
@@ -153,13 +153,12 @@ void fs_var_lib(void) {
         if (stat("/var/lib/dhcp", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/dhcp\n");
-                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID |  MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID |  MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/dhcp");
                 fs_logger("tmpfs /var/lib/dhcp");
 
                 // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file
-                FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w");
-
+                FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "wxe");
                 if (fp) {
                         fprintf(fp, "\n");
                         SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
@@ -172,7 +171,7 @@ void fs_var_lib(void) {
         if (stat("/var/lib/nginx", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/nginx\n");
-                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/nginx");
                 fs_logger("tmpfs /var/lib/nginx");
         }
@@ -181,7 +180,7 @@ void fs_var_lib(void) {
         if (stat("/var/lib/snmp", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/snmp\n");
-                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/snmp");
                 fs_logger("tmpfs /var/lib/snmp");
         }
@@ -190,7 +189,7 @@ void fs_var_lib(void) {
         if (stat("/var/lib/sudo", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lib/sudo\n");
-                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/lib/sudo");
                 fs_logger("tmpfs /var/lib/sudo");
         }
@@ -202,7 +201,7 @@ void fs_var_cache(void) {
         if (stat("/var/cache/apache2", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/cache/apache2\n");
-                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/cache/apache2");
                 fs_logger("tmpfs /var/cache/apache2");
         }
@@ -210,7 +209,7 @@ void fs_var_cache(void) {
         if (stat("/var/cache/lighttpd", &s) == 0) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/cache/lighttpd\n");
-                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /var/cache/lighttpd");
                 fs_logger("tmpfs /var/cache/lighttpd");
 
@@ -223,9 +222,11 @@ void fs_var_cache(void) {
                 }
 
                 mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
+                selinux_relabel_path("/var/cache/lighttpd/compress", "/var/cache/lighttpd/compress");
                 fs_logger("mkdir /var/cache/lighttpd/compress");
 
                 mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
+                selinux_relabel_path("/var/cache/lighttpd/uploads", "/var/cache/lighttpd/uploads");
                 fs_logger("/var/cache/lighttpd/uploads");
         }
 }
@@ -250,28 +251,13 @@ void fs_var_lock(void) {
         if (is_dir("/var/lock")) {
                 if (arg_debug)
                         printf("Mounting tmpfs on /var/lock\n");
-                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=1777,gid=0") < 0)
                         errExit("mounting /lock");
                 fs_logger("tmpfs /var/lock");
         }
         else {
-                char *lnk = realpath("/var/lock", NULL);
-                if (lnk) {
-                        if (!is_dir(lnk)) {
-                                // create directory
-                                mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
-                        }
-                        if (arg_debug)
-                                printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                                errExit("mounting /var/lock");
-                        free(lnk);
-                        fs_logger("tmpfs /var/lock");
-                }
-                else {
-                        fwarning("/var/lock not mounted\n");
-                        dbg_test_dir("/var/lock");
-                }
+                fwarning("/var/lock not mounted\n");
+                dbg_test_dir("/var/lock");
         }
 }
 
@@ -281,7 +267,7 @@ void fs_var_tmp(void) {
                 if (!is_link("/var/tmp")) {
                         if (arg_debug)
                                 printf("Mounting tmpfs on /var/tmp\n");
-                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
+                        if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,  "mode=1777,gid=0") < 0)
                                 errExit("mounting /var/tmp");
                         fs_logger("tmpfs /var/tmp");
                 }
@@ -300,7 +286,7 @@ void fs_var_utmp(void) {
         if (stat(UTMP_FILE, &s) == 0)
                 utmp_group = s.st_gid;
         else {
-                fwarning("cannot find /var/run/utmp\n");
+                fwarning("cannot find %s\n", UTMP_FILE);
                 return;
         }
 
@@ -309,7 +295,7 @@ void fs_var_utmp(void) {
                 printf("Create the new utmp file\n");
 
         /* coverity[toctou] */
-        FILE *fp = fopen(RUN_UTMP_FILE, "w");
+        FILE *fp = fopen(RUN_UTMP_FILE, "we");
         if (!fp)
                 errExit("fopen");
 
@@ -336,5 +322,9 @@ void fs_var_utmp(void) {
                 printf("Mount the new utmp file\n");
         if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mount bind utmp");
-        fs_logger("create /var/run/utmp");
+        fs_logger2("create", UTMP_FILE);
+
+        // blacklist RUN_UTMP_FILE
+        if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount bind");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 6e766f996..943f275de 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -16,323 +16,527 @@
  * You should have received a copy of the GNU General Public License along
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
+ */
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
-#include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 
-static char *dentry[] = {
-        "Downloads",
-        "Загрузки",
-        "Téléchargement",
-        NULL
-};
-
-#define EMPTY_STRING ("")
-#define MAXBUF 4098
-static char *resolve_downloads(int nowhitelist_flag) {
-        char *fname;
-        struct stat s;
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
-        // try a well known download directory name
-        int i = 0;
-        while (dentry[i] != NULL) {
-                if (asprintf(&fname, "%s/%s", cfg.homedir, dentry[i]) == -1)
-                        errExit("asprintf");
+#define TOP_MAX 64 // maximum number of top level directories
 
-                if (stat(fname, &s) == 0) {
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Downloads directory resolved as \"%s\"\n", fname);
+// mountinfo functionality test;
+// 1. enable TEST_MOUNTINFO definition
+// 2. run firejail --whitelist=/any/directory
+//#define TEST_MOUNTINFO
 
-                        char *rv;
-                        if (nowhitelist_flag) {
-                                if (asprintf(&rv, "nowhitelist ~/%s", dentry[i]) == -1)
-                                        errExit("asprintf");
-                        }
-                        else {
-                                if (asprintf(&rv, "whitelist ~/%s", dentry[i]) == -1)
-                                        errExit("asprintf");
+static size_t homedir_len = 0; // cache length of homedir string
+static size_t runuser_len = 0; // cache length of runuser string
+static char *runuser = NULL;
+
+
+
+static void whitelist_error(const char *path) {
+        assert(path);
+
+        fprintf(stderr, "Error: invalid whitelist path %s\n", path);
+        exit(1);
+}
+
+static int whitelist_mkpath(const char* path, mode_t mode) {
+        // work on a copy of the path
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
+
+        // only create leading directories, don't create the file
+        char *p = strrchr(dup, '/');
+        assert(p);
+        *p = '\0';
+
+        int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC);
+        if (parentfd == -1)
+                errExit("open");
+
+        // traverse the path, return -1 if a symlink is encountered
+        int fd = -1;
+        int done = 0;
+        char *tok = strtok(dup, "/");
+        assert(tok);
+        while (tok) {
+                // create the directory if necessary
+                if (mkdirat(parentfd, tok, mode) == -1) {
+                        if (errno != EEXIST) {
+                                if (arg_debug || arg_debug_whitelists)
+                                        perror("mkdir");
+                                close(parentfd);
+                                free(dup);
+                                return -1;
                         }
-                        free(fname);
-                        return rv;
                 }
-                free(fname);
-                i++;
+                else
+                        done = 1;
+                // open the directory
+                fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (fd == -1) {
+                        if (arg_debug || arg_debug_whitelists)
+                                perror("open");
+                        close(parentfd);
+                        free(dup);
+                        return -1;
+                }
+                // move on to next path segment
+                close(parentfd);
+                parentfd = fd;
+                tok = strtok(NULL, "/");
         }
 
-        // try a name form ~/.config/user-dirs.dirs
-        if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1)
-                errExit("asprintf");
-        FILE *fp = fopen(fname, "r");
-        if (!fp) {
-                free(fname);
-                return NULL;
+        if (done)
+                fs_logger2("mkpath", path);
+
+        free(dup);
+        return fd;
+}
+
+static void whitelist_file(int dirfd, const char *relpath, const char *path) {
+        assert(relpath && path);
+
+        // open mount source, using a file descriptor that refers to the
+        // top level directory
+        // as the top level directory was opened before mounting the tmpfs
+        // we still have full access to all directory contents
+        // take care to not follow symbolic links (dirfd was obtained without
+        // following a link, too)
+        int fd = safer_openat(dirfd, relpath, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
+                return;
+        }
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (S_ISLNK(s.st_mode)) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
+                close(fd);
+                return;
+        }
+
+        // create mount target as root, except if inside home or run/user/$UID directory
+        int userprivs = 0;
+        if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') ||
+            (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) {
+                EUID_USER();
+                userprivs = 1;
         }
-        free(fname);
 
-        // extract downloads directory
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp)) {
-                char *ptr = buf;
+        // create path of the mount target
+        int fd2 = whitelist_mkpath(path, 0755);
+        if (fd2 == -1) {
+                // something went wrong during path creation or a symlink was found;
+                // if there is a symlink somewhere in the path of the mount target,
+                // assume the file is whitelisted already
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
+                close(fd);
+                if (userprivs)
+                        EUID_ROOT();
+                return;
+        }
 
-                // skip blanks
-                while (*ptr == ' ' || *ptr == '\t')
-                        ptr++;
-                if (*ptr == '\0' || *ptr == '\n' || *ptr == '#')
-                        continue;
+        // get file name of the mount target
+        const char *file = gnu_basename(path);
 
-                if (strncmp(ptr, "XDG_DOWNLOAD_DIR=\"$HOME/", 24) == 0) {
-                        char *ptr1 = ptr + 24;
-                        char *ptr2 = strchr(ptr1, '"');
-                        if (ptr2) {
-                                fclose(fp);
-                                *ptr2 = '\0';
-                                if (arg_debug || arg_debug_whitelists)
-                                        printf("extracted %s from ~/.config/user-dirs.dirs\n", ptr1);
-                                if (strlen(ptr1) != 0) {
-                                        if (arg_debug || arg_debug_whitelists)
-                                                printf("Downloads directory resolved as \"%s\"\n", ptr1);
-
-                                        if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
-                                                errExit("asprintf");
-
-                                        if (stat(fname, &s) == -1) {
-                                                free(fname);
-                                                goto errout;
-                                        }
-
-                                        char *rv;
-                                        if (nowhitelist_flag) {
-                                                if (asprintf(&rv, "nowhitelist ~/%s", ptr + 24) == -1)
-                                                        errExit("asprintf");
-                                        }
-                                        else {
-                                                if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)
-                                                        errExit("asprintf");
-                                        }
-                                        return rv;
-                                }
-                                else
-                                        goto errout;
+        // create mount target itself and open it, a symlink is rejected
+        int fd3 = -1;
+        if (S_ISDIR(s.st_mode)) {
+                // directory foo can exist already:
+                // firejail --whitelist=~/foo/bar --whitelist=~/foo
+                if (mkdirat(fd2, file, 0755) == -1 && errno != EEXIST) {
+                        if (arg_debug || arg_debug_whitelists) {
+                                perror("mkdir");
+                                printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                         }
+                        close(fd);
+                        close(fd2);
+                        if (userprivs)
+                                EUID_ROOT();
+                        return;
                 }
+                fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         }
+        else
+                // create an empty file, fails with EEXIST if it is whitelisted already:
+                // firejail --whitelist=/foo --whitelist=/foo/bar
+                fd3 = openat(fd2, file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR|S_IWUSR);
 
-        fclose(fp);
-        return NULL;
-
-errout:
-        if (!arg_private) {
-                fprintf(stderr, "***\n");
-                fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n");
-                fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n");
-                fprintf(stderr, "***\n");
+        if (fd3 == -1) {
+                if (errno != EEXIST && (arg_debug || arg_debug_whitelists)) {
+                        perror("open");
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
+                }
+                close(fd);
+                close(fd2);
+                if (userprivs)
+                        EUID_ROOT();
+                return;
         }
 
-        return NULL;
+        close(fd2);
+        if (userprivs)
+                EUID_ROOT();
+
+        if (arg_debug || arg_debug_whitelists)
+                printf("Whitelisting %s\n", path);
+        if (bind_mount_by_fd(fd, fd3))
+                errExit("mount bind");
+        // check the last mount operation
+        MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
+#ifdef TEST_MOUNTINFO
+        printf("TEST_MOUNTINFO\n");
+        mptr->dir = "foo";
+#endif
+        // confirm the file was mounted on the right target
+        // strcmp does not work here, because mptr->dir can be a child mount
+        size_t path_len = strlen(path);
+        if (strncmp(mptr->dir, path, path_len) != 0 ||
+           (*(mptr->dir + path_len) != '\0' && *(mptr->dir + path_len) != '/'))
+                errLogExit("invalid whitelist mount");
+        // No mounts are allowed on top level directories. A destination such as "/etc" is very bad!
+        //  - there should be more than one '/' char in dest string
+        if (mptr->dir == strrchr(mptr->dir, '/'))
+                errLogExit("invalid whitelist mount");
+        close(fd);
+        close(fd3);
+        fs_logger2("whitelist", path);
 }
 
-static int mkpath(const char* path, mode_t mode) {
-        assert(path && *path);
+static void whitelist_symlink(const char *link, const char *target) {
+        assert(link && target);
 
-        mode |= 0111;
+        // create files as root, except if inside home or run/user/$UID directory
+        int userprivs = 0;
+        if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') ||
+            (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) {
+                EUID_USER();
+                userprivs = 1;
+        }
 
-        // create directories with uid/gid as root or as current user if inside home directory
-        uid_t uid = getuid();
-        gid_t gid = getgid();
-        if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                uid = 0;
-                gid = 0;
+        int fd = whitelist_mkpath(link, 0755);
+        if (fd == -1) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
+                if (userprivs)
+                        EUID_ROOT();
+                return;
         }
 
-        // work on a copy of the path
-        char *file_path = strdup(path);
-        if (!file_path)
-                errExit("strdup");
+        // get file name of symlink
+        const char *file = gnu_basename(link);
 
-        char* p;
-        int done = 0;
-        for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) {
-                *p='\0';
-                if (mkdir(file_path, mode)==-1) {
-                        if (errno != EEXIST) {
-                                *p='/';
-                                free(file_path);
-                                return -1;
-                        }
+        // create the link
+        if (symlinkat(target, fd, file) == -1) {
+                if (arg_debug || arg_debug_whitelists) {
+                        perror("symlink");
+                        printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
                 }
-                else {
-                        if (set_perms(file_path, uid, gid, mode))
-                                errExit("set_perms");
-                        done = 1;
-                }
-
-                *p='/';
         }
-        if (done)
-                fs_logger2("mkpath", path);
+        else if (arg_debug || arg_debug_whitelists)
+                printf("Created symbolic link %s -> %s\n", link, target);
 
-        free(file_path);
-        return 0;
+        close(fd);
+        if (userprivs)
+                EUID_ROOT();
 }
 
-static void whitelist_path(ProfileEntry *entry) {
-        assert(entry);
-        char *path = entry->data + 10;
-        assert(path);
-        const char *fname;
-        char *wfile = NULL;
-
-        if (entry->home_dir) {
-                if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
-                        fname = path + strlen(cfg.homedir);
-                        if (*fname == '\0')
-                                goto errexit;
-                }
-                else
-                        fname = path;
+static void globbing(const char *pattern) {
+        EUID_ASSERT();
+        assert(pattern);
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
-                        errExit("asprintf");
+        // globbing
+        glob_t globbuf;
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern);
+                exit(1);
         }
-        else if (entry->tmp_dir) {
-                fname = path + 4; // strlen("/tmp")
-                if (*fname == '\0')
-                        goto errexit;
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
-                        errExit("asprintf");
-        }
-        else if (entry->media_dir) {
-                fname = path + 6; // strlen("/media")
-                if (*fname == '\0')
-                        goto errexit;
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                assert(globbuf.gl_pathv[i]);
+                // testing for GLOB_NOCHECK - no pattern matched returns the original pattern
+                if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
+                        continue;
+                // foo/* expands to foo/. and foo/..
+                const char *base = gnu_basename(globbuf.gl_pathv[i]);
+                if (strcmp(base, ".") == 0 ||
+                    strcmp(base, "..") == 0)
+                        continue;
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
+                // build the new profile command
+                char *newcmd;
+                if (asprintf(&newcmd, "whitelist %s", globbuf.gl_pathv[i]) == -1)
                         errExit("asprintf");
+
+                // add the new profile command at the end of the list
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Adding new profile command: %s\n", newcmd);
+                profile_add(newcmd);
         }
-        else if (entry->mnt_dir) {
-                fname = path + 4; // strlen("/mnt")
-                if (*fname == '\0')
-                        goto errexit;
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1)
-                        errExit("asprintf");
+        globfree(&globbuf);
+}
+
+// mount tmpfs on all top level directories
+static void tmpfs_topdirs(const TopDir *topdirs) {
+        int tmpfs_home = 0;
+        int tmpfs_runuser = 0;
+
+        int i;
+        for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
+                // do nested top level directories last
+                // this way '--whitelist=nested_top_level_dir'
+                // yields the full, unmodified directory
+                // instead of the tmpfs
+                if (strcmp(topdirs[i].path, cfg.homedir) == 0) {
+                        tmpfs_home = 1;
+                        continue;
+                }
+                if (strcmp(topdirs[i].path, runuser) == 0) {
+                        tmpfs_runuser = 1;
+                        continue;
+                }
+
+                // special case /run
+                // open /run/firejail, so it can be restored right after mounting the tmpfs
+                int fd = -1;
+                if (strcmp(topdirs[i].path, "/run") == 0) {
+                        fd = open(RUN_FIREJAIL_DIR, O_PATH|O_CLOEXEC);
+                        if (fd == -1)
+                                errExit("open");
+                }
+
+                // mount tmpfs
+                fs_tmpfs(topdirs[i].path, 0);
+                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
+
+                // init tmpfs
+                if (strcmp(topdirs[i].path, "/run") == 0) {
+                        // restore /run/firejail directory
+                        if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1)
+                                errExit("mkdir");
+                        if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
+                                errExit("mount bind");
+                        close(fd);
+                        fs_logger2("whitelist", RUN_FIREJAIL_DIR);
+
+                        // restore /run/user/$UID directory
+                        // get path relative to /run
+                        const char *rel = runuser + 5;
+                        whitelist_file(topdirs[i].fd, rel, runuser);
+                }
+                else if (strcmp(topdirs[i].path, "/tmp") == 0) {
+                        // fix pam-tmpdir (#2685)
+                        const char *env = env_get("TMP");
+                        if (env) {
+                                char *pamtmpdir;
+                                if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+                                        errExit("asprintf");
+                                if (strcmp(env, pamtmpdir) == 0) {
+                                        // create empty user-owned /tmp/user/$UID directory
+                                        mkdir_attr("/tmp/user", 0711, 0, 0);
+                                        selinux_relabel_path("/tmp/user", "/tmp/user");
+                                        fs_logger("mkdir /tmp/user");
+                                        mkdir_attr(pamtmpdir, 0700, getuid(), 0);
+                                        selinux_relabel_path(pamtmpdir, pamtmpdir);
+                                        fs_logger2("mkdir", pamtmpdir);
+                                }
+                                free(pamtmpdir);
+                        }
+                }
+
+                // restore user home directory if it is masked by the tmpfs
+                // creates path owned by root
+                // does nothing if user home directory doesn't exist
+                size_t topdir_len = strlen(topdirs[i].path);
+                if (strncmp(topdirs[i].path, cfg.homedir, topdir_len) == 0 && cfg.homedir[topdir_len] == '/') {
+                        // get path relative to top level directory
+                        const char *rel = cfg.homedir + topdir_len + 1;
+                        whitelist_file(topdirs[i].fd, rel, cfg.homedir);
+                }
         }
-        else if (entry->var_dir) {
-                fname = path + 4; // strlen("/var")
-                if (*fname == '\0')
-                        goto errexit;
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
-                        errExit("asprintf");
+        // user home directory
+        if (tmpfs_home) {
+                EUID_USER();
+                fs_private(); // checks owner if outside /home
+                EUID_ROOT();
         }
-        else if (entry->dev_dir) {
-                fname = path + 4; // strlen("/dev")
-                if (*fname == '\0')
-                        goto errexit;
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
-                        errExit("asprintf");
+        // /run/user/$UID directory
+        if (tmpfs_runuser) {
+                fs_tmpfs(runuser, 0);
+                selinux_relabel_path(runuser, runuser);
         }
-        else if (entry->opt_dir) {
-                fname = path + 4; // strlen("/opt")
-                if (*fname == '\0')
-                        goto errexit;
+}
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
-                        errExit("asprintf");
+static int reject_topdir(const char *dir) {
+        if (!whitelist_reject_topdirs)
+                return 0;
+
+        size_t i;
+        for (i = 0; whitelist_reject_topdirs[i]; i++) {
+                if (strcmp(dir, whitelist_reject_topdirs[i]) == 0)
+                        return 1;
         }
-        else if (entry->srv_dir) {
-                fname = path + 4; // strlen("/srv")
-                if (*fname == '\0')
-                        goto errexit;
+        return 0;
+}
 
-                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
-                        errExit("asprintf");
+// keep track of whitelist top level directories by adding them to an array
+// open each directory
+static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
+        assert(dir && path);
+
+        // /proc and /sys are not allowed
+        if (strcmp(dir, "/") == 0 ||
+            strcmp(dir, "/proc") == 0 ||
+            strcmp(dir, "/sys") == 0)
+                whitelist_error(path);
+
+        // whitelisting home directory is disabled if --private option is present
+        if (arg_private && strcmp(dir, cfg.homedir) == 0) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path);
+                return NULL;
         }
-        // check if the file exists
+
+        // do nothing if directory doesn't exist
         struct stat s;
-        if (wfile && stat(wfile, &s) == 0) {
+        if (lstat(dir, &s) != 0) {
                 if (arg_debug || arg_debug_whitelists)
-                        printf("Whitelisting %s\n", path);
+                        printf("Cannot access whitelist top level directory %s: %s\n", dir, strerror(errno));
+                return NULL;
         }
-        else {
-                return;
+        // do nothing if directory is a link
+        if (!S_ISDIR(s.st_mode)) {
+                if (S_ISLNK(s.st_mode)) {
+                        fwarning("skipping whitelist %s because %s is a symbolic link\n", path, dir);
+                        return NULL;
+                }
+                whitelist_error(path);
+        }
+        // do nothing if directory is disabled by administrator
+        if (reject_topdir(dir)) {
+                fmessage("Whitelist top level directory %s is disabled in Firejail configuration file\n", dir);
+                return NULL;
         }
 
-        // create the path if necessary
-        mkpath(path, s.st_mode);
-        fs_logger2("whitelist", path);
-
-        // process directory
-        if (S_ISDIR(s.st_mode)) {
-                // create directory
-                int rv = mkdir(path, 0755);
-                (void) rv;
+        // add directory to array
+        if (arg_debug || arg_debug_whitelists)
+                printf("Adding whitelist top level directory %s\n", dir);
+        static int cnt = 0;
+        if (cnt >= TOP_MAX) {
+                fprintf(stderr, "Error: too many whitelist top level directories\n");
+                exit(1);
         }
+        TopDir *rv = topdirs + cnt;
+        cnt++;
 
-        // process regular file
-        else {
-                if (access(path, R_OK)) {
-                        // create an empty file
-                        FILE *fp = fopen(path, "w");
-                        if (!fp) {
-                                fprintf(stderr, "Error: cannot create empty file in home directory\n");
-                                exit(1);
-                        }
-                        // set file properties
-                        SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
-                        fclose(fp);
-                }
-                else
-                        return; // the file is already present
+        rv->path = strdup(dir);
+        if (!rv->path)
+                errExit("strdup");
+
+        // open the directory, don't follow symbolic links
+        rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
+        if (rv->fd == -1) {
+                fprintf(stderr, "Error: cannot open %s\n", dir);
+                exit(1);
         }
 
-        // mount
-        if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
+        return rv;
+}
 
-        free(wfile);
-        return;
+static TopDir *have_topdir(const char *dir, TopDir *topdirs) {
+        assert(dir);
 
-errexit:
-        fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path);
-        exit(1);
+        int i;
+        for (i = 0; i < TOP_MAX; i++) {
+                TopDir *rv = topdirs + i;
+                if (!rv->path)
+                        break;
+                if (strcmp(dir, rv->path) == 0)
+                        return rv;
+        }
+        return NULL;
 }
 
+static char *extract_topdir(const char *path) {
+        assert(path);
+
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
+
+        // user home directory can be anywhere; disconnect user home
+        // whitelisting from top level directory whitelisting
+        // by treating user home as separate whitelist top level directory
+        if (strncmp(dup, cfg.homedir, homedir_len) == 0 && dup[homedir_len] == '/')
+                dup[homedir_len] = '\0';
+        // /run/user/$UID is treated as top level directory
+        else if (strncmp(dup, runuser, runuser_len) == 0 && dup[runuser_len] == '/')
+                dup[runuser_len] = '\0';
+        // whitelisting in /sys is not allowed, but /sys/module is an exception
+        // and is treated as top level directory here
+        else if (strncmp(dup, "/sys/module", 11) == 0 && dup[11] == '/')
+                dup[11] = '\0';
+        // treat /usr subdirectories as top level directories
+        else if (strncmp(dup, "/usr/", 5) == 0) {
+                char *p = strchr(dup+5, '/');
+                if (!p)
+                        whitelist_error(path);
+                *p = '\0';
+        }
+        // all other top level directories
+        else {
+                assert(dup[0] == '/');
+                char *p = strchr(dup+1, '/');
+                if (!p)
+                        whitelist_error(path);
+                *p = '\0';
+        }
+
+        return dup;
+}
 
-// whitelist for /home/user directory
 void fs_whitelist(void) {
-        char *homedir = cfg.homedir;
-        assert(homedir);
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
 
-        char *new_name = NULL;
-        int home_dir = 0;       // /home/user directory flag
-        int tmp_dir = 0;        // /tmp directory flag
-        int media_dir = 0;      // /media directory flag
-        int mnt_dir = 0;        // /mnt directory flag
-        int var_dir = 0;                // /var directory flag
-        int dev_dir = 0;                // /dev directory flag
-        int opt_dir = 0;                // /opt directory flag
-        int srv_dir = 0;                // /srv directory flag
+        if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
+                errExit("asprintf");
+        runuser_len = strlen(runuser);
+        homedir_len = strlen(cfg.homedir);
 
         size_t nowhitelist_c = 0;
         size_t nowhitelist_m = 32;
         char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist));
         if (nowhitelist == NULL)
-                errExit("failed allocating memory for nowhitelist entries");
+                errExit("calloc");
+
+        TopDir *topdirs = calloc(TOP_MAX, sizeof(*topdirs));
+        if (topdirs == NULL)
+                errExit("calloc");
 
         // verify whitelist files, extract symbolic links, etc.
+        EUID_USER();
         while (entry) {
                 int nowhitelist_flag = 0;
 
@@ -345,82 +549,108 @@ void fs_whitelist(void) {
                         entry = entry->next;
                         continue;
                 }
-                char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;
-
-                // resolve ${DOWNLOADS}
-                if (strcmp(dataptr, "${DOWNLOADS}") == 0) {
-                        char *tmp = resolve_downloads(nowhitelist_flag);
-                        if (tmp) {
-                                entry->data = tmp;
-                                dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;
-                        }
-                        else {
-                                if (!nowhitelist_flag && !arg_quiet && !arg_private) {
-                                        fprintf(stderr, "***\n");
-                                        fprintf(stderr, "*** Warning: cannot whitelist Downloads directory\n");
-                                        fprintf(stderr, "*** \tAny file saved will be lost when the sandbox is closed.\n");
-                                        fprintf(stderr, "*** \tPlease create a proper Downloads directory for your application.\n");
-                                        fprintf(stderr, "***\n");
-                                }
-                                entry->data = EMPTY_STRING;
-                                continue;
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: %s\n", __LINE__, entry->data);
+
+                const char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;
+
+                // replace ~ into /home/username or resolve macro
+                char *expanded = expand_macros(dataptr);
+
+                // check if respolving the macro was successful
+                if (is_macro(expanded) && macro_id(expanded) > -1) {
+                        if (!nowhitelist_flag && (have_topdir(cfg.homedir, topdirs) || add_topdir(cfg.homedir, topdirs, expanded)) && !arg_quiet) {
+                                fprintf(stderr, "***\n");
+                                fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", expanded);
+                                fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n");
+                                fprintf(stderr, "***\n");
                         }
+                        entry = entry->next;
+                        free(expanded);
+                        continue;
                 }
 
-                // replace ~/ or ${HOME} into /home/username
-                new_name = expand_home(dataptr, cfg.homedir);
-                assert(new_name);
                 if (arg_debug || arg_debug_whitelists)
-                        fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
+                        printf("Debug %d: expanded: %s\n", __LINE__, expanded);
+
+                // path should be absolute at this point
+                if (expanded[0] != '/')
+                        whitelist_error(expanded);
+
+                // sane pathname
+                char *new_name = clean_pathname(expanded);
+                free(expanded);
+
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: new_name: %s\n", __LINE__, new_name);
+
+                if (strstr(new_name, ".."))
+                        whitelist_error(new_name);
+
+                // /run/firejail is not allowed
+                if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
+                        whitelist_error(new_name);
 
-                // valid path referenced to filesystem root
-                if (*new_name != '/') {
+                TopDir *current_top = NULL;
+                if (!nowhitelist_flag) {
+                        // extract whitelist top level directory
+                        char *dir = extract_topdir(new_name);
                         if (arg_debug || arg_debug_whitelists)
-                                fprintf(stderr, "Debug %d: \n", __LINE__);
-                        goto errexit;
+                                printf("Debug %d: dir: %s\n", __LINE__, dir);
+
+                        // check if this top level directory has been processed already
+                        current_top = have_topdir(dir, topdirs);
+                        if (!current_top) { // got new top level directory
+                                current_top = add_topdir(dir, topdirs, new_name);
+                                if (!current_top) { // skip this command, top level directory not valid
+                                        entry = entry->next;
+                                        free(new_name);
+                                        free(dir);
+                                        continue;
+                                }
+                        }
+                        free(dir);
                 }
 
+                // extract resolved path of the file
+                // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission
+                // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr
+                char *fname = NULL;
+                if (strcmp(new_name, "/dev/fd") == 0)
+                        fname = strdup("/proc/self/fd");
+                else if (strcmp(new_name, "/dev/stdin") == 0)
+                        fname = strdup("/proc/self/fd/0");
+                else if (strcmp(new_name, "/dev/stdout") == 0)
+                        fname = strdup("/proc/self/fd/1");
+                else if (strcmp(new_name, "/dev/stderr") == 0)
+                        fname = strdup("/proc/self/fd/2");
+                else
+                        fname = realpath(new_name, NULL);
 
-                // extract the absolute path of the file
-                // realpath function will fail with ENOENT if the file is not found
-                char *fname = realpath(new_name, NULL);
                 if (!fname) {
-                        // file not found, blank the entry in the list and continue
                         if (arg_debug || arg_debug_whitelists) {
-                                printf("Removed whitelist/nowhitelist path: %s\n", entry->data);
+                                printf("Removed path: %s\n", entry->data);
                                 printf("\texpanded: %s\n", new_name);
-                                printf("\treal path: (null)\n");
-                                printf("\t");fflush(0);
-                                perror("realpath");
+                                printf("\trealpath: (null)\n");
+                                printf("\t%s\n", strerror(errno));
                         }
 
-                        // if 1 the file was not found; mount an empty directory
                         if (!nowhitelist_flag) {
-                                if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
-                                        if(!arg_private)
-                                                home_dir = 1;
-                                }
-                                else if (strncmp(new_name, "/tmp/", 5) == 0)
-                                        tmp_dir = 1;
-                                else if (strncmp(new_name, "/media/", 7) == 0)
-                                        media_dir = 1;
-                                else if (strncmp(new_name, "/mnt/", 5) == 0)
-                                        mnt_dir = 1;
-                                else if (strncmp(new_name, "/var/", 5) == 0)
-                                        var_dir = 1;
-                                else if (strncmp(new_name, "/dev/", 5) == 0)
-                                        dev_dir = 1;
-                                else if (strncmp(new_name, "/opt/", 5) == 0)
-                                        opt_dir = 1;
-                                else if (strncmp(new_name, "/srv/", 5) == 0)
-                                        opt_dir = 1;
+                                // if this is not a real path, let's try globbing
+                                // push the new paths at the end of profile entry list
+                                // the new profile entries will be processed in this loop
+                                // currently there is no globbing support for nowhitelist
+                                globbing(new_name);
                         }
 
-                        entry->data = EMPTY_STRING;
+                        entry = entry->next;
+                        free(new_name);
                         continue;
                 }
-                else if (arg_debug_whitelists)
-                        printf("real path %s\n", fname);
+
+                // /run/firejail is not allowed
+                if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
+                        whitelist_error(fname);
 
                 if (nowhitelist_flag) {
                         // store the path in nowhitelist array
@@ -434,111 +664,12 @@ void fs_whitelist(void) {
                                         errExit("failed increasing memory for nowhitelist entries");
                         }
                         nowhitelist[nowhitelist_c++] = fname;
-                        entry->data = EMPTY_STRING;
+                        entry = entry->next;
+                        free(new_name);
                         continue;
                 }
-
-
-                // check for supported directories
-                if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
-                        // whitelisting home directory is disabled if --private option is present
-                        if (arg_private) {
-                                if (arg_debug || arg_debug_whitelists)
-                                        printf("\"%s\" disabled by --private\n", entry->data);
-
-                                entry->data = EMPTY_STRING;
-                                continue;
-                        }
-
-                        entry->home_dir = 1;
-                        home_dir = 1;
-                        if (arg_debug || arg_debug_whitelists)
-                                fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n",
-                                        __LINE__, fname, cfg.homedir);
-
-                        // both path and absolute path are under /home
-                        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-                                if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
-                                        // check if the file is owned by the user
-                                        struct stat s;
-                                        if (stat(fname, &s) == 0 && s.st_uid != getuid())
-                                                goto errexit;
-                                }
-                        }
-                }
-                else if (strncmp(new_name, "/tmp/", 5) == 0) {
-                        entry->tmp_dir = 1;
-                        tmp_dir = 1;
-                        // both path and absolute path are under /tmp
-                        if (strncmp(fname, "/tmp/", 5) != 0) {
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/media/", 7) == 0) {
-                        entry->media_dir = 1;
-                        media_dir = 1;
-                        // both path and absolute path are under /media
-                        if (strncmp(fname, "/media/", 7) != 0) {
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/mnt/", 5) == 0) {
-                        entry->mnt_dir = 1;
-                        mnt_dir = 1;
-                        // both path and absolute path are under /mnt
-                        if (strncmp(fname, "/mnt/", 5) != 0) {
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/var/", 5) == 0) {
-                        entry->var_dir = 1;
-                        var_dir = 1;
-                        // both path and absolute path are under /var
-                        // exceptions: /var/run and /var/lock
-                        if (strcmp(new_name, "/var/run")== 0)
-                                ;
-                        else if (strcmp(new_name, "/var/lock")== 0)
-                                ;
-                        else if (strncmp(fname, "/var/", 5) != 0) {
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/dev/", 5) == 0) {
-                        entry->dev_dir = 1;
-                        dev_dir = 1;
-
-                        // special handling for /dev/shm
-                        // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
-                        if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
-                        else {
-                                // both path and absolute path are under /dev
-                                if (strncmp(fname, "/dev/", 5) != 0) {
-                                        goto errexit;
-                                }
-                        }
-                }
-                else if (strncmp(new_name, "/opt/", 5) == 0) {
-                        entry->opt_dir = 1;
-                        opt_dir = 1;
-                        // both path and absolute path are under /dev
-                        if (strncmp(fname, "/opt/", 5) != 0) {
-                                goto errexit;
-                        }
-                }
-                else if (strncmp(new_name, "/srv/", 5) == 0) {
-                        entry->srv_dir = 1;
-                        srv_dir = 1;
-                        // both path and absolute path are under /srv
-                        if (strncmp(fname, "/srv/", 5) != 0) {
-                                goto errexit;
-                        }
-                }
                 else {
-                        goto errexit;
-                }
-
-                // check if the path is in nowhitelist array
-                if (nowhitelist_flag == 0) {
+                        // check if the path is in nowhitelist array
                         size_t i;
                         int found = 0;
                         for (i = 0; i < nowhitelist_c; i++) {
@@ -552,277 +683,80 @@ void fs_whitelist(void) {
                         if (found) {
                                 if (arg_debug || arg_debug_whitelists)
                                         printf("Skip nowhitelisted path %s\n", fname);
-                                entry->data = EMPTY_STRING;
+                                entry = entry->next;
+                                free(new_name);
                                 free(fname);
                                 continue;
                         }
                 }
 
-                // mark symbolic links
+                // attach whitelist parameters to profile entry
+                entry->wparam = calloc(1, sizeof(struct wparam_t));
+                if (!entry->wparam)
+                        errExit("calloc");
+
+                assert(current_top);
+                entry->wparam->top = current_top;
+                entry->wparam->file = fname;
+
+                // mark link
                 if (is_link(new_name))
-                        entry->link = new_name;
-                else {
+                        entry->wparam->link = new_name;
+                else
                         free(new_name);
-                        new_name = NULL;
-                }
 
-                // change file name in entry->data
-                if (strcmp(fname, entry->data + 10) != 0) {
-                        char *newdata;
-                        if (asprintf(&newdata, "whitelist %s", fname) == -1)
-                                errExit("asprintf");
-                        entry->data = newdata;
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Replaced whitelist path: %s\n", entry->data);
-                }
-                free(fname);
                 entry = entry->next;
         }
 
         // release nowhitelist memory
-        assert(nowhitelist);
         free(nowhitelist);
 
-        // /home/user
-        if (home_dir) {
-                // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
-                mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid());
-                if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-
-                // mount a tmpfs and initialize /home/user
-                 fs_private();
-        }
-
-        // /tmp mountpoint
-        if (tmp_dir) {
-                // keep a copy of real /tmp directory in
-                mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0);
-                if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-
-                // mount tmpfs on /tmp
-                if (arg_debug || arg_debug_whitelists)
-                        printf("Mounting tmpfs on /tmp directory\n");
-                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                        errExit("mounting tmpfs on /tmp");
-                fs_logger("tmpfs /tmp");
-        }
-
-        // /media mountpoint
-        if (media_dir) {
-                // some distros don't have a /media directory
-                struct stat s;
-                if (stat("/media", &s) == 0) {
-                        // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-                        mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0);
-                        if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /media
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /media directory\n");
-                        if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /media");
-                        fs_logger("tmpfs /media");
-                }
-                else
-                        media_dir = 0;
-        }
-
-        // /mnt mountpoint
-        if (mnt_dir) {
-                // check if /mnt directory exists
-                struct stat s;
-                if (stat("/mnt", &s) == 0) {
-                        // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR
-                        mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0);
-                        if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /mnt
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /mnt directory\n");
-                        if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /mnt");
-                        fs_logger("tmpfs /mnt");
-                }
-                else
-                        mnt_dir = 0;
-        }
-
-
-        // /var mountpoint
-        if (var_dir) {
-                // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
-                mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0);
-                if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-
-                // mount tmpfs on /var
-                if (arg_debug || arg_debug_whitelists)
-                        printf("Mounting tmpfs on /var directory\n");
-                if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting tmpfs on /var");
-                fs_logger("tmpfs /var");
-        }
-
-        // /dev mountpoint
-        if (dev_dir) {
-                // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
-                mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0);
-                if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount bind");
-
-                // mount tmpfs on /dev
-                if (arg_debug || arg_debug_whitelists)
-                        printf("Mounting tmpfs on /dev directory\n");
-                if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting tmpfs on /dev");
-                fs_logger("tmpfs /dev");
-        }
-
-        // /opt mountpoint
-        if (opt_dir) {
-                // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
-                mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0);
-                if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-
-                // mount tmpfs on /opt
-                if (arg_debug || arg_debug_whitelists)
-                        printf("Mounting tmpfs on /opt directory\n");
-                if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mounting tmpfs on /opt");
-                fs_logger("tmpfs /opt");
-        }
-
-        // /srv mountpoint
-        if (srv_dir) {
-                // check if /srv directory exists
-                struct stat s;
-                if (stat("/srv", &s) == 0) {
-                        // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
-                        mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0);
-                        if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind");
-
-                        // mount tmpfs on /srv
-                        if (arg_debug || arg_debug_whitelists)
-                                printf("Mounting tmpfs on /srv directory\n");
-                        if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                                errExit("mounting tmpfs on /srv");
-                        fs_logger("tmpfs /srv");
-                }
-                else
-                        srv_dir = 0;
-        }
-
+        // mount tmpfs on all top level directories
+        EUID_ROOT();
+        tmpfs_topdirs(topdirs);
 
         // go through profile rules again, and interpret whitelist commands
         entry = cfg.profile;
         while (entry) {
-                // handle only whitelist commands
-                if (strncmp(entry->data, "whitelist ", 10)) {
-                        entry = entry->next;
-                        continue;
-                }
+                if (entry->wparam) {
+                        char *file = entry->wparam->file;
+                        char *link = entry->wparam->link;
+                        const char *topdir = entry->wparam->top->path;
+                        size_t topdir_len = strlen(topdir);
+                        int dirfd = entry->wparam->top->fd;
+
+                        // top level directories of link and file can differ
+                        // whitelist the file only if it is in same top level directory
+                        if (strncmp(file, topdir, topdir_len) == 0 && file[topdir_len] == '/') {
+                                // get path relative to top level directory
+                                const char *rel = file + topdir_len + 1;
 
-//printf("here %d#%s#\n", __LINE__, entry->data);
-                // whitelist the real file
-                if (strcmp(entry->data, "whitelist /run") == 0 &&
-                    (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) {
-                        int rv = symlink(entry->data + 10, entry->link);
-                        if (rv)
-                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
-                        else if (arg_debug || arg_debug_whitelists)
-                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
-                }
-                else {
-                        whitelist_path(entry);
+                                if (arg_debug || arg_debug_whitelists)
+                                        printf("Debug %d: file: %s; dirfd: %d; topdir: %s; rel: %s\n", __LINE__, file, dirfd, topdir, rel);
+                                whitelist_file(dirfd, rel, file);
+                        }
 
                         // create the link if any
-                        if (entry->link) {
-                                // if the link is already there, do not bother
-                                struct stat s;
-                                if (stat(entry->link, &s) != 0) {
-                                        // create the path if necessary
-                                        mkpath(entry->link, s.st_mode);
-
-                                        int rv = symlink(entry->data + 10, entry->link);
-                                        if (rv)
-                                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
-                                        else if (arg_debug || arg_debug_whitelists)
-                                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
-                                }
+                        if (link) {
+                                whitelist_symlink(link, file);
+                                free(link);
                         }
+
+                        free(file);
+                        free(entry->wparam);
+                        entry->wparam = NULL;
                 }
 
                 entry = entry->next;
         }
 
-        // mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR
-        if (home_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR);
-        }
-
-        // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR
-        if (tmp_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR);
-        }
-
-        // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR
-        if (var_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR);
-        }
-
-        // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR
-        if (opt_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR);
-        }
-
-        // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR
-        if (dev_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR);
-        }
+        // release resources
+        free(runuser);
 
-        // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR
-        if (media_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR);
+        size_t i;
+        for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
+                free(topdirs[i].path);
+                close(topdirs[i].fd);
         }
-
-        // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR
-        if (mnt_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
-        }
-
-        // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
-        if (srv_dir) {
-                if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                        errExit("mount tmpfs");
-                fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
-        }
-
-        if (new_name)
-                free(new_name);
-
-        return;
-
-errexit:
-        fprintf(stderr, "Error: invalid whitelist path %s\n", new_name);
-        exit(1);
+        free(topdirs);
 }
diff --git a/src/firejail/git.c b/src/firejail/git.c
deleted file mode 100644
index ae28f7ec1..000000000
--- a/src/firejail/git.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#ifdef HAVE_GIT_INSTALL
-
-#include "firejail.h"
-#include <sys/utsname.h>
-#include <sched.h>
-#include <sys/mount.h>
-
-// install a very simple mount namespace sandbox with a tmpfs on top of /tmp
-// and drop privileges
-static void sbox_ns(void) {
-        if (unshare(CLONE_NEWNS) < 0)
-                errExit("unshare");
-
-        // mount events are not forwarded between the host the sandbox
-        if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) {
-                errExit("mount");
-        }
-
-        // mount a tmpfs on top of /tmp
-        if (mount(NULL, "/tmp", "tmpfs", 0, NULL) < 0)
-                errExit("mount");
-
-
-        // drop privileges
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
-        assert(getenv("LD_PRELOAD") == NULL);
-
-        printf("Running as "); fflush(0);
-        int rv = system("whoami");
-        (void) rv;
-        printf("/tmp directory: "); fflush(0);
-        rv = system("ls -l /tmp");
-        (void) rv;
-}
-
-
-void git_install(void) {
-        // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
-        EUID_ASSERT();
-        EUID_ROOT();
-
-        // install a mount namespace with a tmpfs on top of /tmp
-        sbox_ns();
-
-        // run command
-        const char *cmd = LIBDIR "/firejail/fgit-install.sh";
-        int rv = system(cmd);
-        (void) rv;
-        exit(0);
-}
-
-void git_uninstall(void) {
-        // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
-        EUID_ASSERT();
-        EUID_ROOT();
-
-        // install a mount namespace with a tmpfs on top of /tmp
-        sbox_ns();
-
-        // run command
-        const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh";
-        int rv = system(cmd);
-        (void) rv;
-        exit(0);
-}
-
-#endif // HAVE_GIT_INSTALL
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
new file mode 100644
index 000000000..59acdb1fe
--- /dev/null
+++ b/src/firejail/ids.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+
+static void ids_init(void) {
+        // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+        char *fname;
+        if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+                errExit("asprintf");
+
+        int rv = unlink(fname);
+        (void) rv;
+        int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0600);
+        if (fd < 0) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+
+        // redirect output
+        close(STDOUT_FILENO);
+        if (dup(fd) != STDOUT_FILENO)
+                errExit("dup");
+        close(fd);
+
+        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
+}
+
+static void ids_check(void) {
+        // store checksums as root in /var/lib/firejail/${USERNAME}.ids
+        char *fname;
+        if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1)
+                errExit("asprintf");
+
+        int fd = open(fname, O_RDONLY);
+        if (fd < 0) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                exit(1);
+        }
+
+        // redirect input
+        close(STDIN_FILENO);
+        if (dup(fd) != STDIN_FILENO)
+                errExit("dup");
+        close(fd);
+
+        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
+}
+
+void run_ids(int argc, char **argv) {
+        if (argc != 2) {
+                fprintf(stderr, "Error: only one IDS command expected\n");
+                exit(1);
+        }
+
+        EUID_ROOT();
+        struct stat s;
+        if (stat(VARDIR, &s)) // /var/lib/firejail
+                create_empty_dir_as_root(VARDIR, 0700);
+
+        if (strcmp(argv[1], "--ids-init") == 0)
+                ids_init();
+        else if (strcmp(argv[1], "--ids-check") == 0)
+                ids_check();
+        else
+                fprintf(stderr, "Error: unrecognized IDS command\n");
+
+        exit(0);
+}
\ No newline at end of file
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 9f52d4565..a869f6b64 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,36 +20,95 @@
 #include "firejail.h"
 #include <sys/stat.h>
 #include <sys/wait.h>
-#include <fcntl.h>
 #include <unistd.h>
-#include <sys/prctl.h>
 #include <errno.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
+
 static int apply_caps = 0;
 static uint64_t caps = 0;
-static int apply_seccomp = 0;
 static unsigned display = 0;
 #define BUFLEN 4096
 
 static void signal_handler(int sig){
         flush_stdin();
 
-        exit(sig);
+        exit(128 + sig);
 }
 
+static void install_handler(void) {
+        struct sigaction sga;
 
+        // handle SIGTERM
+        sigemptyset(&sga.sa_mask);
+        sga.sa_handler = signal_handler;
+        sga.sa_flags = 0;
+        sigaction(SIGTERM, &sga, NULL);
+}
+
+#ifdef HAVE_APPARMOR
+static void extract_apparmor(pid_t pid) {
+        if (checkcfg(CFG_APPARMOR)) {
+                EUID_USER();
+                if (aa_is_enabled() == 1) {
+                        // get pid of next child process
+                        pid_t child;
+                        if (find_child(pid, &child) == 1)
+                                child = pid; // no child, proceed with current pid
+
+                        // get name of AppArmor profile
+                        char *fname;
+                        if (asprintf(&fname, "/proc/%d/attr/current", child) == -1)
+                                errExit("asprintf");
+                        EUID_ROOT();
+                        int fd = open(fname, O_RDONLY|O_CLOEXEC);
+                        EUID_USER();
+                        free(fname);
+                        if (fd == -1)
+                                goto errexit;
+                        char buf[BUFLEN];
+                        ssize_t rv = read(fd, buf, sizeof(buf) - 1);
+                        close(fd);
+                        if (rv < 0)
+                                goto errexit;
+                        buf[rv] = '\0';
+                        // process confined by Firejail's AppArmor policy?
+                        if (strncmp(buf, "firejail-default", 16) == 0)
+                                arg_apparmor = 1;
+                }
+                EUID_ROOT();
+        }
+        return;
+
+errexit:
+        fprintf(stderr, "Error: cannot read /proc file\n");
+        exit(1);
+}
+#endif // HAVE_APPARMOR
 
 static void extract_x11_display(pid_t pid) {
         char *fname;
         if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
                 errExit("asprintf");
 
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         free(fname);
         if (!fp)
                 return;
 
-        if (1 != fscanf(fp, "%d", &display)) {
+        if (1 != fscanf(fp, "%u", &display)) {
                 fprintf(stderr, "Error: cannot read X11 display file\n");
                 fclose(fp);
                 return;
@@ -64,7 +123,7 @@ static void extract_x11_display(pid_t pid) {
 
         // store the display number for join process in /run/firejail/x11
         EUID_ROOT();
-        set_x11_file(getpid(), display);
+        set_x11_run_file(getpid(), display);
         EUID_USER();
 }
 
@@ -88,10 +147,7 @@ static void extract_command(int argc, char **argv, int index) {
         }
 
         // build command
-        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
-
-        if (arg_debug)
-                printf("Extracted command #%s#\n", cfg.command_line);
+        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true);
 }
 
 static void extract_nogroups(pid_t pid) {
@@ -100,21 +156,40 @@ static void extract_nogroups(pid_t pid) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(fname, &s) == -1)
+        if (stat(fname, &s) == -1) {
+                free(fname);
                 return;
+        }
 
         arg_nogroups = 1;
         free(fname);
 }
 
+static void extract_nonewprivs(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_NONEWPRIVS_CFG) == -1)
+                errExit("asprintf");
+
+        struct stat s;
+        if (stat(fname, &s) == -1) {
+                free(fname);
+                return;
+        }
+
+        arg_nonewprivs = 1;
+        free(fname);
+}
+
 static void extract_cpu(pid_t pid) {
         char *fname;
         if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1)
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(fname, &s) == -1)
+        if (stat(fname, &s) == -1) {
+                free(fname);
                 return;
+        }
 
         // there is a CPU_CFG file, load it!
         load_cpu(fname);
@@ -127,48 +202,53 @@ static void extract_cgroup(pid_t pid) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(fname, &s) == -1)
+        if (stat(fname, &s) == -1) {
+                free(fname);
                 return;
+        }
 
         // there is a cgroup file CGROUP_CFG, load it!
         load_cgroup(fname);
         free(fname);
 }
 
-static void extract_caps_seccomp(pid_t pid) {
+static void extract_caps(pid_t pid) {
         // open stat file
         char *file;
         if (asprintf(&file, "/proc/%u/status", pid) == -1) {
                 perror("asprintf");
                 exit(1);
         }
-        FILE *fp = fopen(file, "r");
-        if (!fp) {
-                free(file);
-                fprintf(stderr, "Error: cannot open stat file for process %u\n", pid);
-                exit(1);
-        }
+        FILE *fp = fopen(file, "re");
+        if (!fp)
+                goto errexit;
 
         char buf[BUFLEN];
         while (fgets(buf, BUFLEN - 1, fp)) {
-                if (strncmp(buf, "Seccomp:", 8) == 0) {
-                        char *ptr = buf + 8;
-                        int val;
-                        sscanf(ptr, "%d", &val);
-                        if (val == 2)
-                                apply_seccomp = 1;
-                        break;
-                }
-                else if (strncmp(buf, "CapBnd:", 7) == 0) {
+                if (strncmp(buf, "CapBnd:", 7) == 0) {
                         char *ptr = buf + 7;
                         unsigned long long val;
-                        sscanf(ptr, "%llx", &val);
+                        if (sscanf(ptr, "%llx", &val) != 1)
+                                goto errexit;
                         apply_caps = 1;
                         caps = val;
                 }
+                else if (strncmp(buf, "NoNewPrivs:", 11) == 0) {
+                        char *ptr = buf + 11;
+                        int val;
+                        if (sscanf(ptr, "%d", &val) != 1)
+                                goto errexit;
+                        if (val)
+                                arg_nonewprivs = 1;
+                }
         }
         fclose(fp);
         free(file);
+        return;
+
+errexit:
+        fprintf(stderr, "Error: cannot read stat file for process %u\n", pid);
+        exit(1);
 }
 
 static void extract_user_namespace(pid_t pid) {
@@ -186,7 +266,7 @@ static void extract_user_namespace(pid_t pid) {
         char *uidmap;
         if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1)
                 errExit("asprintf");
-        FILE *fp = fopen(uidmap, "r");
+        FILE *fp = fopen(uidmap, "re");
         if (!fp) {
                 free(uidmap);
                 return;
@@ -205,30 +285,80 @@ static void extract_user_namespace(pid_t pid) {
         free(uidmap);
 }
 
-void join(pid_t pid, int argc, char **argv, int index) {
+static void extract_umask(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_UMASK_FILE) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(fname, "re");
+        free(fname);
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open umask file\n");
+                exit(1);
+        }
+        if (fscanf(fp, "%3o", &orig_umask) != 1) {
+                fprintf(stderr, "Error: cannot read umask\n");
+                exit(1);
+        }
+        fclose(fp);
+}
+
+static int open_shell(void) {
         EUID_ASSERT();
-        char *homedir = cfg.homedir;
-        pid_t parent = pid;
+        assert(cfg.shell);
 
-        extract_command(argc, argv, index);
-        signal (SIGTERM, signal_handler);
+        if (arg_debug)
+                printf("Opening shell %s\n", cfg.shell);
+        // file descriptor will leak if not opened with O_CLOEXEC !!
+        int fd = open(cfg.shell, O_PATH|O_CLOEXEC);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell);
+                exit(1);
+        }
+        return fd;
+}
 
-        // if the pid is that of a firejail  process, use the pid of the first child process
+// return false if the sandbox identified by pid is not fully set up yet or if
+// it is no firejail sandbox at all, return true if the sandbox is complete
+bool is_ready_for_join(const pid_t pid) {
+        EUID_ASSERT();
+        // check if a file /run/firejail/mnt/join exists
+        char *fname;
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_JOIN_FILE) == -1)
+                errExit("asprintf");
         EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
         EUID_USER();
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                                if (!arg_quiet)
-                                        printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
-                        }
-                }
-                free(comm);
+        free(fname);
+        if (fd == -1)
+                return false;
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) {
+                close(fd);
+                return false;
+        }
+        char status;
+        if (read(fd, &status, 1) == 1 && status == SANDBOX_DONE) {
+                close(fd);
+                return true;
         }
+        close(fd);
+        return false;
+}
 
+#define SNOOZE 10000 // sleep interval in microseconds
+void check_join_permission(pid_t pid) {
+        // check if pid belongs to a fully set up firejail sandbox
+        unsigned long i;
+        for (i = SNOOZE; is_ready_for_join(pid) == false; i += SNOOZE) { // give sandbox some time to start up
+                if (i > join_timeout) {
+                        fprintf(stderr, "Error: no valid sandbox\n");
+                        exit(1);
+                }
+                usleep(SNOOZE);
+        }
         // check privileges for non-root users
         uid_t uid = getuid();
         if (uid != 0) {
@@ -238,17 +368,65 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         exit(1);
                 }
         }
+}
+
+pid_t switch_to_child(pid_t pid) {
+        EUID_ASSERT();
+        EUID_ROOT();
+        pid_t rv = pid;
+        errno = 0;
+        char *comm = pid_proc_comm(pid);
+        if (!comm) {
+                if (errno == ENOENT)
+                        fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
+                else
+                        fprintf(stderr, "Error: cannot read /proc file\n");
+                exit(1);
+        }
+        EUID_USER();
+
+        if (strcmp(comm, "firejail") == 0) {
+                if (find_child(pid, &rv) == 1) {
+                        fprintf(stderr, "Error: no valid sandbox\n");
+                        exit(1);
+                }
+                fmessage("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) rv);
+        }
+        free(comm);
+        return rv;
+}
+
+
+
+void join(pid_t pid, int argc, char **argv, int index) {
+        EUID_ASSERT();
+
+        pid_t parent = pid;
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
+
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         extract_x11_display(parent);
 
+        int shfd = -1;
+        if (!arg_shell_none)
+                shfd = open_shell();
+
         EUID_ROOT();
         // in user mode set caps seccomp, cpu, cgroup, etc
         if (getuid() != 0) {
-                extract_caps_seccomp(pid);
+                extract_nonewprivs(pid);  // redundant on Linux >= 4.10; duplicated in function extract_caps
+                extract_caps(pid);
                 extract_cpu(pid);
                 extract_cgroup(pid);
                 extract_nogroups(pid);
                 extract_user_namespace(pid);
+                extract_umask(pid);
+#ifdef HAVE_APPARMOR
+                extract_apparmor(pid);
+#endif
         }
 
         // set cgroup
@@ -279,7 +457,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
         if (child == 0) {
                 // drop discretionary access control capabilities for root sandboxes
                 caps_drop_dac_override();
-                
+
                 // chroot into /proc/PID/root directory
                 char *rootdir;
                 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
@@ -292,37 +470,24 @@ void join(pid_t pid, int argc, char **argv, int index) {
                                 printf("changing root to %s\n", rootdir);
                 }
 
-                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+                EUID_USER();
                 if (chdir("/") < 0)
                         errExit("chdir");
-                if (homedir) {
+                if (cfg.homedir) {
                         struct stat s;
-                        if (stat(homedir, &s) == 0) {
+                        if (stat(cfg.homedir, &s) == 0) {
                                 /* coverity[toctou] */
-                                if (chdir(homedir) < 0)
+                                if (chdir(cfg.homedir) < 0)
                                         errExit("chdir");
                         }
                 }
 
-                // set cpu affinity
-                if (cfg.cpus)   // not available for uid 0
-                        set_cpu_affinity();
-
                 // set caps filter
+                EUID_ROOT();
                 if (apply_caps == 1)    // not available for uid 0
                         caps_set(caps);
-#ifdef HAVE_SECCOMP
-                // read cfg.protocol from file
                 if (getuid() != 0)
-                        protocol_filter_load(RUN_PROTOCOL_CFG);
-                if (cfg.protocol) {     // not available for uid 0
-                        seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter
-                }
-
-                // set seccomp filter
-                if (apply_seccomp == 1) // not available for uid 0
-                        seccomp_load(RUN_SECCOMP_CFG);
-#endif
+                        seccomp_load_file_list();
 
                 // mount user namespace or drop privileges
                 if (arg_noroot) {       // not available for uid 0
@@ -336,37 +501,15 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         if (apply_caps == 1)    // not available for uid 0
                                 caps_set(caps);
                 }
-                else
-                        drop_privs(arg_nogroups);       // nogroups not available for uid 0
-
 
-                // set nice
-                if (arg_nice) {
-                        errno = 0;
-                        int rv = nice(cfg.nice);
-                        (void) rv;
-                        if (errno) {
-                                fwarning("cannot set nice value\n");
-                                errno = 0;
-                        }
-                }
-
-                // set environment, add x11 display
-                env_defaults();
-                if (display) {
-                        char *display_str;
-                        if (asprintf(&display_str, ":%d", display) == -1)
-                                errExit("asprintf");
-                        setenv("DISPLAY", display_str, 1);
-                        free(display_str);
-                }
-
-                if (cfg.command_line == NULL) {
-                        assert(cfg.shell);
-                        cfg.command_line = cfg.shell;
-                        cfg.window_title = cfg.shell;
+                // set nonewprivs
+                if (arg_nonewprivs == 1) {      // not available for uid 0
+                        int rv = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+                        if (arg_debug && rv == 0)
+                                printf("NO_NEW_PRIVS set\n");
                 }
 
+                EUID_USER();
                 int cwd = 0;
                 if (cfg.cwd) {
                         if (chdir(cfg.cwd) == 0)
@@ -386,13 +529,84 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         }
                 }
 
-                start_application(0);
+                // drop privileges
+                drop_privs(arg_nogroups);
+
+                // kill the child in case the parent died
+                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
-                // it will never get here!!!
+#ifdef HAVE_APPARMOR
+                set_apparmor();
+#endif
+
+                extract_command(argc, argv, index);
+                if (cfg.command_line == NULL) {
+                        assert(cfg.shell);
+                        cfg.window_title = cfg.shell;
+                }
+                else if (arg_debug)
+                        printf("Extracted command #%s#\n", cfg.command_line);
+
+                // set cpu affinity
+                if (cfg.cpus)   // not available for uid 0
+                        set_cpu_affinity();
+
+                // add x11 display
+                if (display) {
+                        char *display_str;
+                        if (asprintf(&display_str, ":%d", display) == -1)
+                                errExit("asprintf");
+                        env_store_name_val("DISPLAY", display_str, SETENV);
+                        free(display_str);
+                }
+
+#ifdef HAVE_DBUSPROXY
+                // set D-Bus environment variables
+                struct stat s;
+                if (stat(RUN_DBUS_USER_SOCKET, &s) == 0)
+                        dbus_set_session_bus_env();
+                if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0)
+                        dbus_set_system_bus_env();
+#endif
+
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
+
+                start_application(0, shfd, NULL);
+
+                __builtin_unreachable();
         }
+        EUID_USER();
+        if (shfd != -1)
+                close(shfd);
+
+        int status = 0;
+        //*****************************
+        // following code is signal-safe
+
+        install_handler();
 
         // wait for the child to finish
-        waitpid(child, NULL, 0);
+        waitpid(child, &status, 0);
+
+        // restore default signal action
+        signal(SIGTERM, SIG_DFL);
+
+        // end of signal-safe code
+        //*****************************
+
+        if (WIFEXITED(status)) {
+                // if we had a proper exit, return that exit status
+                status = WEXITSTATUS(status);
+        } else if (WIFSIGNALED(status)) {
+                // distinguish fatal signals by adding 128
+                status = 128 + WTERMSIG(status);
+        } else {
+                status = -1;
+        }
+
         flush_stdin();
-        exit(0);
+        exit(status);
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 7b994b835..70985ba9e 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
@@ -26,6 +27,7 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <grp.h>
+#include <fcntl.h>
 //#include <dirent.h>
 //#include <stdio.h>
 //#include <stdlib.h>
@@ -34,18 +36,12 @@
 static uid_t c_uid = 0;
 static char *c_uid_name = NULL;
 
-static void print_file_or_dir(const char *path, const char *fname, int separator) {
+static void print_file_or_dir(const char *path, const char *fname) {
         assert(fname);
 
         char *name;
-        if (separator) {
-                if (asprintf(&name, "%s/%s", path, fname) == -1)
-                        errExit("asprintf");
-        }
-        else {
-                if (asprintf(&name, "%s%s", path, fname) == -1)
-                        errExit("asprintf");
-        }
+        if (asprintf(&name, "%s/%s", path, fname) == -1)
+                errExit("asprintf");
 
         struct stat s;
         if (stat(name, &s) == -1) {
@@ -54,6 +50,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
                         return;
                 }
         }
+        free(name);
 
         // permissions
         if (S_ISLNK(s.st_mode))
@@ -177,14 +174,83 @@ static void print_directory(const char *path) {
         if (n < 0)
                         errExit("scandir");
         else {
-                for (i = 0; i < n; i++) {
-                        print_file_or_dir(path, namelist[i]->d_name, 0);
+                for (i = 0; i < n; i++)
+                        print_file_or_dir(path, namelist[i]->d_name);
+                // get rid of false psitive reported by GCC -fanalyze
+                for (i = 0; i < n; i++)
                         free(namelist[i]);
-                }
         }
         free(namelist);
 }
 
+void ls(const char *path) {
+        EUID_ASSERT();
+        assert(path);
+
+        char *rp = realpath(path, NULL);
+        if (!rp || access(rp, R_OK) == -1) {
+                fprintf(stderr, "Error: cannot access %s\n", path);
+                exit(1);
+        }
+        if (arg_debug)
+                printf("ls %s\n", rp);
+
+        // list directory contents
+        struct stat s;
+        if (stat(rp, &s) == -1) {
+                fprintf(stderr, "Error: cannot access %s\n", rp);
+                exit(1);
+        }
+        if (S_ISDIR(s.st_mode))
+                print_directory(rp);
+        else {
+                char *split = strrchr(rp, '/');
+                if (split) {
+                        *split = '\0';
+                        char *rp2 = split + 1;
+                        if (arg_debug)
+                                printf("path %s, file %s\n", rp, rp2);
+                        print_file_or_dir(rp, rp2);
+                }
+        }
+        free(rp);
+}
+
+void cat(const char *path) {
+        EUID_ASSERT();
+        assert(path);
+
+        if (arg_debug)
+                printf("cat %s\n", path);
+        FILE *fp = fopen(path, "re");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot read %s\n", path);
+                exit(1);
+        }
+        int fd = fileno(fp);
+        if (fd == -1)
+                errExit("fileno");
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                fprintf(stderr, "Error: %s is not a regular file\n", path);
+                exit(1);
+        }
+        bool tty = isatty(STDOUT_FILENO);
+
+        int c;
+        while ((c = fgetc(fp)) != EOF) {
+                // file is untrusted
+                // replace control characters when printing to a terminal
+                if (tty && c != '\t' && c != '\n' && iscntrl((unsigned char) c))
+                        c = '?';
+                fputc(c, stdout);
+        }
+        fflush(stdout);
+        fclose(fp);
+}
+
 char *expand_path(const char *path) {
         char *fname = NULL;
         if (*path == '/') {
@@ -198,6 +264,10 @@ char *expand_path(const char *path) {
         }
         else {
                 // assume the file is in current working directory
+                if (!cfg.cwd) {
+                        fprintf(stderr, "Error: current working directory has been deleted\n");
+                        exit(1);
+                }
                 if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1)
                         errExit("asprintf");
         }
@@ -206,40 +276,58 @@ char *expand_path(const char *path) {
 
 void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
         EUID_ASSERT();
+        assert(path1);
 
-        // if the pid is that of a firejail  process, use the pid of the first child process
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                        }
-                }
-                free(comm);
-        }
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
 
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         // expand paths
-        char *fname1 = expand_path(path1);;
+        char *fname1 = expand_path(path1);
         char *fname2 = NULL;
         if (path2 != NULL) {
                 fname2 = expand_path(path2);
         }
         if (arg_debug) {
                 printf("file1 %s\n", fname1);
-                printf("file2 %s\n", fname2);
+                printf("file2 %s\n", fname2 ? fname2 : "(null)");
+        }
+
+        // get file from sandbox and store it in the current directory
+        // implemented using --cat
+        if (op == SANDBOX_FS_GET) {
+                char *dest_fname = strrchr(fname1, '/');
+                if (!dest_fname || *(++dest_fname) == '\0') {
+                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
+                        exit(1);
+                }
+                // create destination file if necessary
+                EUID_ASSERT();
+                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
+                if (fd == -1) {
+                        fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
+                        exit(1);
+                }
+                struct stat s;
+                if (fstat(fd, &s) == -1)
+                        errExit("fstat");
+                if (!S_ISREG(s.st_mode)) {
+                        fprintf(stderr, "Error: %s is no regular file\n", dest_fname);
+                        exit(1);
+                }
+                if (ftruncate(fd, 0) == -1)
+                        errExit("ftruncate");
+                // go quiet - messages on stdout will corrupt the file
+                arg_debug = 0;
+                arg_quiet = 1;
+                // redirection
+                if (dup2(fd, STDOUT_FILENO) == -1)
+                        errExit("dup2");
+                assert(fd != STDOUT_FILENO);
+                close(fd);
+                op = SANDBOX_FS_CAT;
         }
 
         // sandbox root directory
@@ -247,7 +335,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
         if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
                 errExit("asprintf");
 
-        if (op == SANDBOX_FS_LS) {
+        if (op == SANDBOX_FS_LS || op == SANDBOX_FS_CAT) {
                 EUID_ROOT();
                 // chroot
                 if (chroot(rootdir) < 0)
@@ -258,130 +346,12 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 // drop privileges
                 drop_privs(0);
 
-                // check access
-                if (access(fname1, R_OK) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
-                        exit(1);
-                }
-                /* coverity[toctou] */
-                char *rp = realpath(fname1, NULL);
-                if (!rp) {
-                        fprintf(stderr, "Error: Cannot access %s\n", fname1);
-                        exit(1);
-                }
-                if (arg_debug)
-                        printf("realpath %s\n", rp);
-
+                if (op == SANDBOX_FS_LS)
+                        ls(fname1);
+                else
+                        cat(fname1);
 
-                // list directory contents
-                struct stat s;
-                if (stat(rp, &s) == -1) {
-                        fprintf(stderr, "Error: Cannot access %s\n", rp);
-                        exit(1);
-                }
-                if (S_ISDIR(s.st_mode)) {
-                        char *dir;
-                        if (asprintf(&dir, "%s/", rp) == -1)
-                                errExit("asprintf");
-
-                        print_directory(dir);
-                        free(dir);
-                }
-                else {
-                        char *split = strrchr(rp, '/');
-                        if (split) {
-                                *split = '\0';
-                                char *rp2 = split + 1;
-                                if (arg_debug)
-                                        printf("path %s, file %s\n", rp, rp2);
-                                print_file_or_dir(rp, rp2, 1);
-                        }
-                }
-                free(rp);
-        }
-
-        // get file from sandbox and store it in the current directory
-        else if (op == SANDBOX_FS_GET) {
-                char *src_fname =fname1;
-                char *dest_fname = strrchr(fname1, '/');
-                if (!dest_fname || *(++dest_fname) == '\0') {
-                        fprintf(stderr, "Error: invalid file name %s\n", fname1);
-                        exit(1);
-                }
-
-                EUID_ROOT();
-                if (arg_debug)
-                        printf("copy %s to %s\n", src_fname, dest_fname);
-
-                // create a user-owned temporary file in /run/firejail directory
-                char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
-                int fd = mkstemp(tmp_fname);
-                if (fd != -1) {
-                        SET_PERMS_FD(fd, getuid(), getgid(), 0600);
-                        close(fd);
-                }
-
-                // copy the source file into the temporary file - we need to chroot
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // chroot
-                        if (chroot(rootdir) < 0)
-                                errExit("chroot");
-                        if (chdir("/") < 0)
-                                errExit("chdir");
-
-                        // drop privileges
-                        drop_privs(0);
-
-                        // copy the file
-                        if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
-                                _exit(1);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-
-                // wait for the child to finish
-                int status = 0;
-                waitpid(child, &status, 0);
-                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else {
-                        unlink(tmp_fname);
-                        exit(1);
-                }
-
-                // copy the temporary file into the destionation file
-                child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        // copy the file
-                        if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
-                                _exit(1);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-
-                // wait for the child to finish
-                status = 0;
-                waitpid(child, &status, 0);
-                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else {
-                        unlink(tmp_fname);
-                        exit(1);
-                }
-
-                // remove the temporary file
-                unlink(tmp_fname);
-                EUID_USER();
+                __gcov_flush();
         }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
@@ -413,9 +383,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
@@ -428,7 +398,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         exit(1);
                 }
 
-                // copy the temporary file into the destionation file
+                // copy the temporary file into the destination file
                 child = fork();
                 if (child < 0)
                         errExit("fork");
@@ -445,9 +415,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
new file mode 100644
index 000000000..cd29d8f85
--- /dev/null
+++ b/src/firejail/macros.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <sys/stat.h>
+#define MAXBUF 4098
+
+typedef struct macro_t {
+        char *name;     // macro name
+        char *xdg;              // xdg line in ~/.config/user-dirs.dirs
+#define MAX_TRANSLATIONS 3      // several translations in case ~/.config/user-dirs.dirs not found
+        char *translation[MAX_TRANSLATIONS];
+} Macro;
+
+Macro macro[] = {
+        {
+                "${DOWNLOADS}",
+                "XDG_DOWNLOAD_DIR=\"$HOME/",
+                { "Downloads", "Загрузки", "Téléchargement" }
+        },
+
+        {
+                "${MUSIC}",
+                "XDG_MUSIC_DIR=\"$HOME/",
+                {"Music", "Музыка", "Musique"}
+        },
+
+        {
+                "${VIDEOS}",
+                "XDG_VIDEOS_DIR=\"$HOME/",
+                {"Videos", "Видео", "Vidéos"}
+        },
+
+        {
+                "${PICTURES}",
+                "XDG_PICTURES_DIR=\"$HOME/",
+                {"Pictures", "Изображения", "Photos"}
+        },
+
+        {
+                "${DESKTOP}",
+                "XDG_DESKTOP_DIR=\"$HOME/",
+                {"Desktop", "Рабочий стол", "Bureau"}
+        },
+
+        {
+                "${DOCUMENTS}",
+                "XDG_DOCUMENTS_DIR=\"$HOME/",
+                {"Documents", "Документы", "Documents"}
+        },
+
+        { 0 }
+};
+
+// return -1 if not found
+int macro_id(const char *name) {
+        int i = 0;
+        while (macro[i].name != NULL) {
+                if (strcmp(name, macro[i].name) == 0)
+                        return i;
+                i++;
+        }
+
+        return -1;
+}
+
+int is_macro(const char *name) {
+        assert(name);
+        int len = strlen(name);
+        if (len <= 4)
+                return 0;
+        if (*name == '$' && name[1] == '{' && name[len - 1] == '}')
+                return 1;
+        return 0;
+}
+
+// returns mallocated memory
+static char *resolve_xdg(const char *var) {
+        EUID_ASSERT();
+        char *fname;
+        struct stat s;
+        size_t length = strlen(var);
+
+        if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(fname, "re");
+        if (!fp) {
+                free(fname);
+                return NULL;
+        }
+        free(fname);
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                char *ptr = buf;
+
+                // skip blanks
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                if (*ptr == '\0' || *ptr == '\n' || *ptr == '#')
+                        continue;
+
+                if (strncmp(ptr, var, length) == 0) {
+                        char *ptr1 = ptr + length;
+                        char *ptr2 = strchr(ptr1, '"');
+                        if (ptr2) {
+                                fclose(fp);
+                                *ptr2 = '\0';
+                                if (strlen(ptr1) != 0) {
+                                        if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
+                                                errExit("asprintf");
+
+                                        if (stat(fname, &s) == -1) {
+                                                free(fname);
+                                                return NULL;
+                                        }
+                                        free(fname);
+
+                                        char *rv = strdup(ptr1);
+                                        if (!rv)
+                                                errExit(ptr1);
+                                        return rv;
+                                }
+                                else
+                                        return NULL;
+                        }
+                }
+        }
+
+        fclose(fp);
+        return NULL;
+}
+
+// returns mallocated memory
+static char *resolve_hardcoded(char *entries[]) {
+        EUID_ASSERT();
+        char *fname;
+        struct stat s;
+
+        int i = 0;
+        while (entries[i] != NULL) {
+                if (asprintf(&fname, "%s/%s", cfg.homedir, entries[i]) == -1)
+                        errExit("asprintf");
+
+                if (stat(fname, &s) == 0) {
+                        free(fname);
+                        char *rv = strdup(entries[i]);
+                        if (!rv)
+                                errExit("strdup");
+                        return rv;
+                }
+                free(fname);
+                i++;
+        }
+
+        return NULL;
+}
+
+// returns mallocated memory
+char *resolve_macro(const char *name) {
+        char *rv = NULL;
+        int id = macro_id(name);
+        if (id == -1)
+                return NULL;
+
+        rv = resolve_xdg(macro[id].xdg);
+        if (rv == NULL)
+                rv = resolve_hardcoded(macro[id].translation);
+        if (rv && arg_debug)
+                printf("Directory %s resolved as %s\n", name, rv);
+
+        return rv;
+}
+
+// This function takes a pathname supplied by the user and expands '~' and
+// '${HOME}' at the start, to refer to a path relative to the user's home
+// directory (supplied).
+// The return value is allocated using malloc and must be freed by the caller.
+// The function returns NULL if there are any errors.
+char *expand_macros(const char *path) {
+        assert(path);
+
+        int called_as_root = 0;
+
+        if(geteuid() == 0)
+                called_as_root = 1;
+
+        if(called_as_root) {
+                EUID_USER();
+        }
+
+        EUID_ASSERT();
+
+        // Replace home macro
+        char *new_name = NULL;
+        if (strncmp(path, "$HOME", 5) == 0) {
+                fprintf(stderr, "Error: $HOME is not allowed in profile files, please replace it with ${HOME}\n");
+                exit(1);
+        }
+        else if (strncmp(path, "${HOME}", 7) == 0) {
+                if (asprintf(&new_name, "%s%s", cfg.homedir, path + 7) == -1)
+                        errExit("asprintf");
+                if(called_as_root)
+                        EUID_ROOT();
+                return new_name;
+        }
+        else if (*path == '~') {
+                if (asprintf(&new_name, "%s%s", cfg.homedir, path + 1) == -1)
+                        errExit("asprintf");
+                if(called_as_root)
+                        EUID_ROOT();
+                return new_name;
+        }
+        else if (strncmp(path, "${CFG}", 6) == 0) {
+                if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1)
+                        errExit("asprintf");
+                if(called_as_root)
+                        EUID_ROOT();
+                return new_name;
+        }
+        else if (strncmp(path, "${RUNUSER}", 10) == 0) {
+                if (asprintf(&new_name, "/run/user/%u%s", getuid(), path + 10) == -1)
+                        errExit("asprintf");
+                if(called_as_root)
+                        EUID_ROOT();
+                return new_name;
+        }
+        else {
+                char *directory = resolve_macro(path);
+                if (directory) {
+                        if (asprintf(&new_name, "%s/%s", cfg.homedir, directory) == -1)
+                                errExit("asprintf");
+                        if(called_as_root)
+                                EUID_ROOT();
+                        free(directory);
+                        return new_name;
+                }
+        }
+
+        char *rv = strdup(path);
+        if (!rv)
+                errExit("strdup");
+
+        if(called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+// replace control characters with a '?'
+static char *fix_control_chars(const char *fname) {
+        assert(fname);
+
+        size_t len = strlen(fname);
+        char *rv = malloc(len + 1);
+        if (!rv)
+                errExit("malloc");
+
+        size_t i = 0;
+        while (fname[i] != '\0') {
+                if (iscntrl((unsigned char) fname[i]))
+                        rv[i] = '?';
+                else
+                        rv[i] = fname[i];
+                i++;
+        }
+        rv[i] = '\0';
+
+        return rv;
+}
+
+void invalid_filename(const char *fname, int globbing) {
+//      EUID_ASSERT();
+        assert(fname);
+        const char *ptr = fname;
+
+        if (strncmp(ptr, "${HOME}", 7) == 0)
+                ptr = fname + 7;
+        else if (strncmp(ptr, "${PATH}", 7) == 0)
+                ptr = fname + 7;
+        else if (strncmp(ptr, "${RUNUSER}", 10) == 0)
+                ptr = fname + 10;
+        else {
+                int id = macro_id(fname);
+                if (id != -1)
+                        return;
+        }
+
+        size_t i = 0;
+        while (ptr[i] != '\0') {
+                if (iscntrl((unsigned char) ptr[i])) {
+                        char *new = fix_control_chars(fname);
+                        fprintf(stderr, "Error: \"%s\" is an invalid filename: no control characters allowed\n", new);
+                        exit(1);
+                }
+                i++;
+        }
+
+        char *reject;
+        if (globbing)
+                reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
+        else
+                reject = "\\&!?\"'<>%^{};,*[]";
+        char *c = strpbrk(ptr, reject);
+        if (c) {
+                fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
+                exit(1);
+        }
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e83bc899f..81d148257 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,17 +19,20 @@
  */
 #include "firejail.h"
 #include "../include/pid.h"
+#include "../include/firejail_user.h"
+#include "../include/gcov_wrapper.h"
+#include "../include/syscall.h"
+#include "../include/seccomp.h"
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
-#include <fcntl.h>
 #include <dirent.h>
 #include <pwd.h>
 #include <errno.h>
-#include <limits.h>
+//#include <limits.h>
 #include <sys/file.h>
 #include <sys/prctl.h>
 #include <signal.h>
@@ -37,18 +40,34 @@
 #include <net/if.h>
 #include <sys/utsname.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#ifdef __ia64__
+/* clone(2) has a different interface on ia64, as it needs to know
+   the size of the stack */
+int __clone2(int (*fn)(void *),
+             void *child_stack_base, size_t stack_size,
+             int flags, void *arg, ...
+              /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ );
+#endif
+
 uid_t firejail_uid = 0;
 gid_t firejail_gid = 0;
 
 #define STACK_SIZE (1024 * 1024)
-static char child_stack[STACK_SIZE];            // space for child's stack
+#define STACK_ALIGNMENT 16
+static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT)));          // space for child's stack
+
 Config cfg;                                     // configuration
 int arg_private = 0;                            // mount private /home and /tmp directoryu
-int arg_private_template = 0; // mount private /home using a template
+int arg_private_cache = 0;              // mount private home/.cache
 int arg_debug = 0;                              // print debug messages
-int arg_debug_check_filename = 0;               // print debug messages for filename checking
 int arg_debug_blacklists = 0;                   // print debug messages for blacklists
 int arg_debug_whitelists = 0;                   // print debug messages for whitelists
+int arg_debug_private_lib = 0;                  // print debug messages for private-lib
 int arg_nonetwork = 0;                          // --net=none
 int arg_command = 0;                            // -c
 int arg_overlay = 0;                            // overlay option
@@ -56,8 +75,10 @@ int arg_overlay_keep = 0;			// place overlay diff in a known directory
 int arg_overlay_reuse = 0;                      // allow the reuse of overlays
 
 int arg_seccomp = 0;                            // enable default seccomp filter
+int arg_seccomp32 = 0;                          // enable default seccomp filter for 32 bit arch
 int arg_seccomp_postexec = 0;                   // need postexec ld.preload library?
 int arg_seccomp_block_secondary = 0;            // block any secondary architectures
+int arg_seccomp_error_action = 0;
 
 int arg_caps_default_filter = 0;                        // enable default capabilities filter
 int arg_caps_drop = 0;                          // drop list
@@ -66,11 +87,14 @@ int arg_caps_keep = 0;			// keep list
 char *arg_caps_list = NULL;                     // optional caps list
 
 int arg_trace = 0;                              // syscall tracing support
+char *arg_tracefile = NULL;                     // syscall tracing file
 int arg_tracelog = 0;                           // blacklist tracing support
+int arg_rlimit_cpu = 0;                         // rlimit max cpu time
 int arg_rlimit_nofile = 0;                      // rlimit nofile
 int arg_rlimit_nproc = 0;                       // rlimit nproc
 int arg_rlimit_fsize = 0;                               // rlimit fsize
 int arg_rlimit_sigpending = 0;                  // rlimit fsize
+int arg_rlimit_as = 0;                          // rlimit as
 int arg_nogroups = 0;                           // disable supplementary groups
 int arg_nonewprivs = 0;                 // set the NO_NEW_PRIVS prctl
 int arg_noroot = 0;                             // create a new user namespace and disable root user
@@ -82,14 +106,16 @@ char *arg_netns = NULL;			// "ip netns"-created network namespace to use
 int arg_doubledash = 0;                 // double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
+int arg_keep_dev_shm = 0;                       // preserve /dev/shm
 int arg_private_etc = 0;                        // private etc directory
 int arg_private_opt = 0;                        // private opt directory
 int arg_private_srv = 0;                        // private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
 int arg_private_lib = 0;                        // private lib directory
+int arg_private_cwd = 0;                        // private working directory
 int arg_scan = 0;                               // arp-scan all interfaces
-int arg_whitelist = 0;                          // whitelist commad
+int arg_whitelist = 0;                          // whitelist command
 int arg_nosound = 0;                            // disable sound
 int arg_novideo = 0;                    //disable video devices in /dev
 int arg_no3d;                                   // disable 3d hardware acceleration
@@ -99,16 +125,16 @@ int arg_join_filesystem = 0;			// join only the mount namespace
 int arg_nice = 0;                               // nice value configured
 int arg_ipc = 0;                                        // enable ipc namespace
 int arg_writable_etc = 0;                       // writable etc
+int arg_keep_config_pulse = 0;                  // disable automatic ~/.config/pulse init
 int arg_writable_var = 0;                       // writable var
+int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;                  // writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
-int arg_audit = 0;                              // audit
-char *arg_audit_prog = NULL;                    // audit
 int arg_apparmor = 0;                           // apparmor
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
-int arg_x11_xorg = 0;                           // use X11 security extention
+int arg_x11_xorg = 0;                           // use X11 security extension
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0;            // blacklist things in private directories
@@ -117,9 +143,16 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int arg_notv = 0;       // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_nou2f = 0; // --nou2f
+int arg_noinput = 0; // --noinput
+int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
+DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
+DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
+const char *arg_dbus_log_file = NULL;
+int arg_dbus_log_user = 0;
+int arg_dbus_log_system = 0;
 int login_shell = 0;
 
-
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
 
@@ -127,84 +160,65 @@ char *fullargv[MAX_ARGS];			// expanded argv for restricted shell
 int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
-unsigned long long start_timestamp;
-
-static void set_name_file(pid_t pid);
-static void delete_name_file(pid_t pid);
-static void delete_profile_file(pid_t pid);
-static void delete_x11_file(pid_t pid);
-
-void clear_run_files(pid_t pid) {
-        bandwidth_del_run_file(pid);            // bandwidth file
-        network_del_run_file(pid);              // network map file
-        delete_name_file(pid);
-        delete_profile_file(pid);
-        delete_x11_file(pid);
-}
+mode_t orig_umask = 022;
 
 static void clear_atexit(void) {
         EUID_ROOT();
-        clear_run_files(getpid());
+        delete_run_files(getpid());
 }
 
 static void myexit(int rv) {
         logmsg("exiting...");
-        if (!arg_command && !arg_quiet)
-                printf("\nParent is shutting down, bye...\n");
+        if (!arg_command)
+                fmessage("\nParent is shutting down, bye...\n");
 
 
         // delete sandbox files in shared memory
+#ifdef HAVE_DBUSPROXY
+        dbus_proxy_stop();
+#endif
         EUID_ROOT();
-        clear_run_files(sandbox_pid);
+        delete_run_files(sandbox_pid);
         appimage_clear();
         flush_stdin();
         exit(rv);
 }
 
-static void my_handler(int s){
-        EUID_ROOT();
-        if (!arg_quiet) {
-                printf("\nParent received signal %d, shutting down the child process...\n", s);
-                fflush(0);
-        }
+static void my_handler(int s) {
+        fmessage("\nParent received signal %d, shutting down the child process...\n", s);
         logsignal(s);
-        kill(child, SIGTERM);
-        myexit(1);
-}
-
-static pid_t extract_pid(const char *name) {
-        EUID_ASSERT();
-        if (!name || strlen(name) == 0) {
-                fprintf(stderr, "Error: invalid sandbox name\n");
-                exit(1);
-        }
 
-        pid_t pid;
-        EUID_ROOT();
-        if (name2pid(name, &pid)) {
-                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
-                exit(1);
+        if (waitpid(child, NULL, WNOHANG) == 0) {
+                // child is pid 1 of a pid namespace:
+                // signals are not delivered if there is no handler yet
+                if (has_handler(child, s))
+                        kill(child, s);
+                else
+                        kill(child, SIGKILL);
+                waitpid(child, NULL, 0);
         }
-        EUID_USER();
-        return pid;
+        myexit(128 + s);
 }
 
-
-static pid_t read_pid(const char *str) {
-        char *endptr;
-        errno = 0;
-        long int pidtmp = strtol(str, &endptr, 10);
-        if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN))
-                || (errno != 0 && pidtmp == 0)) {
-                return extract_pid(str);
-        }
-        // endptr points to '\0' char in str if the entire string is valid
-        if (endptr == NULL || endptr[0]!='\0') {
-                return extract_pid(str);
-        }
-        return (pid_t)pidtmp;
+static void install_handler(void) {
+        struct sigaction sga;
+
+        // block SIGTERM while handling SIGINT
+        sigemptyset(&sga.sa_mask);
+        sigaddset(&sga.sa_mask, SIGTERM);
+        sga.sa_handler = my_handler;
+        sga.sa_flags = 0;
+        sigaction(SIGINT, &sga, NULL);
+
+        // block SIGINT while handling SIGTERM
+        sigemptyset(&sga.sa_mask);
+        sigaddset(&sga.sa_mask, SIGINT);
+        sga.sa_handler = my_handler;
+        sga.sa_flags = 0;
+        sigaction(SIGTERM, &sga, NULL);
 }
 
+
 // init configuration
 static void init_cfg(int argc, char **argv) {
         EUID_ASSERT();
@@ -227,23 +241,55 @@ static void init_cfg(int argc, char **argv) {
         if (!cfg.username)
                 errExit("strdup");
 
-        // build home directory name
-        cfg.homedir = NULL;
-        if (pw->pw_dir != NULL) {
-                cfg.homedir = strdup(pw->pw_dir);
-                if (!cfg.homedir)
-                        errExit("strdup");
+        // check user database
+        if (!firejail_user_check(cfg.username)) {
+                fprintf(stderr, "Error: the user is not allowed to use Firejail.\n"
+                        "Please add the user in %s/firejail.users file,\n"
+                        "either by running \"sudo firecfg\", or by editing the file directly.\n"
+                        "See \"man firejail-users\" for more details.\n\n", SYSCONFDIR);
+
+                // attempt to run the program as is
+                run_symlink(argc, argv, 1);
+                exit(1);
         }
-        else {
+
+        cfg.cwd = getcwd(NULL, 0);
+        if (!cfg.cwd && errno != ENOENT)
+                errExit("getcwd");
+
+        // build home directory name
+        if (pw->pw_dir == NULL) {
                 fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
                 exit(1);
         }
-        cfg.cwd = getcwd(NULL, 0);
+        check_homedir(pw->pw_dir);
+        cfg.homedir = clean_pathname(pw->pw_dir);
 
         // initialize random number generator
         sandbox_pid = getpid();
         time_t t = time(NULL);
         srand(t ^ sandbox_pid);
+
+        arg_seccomp_error_action = EPERM;
+        cfg.seccomp_error_action = "EPERM";
+}
+
+static void fix_single_std_fd(int fd, const char *file, int flags) {
+        struct stat s;
+        if (fstat(fd, &s) == -1 && errno == EBADF) {
+                // something is wrong with fd, probably it is not opened
+                int nfd = open(file, flags);
+                if (nfd != fd || fstat(fd, &s) != 0)
+                        _exit(1); // no further attempts to fix the situation
+        }
+}
+
+// glibc does this automatically if Firejail was started by a regular user
+// run this for root user and as a fallback
+static void fix_std_streams(void) {
+        fix_single_std_fd(0, "/dev/full", O_RDONLY|O_NOFOLLOW);
+        fix_single_std_fd(1, "/dev/null", O_WRONLY|O_NOFOLLOW);
+        fix_single_std_fd(2, "/dev/null", O_WRONLY|O_NOFOLLOW);
 }
 
 static void check_network(Bridge *br) {
@@ -253,7 +299,7 @@ static void check_network(Bridge *br) {
         else if (br->ipsandbox) { // for macvlan check network range
                 char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
                 if (rv) {
-                        fprintf(stderr, "%s", rv);
+                        fprintf(stderr, "%s\n", rv);
                         exit(1);
                 }
         }
@@ -314,16 +360,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifdef HAVE_OVERLAYFS
         else if (strcmp(argv[i], "--overlay-clean") == 0) {
                 if (checkcfg(CFG_OVERLAYFS)) {
-                        char *path;
-                        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
-                                errExit("asprintf");
-                        EUID_ROOT();
-                        if (setreuid(0, 0) < 0 ||
-                            setregid(0, 0) < 0)
-                                errExit("setreuid/setregid");
-                        errno = 0;
-                        if (remove_directory(path))
-                                errExit("remove_directory");
+                        if (remove_overlay_directory()) {
+                                fprintf(stderr, "Error: cannot remove overlay directory\n");
+                                exit(1);
+                        }
                 }
                 else
                         exit_err_feature("overlayfs");
@@ -419,21 +459,40 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         }
 
                         // extract pid or sandbox name
-                        pid_t pid = read_pid(argv[i] + 12);
+                        pid_t pid = require_pid(argv[i] + 12);
                         bandwidth_pid(pid, cmd, dev, down, up);
                 }
                 else
                         exit_err_feature("networking");
                 exit(0);
         }
+        else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) {
+                // extract pid or sandbox name
+                pid_t pid = require_pid(argv[i] + 18);
+                netfilter_print(pid, 0);
+                exit(0);
+        }
+        else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) {
+                // extract pid or sandbox name
+                pid_t pid = require_pid(argv[i] + 19);
+                netfilter_print(pid, 1);
+                exit(0);
+        }
 #endif
         //*************************************
         // independent commands - the program will exit!
         //*************************************
-#ifdef HAVE_SECCOMP
         else if (strcmp(argv[i], "--debug-syscalls") == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
-                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls");
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls");
+                        exit(rv);
+                }
+                else
+                        exit_err_feature("seccomp");
+        }
+        else if (strcmp(argv[i], "--debug-syscalls32") == 0) {
+                if (checkcfg(CFG_SECCOMP)) {
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls32");
                         exit(rv);
                 }
                 else
@@ -441,7 +500,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
         else if (strcmp(argv[i], "--debug-errnos") == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
-                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos");
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-errnos");
                         exit(rv);
                 }
                 else
@@ -451,7 +510,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid = read_pid(argv[i] + 16);
+                        pid_t pid = require_pid(argv[i] + 16);
                         seccomp_print_filter(pid);
                 }
                 else
@@ -459,28 +518,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
         else if (strcmp(argv[i], "--debug-protocols") == 0) {
-                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols");
+                int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-protocols");
                 exit(rv);
         }
         else if (strncmp(argv[i], "--protocol.print=", 17) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         // print seccomp filter for a sandbox specified by pid or by name
-                        pid_t pid = read_pid(argv[i] + 17);
+                        pid_t pid = require_pid(argv[i] + 17);
                         protocol_print_filter(pid);
                 }
                 else
                         exit_err_feature("seccomp");
                 exit(0);
         }
-#endif
         else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
-                pid_t pid = read_pid(argv[i] + 16);
+                pid_t pid = require_pid(argv[i] + 16);
 
                 // print /run/firejail/profile/<PID> file
                 char *fname;
                 if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1)
                         errExit("asprintf");
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 if (!fp) {
                         fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16);
                         exit(1);
@@ -491,29 +549,39 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         printf("%s", buf);
                 fclose(fp);
                 exit(0);
-                
+
         }
         else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
                 // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 12);
+                pid_t pid = require_pid(argv[i] + 12);
                 cpu_print_filter(pid);
                 exit(0);
         }
+        else if (strncmp(argv[i], "--apparmor.print=", 17) == 0) {
+                // join sandbox by pid or by name
+                pid_t pid = require_pid(argv[i] + 17);
+                char *pidstr;
+                if (asprintf(&pidstr, "%u", pid) == -1)
+                        errExit("asprintf");
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIREMON, "--apparmor", pidstr);
+                free(pidstr);
+                exit(0);
+        }
         else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                 // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 13);
+                pid_t pid = require_pid(argv[i] + 13);
                 caps_print_filter(pid);
                 exit(0);
         }
         else if (strncmp(argv[i], "--fs.print=", 11) == 0) {
                 // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 11);
+                pid_t pid = require_pid(argv[i] + 11);
                 fs_logger_print_log(pid);
                 exit(0);
         }
         else if (strncmp(argv[i], "--dns.print=", 12) == 0) {
                 // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 12);
+                pid_t pid = require_pid(argv[i] + 12);
                 net_dns_print(pid);
                 exit(0);
         }
@@ -523,21 +591,21 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
         else if (strcmp(argv[i], "--list") == 0) {
                 if (pid_hidepid())
-                        sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+                        sbox_run(SBOX_ROOT| SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                 else
                         sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
                 exit(0);
         }
         else if (strcmp(argv[i], "--tree") == 0) {
                 if (pid_hidepid())
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                 else
                         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
                 exit(0);
         }
         else if (strcmp(argv[i], "--top") == 0) {
                 if (pid_hidepid())
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                                 2, PATH_FIREMON, "--top");
                 else
                         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
@@ -549,7 +617,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 if (checkcfg(CFG_NETWORK)) {
                         struct stat s;
                         if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
-                                sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+                                sbox_run(SBOX_ROOT | SBOX_CAPS_HIDEPID | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
                                         2, PATH_FIREMON, "--netstats");
                         else
                                 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
@@ -559,11 +627,25 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 else
                         exit_err_feature("networking");
         }
+        else if (strncmp(argv[i], "--net.print=", 12) == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        // extract pid or sandbox name
+                        pid_t pid = require_pid(argv[i] + 12);
+                        net_print(pid);
+                        exit(0);
+                }
+                else
+                        exit_err_feature("networking");
+        }
 #endif
 #ifdef HAVE_FILE_TRANSFER
         else if (strncmp(argv[i], "--get=", 6) == 0) {
                 if (checkcfg(CFG_FILE_TRANSFER)) {
                         logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --get and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
 
                         // verify path
                         if ((i + 2) != argc) {
@@ -571,14 +653,14 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                 exit(1);
                         }
                         char *path = argv[i + 1];
-                         invalid_filename(path);
+                         invalid_filename(path, 0); // no globbing
                          if (strstr(path, "..")) {
                                 fprintf(stderr, "Error: invalid file name %s\n", path);
                                 exit(1);
                          }
 
                         // get file
-                        pid_t pid = read_pid(argv[i] + 6);
+                        pid_t pid = require_pid(argv[i] + 6);
                         sandboxfs(SANDBOX_FS_GET, pid, path, NULL);
                         exit(0);
                 }
@@ -588,6 +670,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         else if (strncmp(argv[i], "--put=", 6) == 0) {
                 if (checkcfg(CFG_FILE_TRANSFER)) {
                         logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --put and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
 
                         // verify path
                         if ((i + 3) != argc) {
@@ -595,20 +681,20 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                 exit(1);
                         }
                         char *path1 = argv[i + 1];
-                         invalid_filename(path1);
+                         invalid_filename(path1, 0); // no globbing
                          if (strstr(path1, "..")) {
                                 fprintf(stderr, "Error: invalid file name %s\n", path1);
                                 exit(1);
                          }
                         char *path2 = argv[i + 2];
-                         invalid_filename(path2);
+                         invalid_filename(path2, 0); // no globbing
                          if (strstr(path2, "..")) {
                                 fprintf(stderr, "Error: invalid file name %s\n", path2);
                                 exit(1);
                          }
 
                         // get file
-                        pid_t pid = read_pid(argv[i] + 6);
+                        pid_t pid = require_pid(argv[i] + 6);
                         sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);
                         exit(0);
                 }
@@ -618,6 +704,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         else if (strncmp(argv[i], "--ls=", 5) == 0) {
                 if (checkcfg(CFG_FILE_TRANSFER)) {
                         logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --ls and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
 
                         // verify path
                         if ((i + 2) != argc) {
@@ -625,20 +715,51 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                 exit(1);
                         }
                         char *path = argv[i + 1];
-                         invalid_filename(path);
+                         invalid_filename(path, 0); // no globbing
                          if (strstr(path, "..")) {
                                 fprintf(stderr, "Error: invalid file name %s\n", path);
                                 exit(1);
                          }
 
                         // list directory contents
-                        pid_t pid = read_pid(argv[i] + 5);
+                        if (!arg_debug)
+                                 arg_quiet = 1;
+                        pid_t pid = require_pid(argv[i] + 5);
                         sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
                         exit(0);
                 }
                 else
                         exit_err_feature("file transfer");
         }
+        else if (strncmp(argv[i], "--cat=", 6) == 0) {
+                if (checkcfg(CFG_FILE_TRANSFER)) {
+                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --cat and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
+
+                        if ((i + 2) != argc) {
+                                fprintf(stderr, "Error: invalid --cat option, path expected\n");
+                                exit(1);
+                        }
+                        char *path = argv[i + 1];
+                        invalid_filename(path, 0); // no globbing
+                        if (strstr(path, "..")) {
+                                fprintf(stderr, "Error: invalid file name %s\n", path);
+                                exit(1);
+                        }
+
+                        // write file contents to stdout
+                        if (!arg_debug)
+                                 arg_quiet = 1;
+                        pid_t pid = require_pid(argv[i] + 6);
+                        sandboxfs(SANDBOX_FS_CAT, pid, path, NULL);
+                        exit(0);
+                }
+                else
+                        exit_err_feature("file transfer");
+        }
 #endif
         else if (strncmp(argv[i], "--join=", 7) == 0) {
                 if (checkcfg(CFG_JOIN) || getuid() == 0) {
@@ -656,7 +777,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                 cfg.shell = guess_shell();
 
                         // join sandbox by pid or by name
-                        pid_t pid = read_pid(argv[i] + 7);
+                        pid_t pid = require_pid(argv[i] + 7);
                         join(pid, argc, argv, i + 1);
                         exit(0);
                 }
@@ -667,28 +788,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {
                 // NOTE: this is first part of option handler,
                 //               sandbox name is set in other part
-                logargs(argc, argv);
+                if (checkcfg(CFG_JOIN) || getuid() == 0) {
+                        logargs(argc, argv);
 
-                if (arg_shell_none) {
-                        if (argc <= (i+1)) {
-                                fprintf(stderr, "Error: --shell=none set, but no command specified\n");
-                                exit(1);
+                        if (arg_shell_none) {
+                                if (argc <= (i+1)) {
+                                        fprintf(stderr, "Error: --shell=none set, but no command specified\n");
+                                        exit(1);
+                                }
+                                cfg.original_program_index = i + 1;
                         }
-                        cfg.original_program_index = i + 1;
-                }
 
-#if 0 // todo: redo it
-                // try to join by name only
-                pid_t pid;
-                if (!name2pid(argv[i] + 16, &pid)) {
-                        if (!cfg.shell && !arg_shell_none)
-                                cfg.shell = guess_shell();
+                        // try to join by name only
+                        pid_t pid;
+                        if (!read_pid(argv[i] + 16, &pid)) {
+                                if (!cfg.shell && !arg_shell_none)
+                                        cfg.shell = guess_shell();
 
-                        join(pid, argc, argv, i + 1);
-                        exit(0);
+                                join(pid, argc, argv, i + 1);
+                                exit(0);
+                        }
+                        // if there no such sandbox continue argument processing
                 }
-#endif
-                // if there no such sandbox continue argument processing
+                else
+                        exit_err_feature("join");
         }
 #ifdef HAVE_NETWORK
         else if (strncmp(argv[i], "--join-network=", 15) == 0) {
@@ -704,7 +827,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                 cfg.shell = guess_shell();
 
                         // join sandbox by pid or by name
-                        pid_t pid = read_pid(argv[i] + 15);
+                        pid_t pid = require_pid(argv[i] + 15);
                         join(pid, argc, argv, i + 1);
                 }
                 else
@@ -724,7 +847,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         cfg.shell = guess_shell();
 
                 // join sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 18);
+                pid_t pid = require_pid(argv[i] + 18);
                 join(pid, argc, argv, i + 1);
                 exit(0);
         }
@@ -732,111 +855,63 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 logargs(argc, argv);
 
                 // shutdown sandbox by pid or by name
-                pid_t pid = read_pid(argv[i] + 11);
+                pid_t pid = require_pid(argv[i] + 11);
                 shut(pid);
                 exit(0);
         }
 
 }
 
-static void set_name_file(pid_t pid) {
-        char *fname;
-        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
-                errExit("asprintf");
-
-        // the file is deleted first
-        FILE *fp = fopen(fname, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot create %s\n", fname);
-                exit(1);
-        }
-        fprintf(fp, "%s\n", cfg.name);
-
-        // mode and ownership
-        SET_PERMS_STREAM(fp, 0, 0, 0644);
-        fclose(fp);
-}
-
-static void delete_name_file(pid_t pid) {
-        char *fname;
-        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
-                errExit("asprintf");
-        int rv = unlink(fname);
-        (void) rv;
-        free(fname);
-}
-
-static void delete_profile_file(pid_t pid) {
-        char *fname;
-        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1)
-                errExit("asprintf");
-        int rv = unlink(fname);
-        (void) rv;
-        free(fname);
-}
-
-void set_x11_file(pid_t pid, int display) {
-        char *fname;
-        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
-                errExit("asprintf");
-
-        // the file is deleted first
-        FILE *fp = fopen(fname, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot create %s\n", fname);
-                exit(1);
-        }
-        fprintf(fp, "%d\n", display);
-
-        // mode and ownership
-        SET_PERMS_STREAM(fp, 0, 0, 0644);
-        fclose(fp);
-}
-
-static void delete_x11_file(pid_t pid) {
-        char *fname;
-        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
-                errExit("asprintf");
-        int rv = unlink(fname);
-        (void) rv;
-        free(fname);
-}
-
 char *guess_shell(void) {
-        char *shell = NULL;
-        struct stat s;
+        const char *shell;
+        char *retval;
 
-        shell = getenv("SHELL");
+        shell = env_get("SHELL");
         if (shell) {
-                // TODO: handle rogue shell variables?
-                if (stat(shell, &s) == 0 && access(shell, R_OK) == 0) {
-                        return shell;
-                }
+                invalid_filename(shell, 0); // no globbing
+                if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
+                    strcmp(shell, PATH_FIREJAIL) != 0)
+                        goto found;
         }
 
         // shells in order of preference
-        char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
+        static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL };
 
         int i = 0;
         while (shells[i] != NULL) {
                 // access call checks as real UID/GID, not as effective UID/GID
-                if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) {
+                if (access(shells[i], X_OK) == 0) {
                         shell = shells[i];
-                        break;
+                        goto found;
                 }
                 i++;
         }
 
-        return shell;
+        return NULL;
+
+ found:
+        retval = strdup(shell);
+        if (!retval)
+                errExit("strdup");
+        return retval;
 }
 
-static int check_arg(int argc, char **argv, const char *argument) {
+// return argument index
+static int check_arg(int argc, char **argv, const char *argument, int strict) {
         int i;
         int found = 0;
         for (i = 1; i < argc; i++) {
-                if (strcmp(argv[i], argument) == 0) {
-                        found = 1;
-                        break;
+                if (strict) {
+                        if (strcmp(argv[i], argument) == 0) {
+                                found = i;
+                                break;
+                        }
+                }
+                else {
+                        if (strncmp(argv[i], argument, strlen(argument)) == 0) {
+                                found = i;
+                                break;
+                        }
                 }
 
                 // detect end of firejail params
@@ -851,14 +926,21 @@ static int check_arg(int argc, char **argv, const char *argument) {
 
 static void run_builder(int argc, char **argv) {
         EUID_ASSERT();
+        (void) argc;
 
         // drop privileges
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
+
+        assert(env_get("LD_PRELOAD") == NULL);
         assert(getenv("LD_PRELOAD") == NULL);
-        
+        umask(orig_umask);
+
+        // restore original environment variables
+        env_apply_all();
+
         argv[0] = LIBDIR "/firejail/fbuilder";
         execvp(argv[0], argv);
 
@@ -866,127 +948,161 @@ static void run_builder(int argc, char **argv) {
         exit(1);
 }
 
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+
+static int check_postexec(const char *list) {
+        char *prelist, *postlist;
+
+        if (list && list[0]) {
+                syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
+                if (postlist)
+                        return 1;
+        }
+        return 0;
+}
 
 //*******************************************
 // Main program
 //*******************************************
-int main(int argc, char **argv) {
+int main(int argc, char **argv, char **envp) {
         int i;
         int prog_index = -1;                      // index in argv where the program command starts
-        int lockfd = -1;
+        int lockfd_network = -1;
+        int lockfd_directory = -1;
         int option_cgroup = 0;
-        int option_force = 0;
         int custom_profile = 0; // custom profile loaded
-        char *custom_profile_dir = NULL; // custom profile directory
+        int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
+        char **ptr;
 
+        // sanitize the umask
+        orig_umask = umask(022);
 
-        atexit(clear_atexit);
+        // drop permissions by default and rise them when required
+        EUID_INIT();
+        EUID_USER();
 
-        // get starting timestamp
-        start_timestamp = getticks();
+        // check standard streams before opening any file
+        fix_std_streams();
 
-        // build /run/firejail directory structure
-        preproc_build_firejail_dir();
-        preproc_clean_run();
+        // argument count should be larger than 0
+        if (argc == 0 || !argv || strlen(argv[0]) == 0) {
+                fprintf(stderr, "Error: argv is invalid\n");
+                exit(1);
+        } else if (argc >= MAX_ARGS) {
+                fprintf(stderr, "Error: too many arguments\n");
+                exit(1);
+        }
 
-        if (check_arg(argc, argv, "--quiet"))
-                arg_quiet = 1;
-        if (check_arg(argc, argv, "--allow-debuggers")) {
-                // check kernel version
-                struct utsname u;
-                int rv = uname(&u);
-                if (rv != 0)
-                        errExit("uname");
-                int major;
-                int minor;
-                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
-                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+        // sanity check for arguments
+        for (i = 0; i < argc; i++) {
+                if (*argv[i] == 0) {
+                        fprintf(stderr, "Error: too short arguments\n");
                         exit(1);
                 }
-                if (major < 4 || (major == 4 && minor < 8)) {
-                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
-                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
-                                "Your current kernel version is %d.%d.\n", major, minor);
+                if (strlen(argv[i]) >= MAX_ARG_LEN) {
+                        fprintf(stderr, "Error: too long arguments\n");
                         exit(1);
                 }
+        }
 
-                arg_allow_debuggers = 1;
+        // Stash environment variables
+        for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++)
+                env_store(*ptr, SETENV);
+
+        // sanity check for environment variables
+        if (i >= MAX_ENVS) {
+                fprintf(stderr, "Error: too many environment variables\n");
+                exit(1);
         }
 
-        // drop permissions by default and rise them when required
-        EUID_INIT();
-        EUID_USER();
+        // Reapply a minimal set of environment variables
+        env_apply_whitelist();
 
-#ifdef HAVE_GIT_INSTALL
-        // process git-install and git-uninstall
-        if (check_arg(argc, argv, "--git-install"))
-                git_install(); // this function will not return
-        if (check_arg(argc, argv, "--git-uninstall"))
-                git_uninstall(); // this function will not return
-#endif
+        // process --quiet
+        const char *env_quiet = env_get("FIREJAIL_QUIET");
+        if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
+                arg_quiet = 1;
+
+        // check if the user is allowed to use firejail
+        init_cfg(argc, argv);
+
+        // get starting timestamp
+        timetrace_start();
 
-        // profile builder
-        if (check_arg(argc, argv, "--build"))
-                run_builder(argc, argv); // this function will not return
-                
         // check argv[0] symlink wrapper if this is not a login shell
         if (*argv[0] != '-')
-                run_symlink(argc, argv); // if symlink detected, this function will not return
+                run_symlink(argc, argv, 0); // if symlink detected, this function will not return
 
         // check if we already have a sandbox running
         // If LXC is detected, start firejail sandbox
         // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
-        //      - if --force flag is set, start firejail sandbox
-        //      -- if --force flag is not set, start the application in a /bin/bash shell
+        //      - start the application in a /bin/bash shell
         if (check_namespace_virt() == 0) {
                 EUID_ROOT();
                 int rv = check_kernel_procs();
                 EUID_USER();
                 if (rv == 0) {
-                        // if --force option is passed to the program, disregard the existing sandbox
-                        if (check_arg(argc, argv, "--force"))
-                                option_force = 1;
-                        else {
-                                if (check_arg(argc, argv, "--version")) {
-                                        printf("firejail version %s\n", VERSION);
-                                        exit(0);
-                                }
-
-                                // start the program directly without sandboxing
-                                run_no_sandbox(argc, argv);
-                                // it will never get here!
-                                assert(0);
+                        if (check_arg(argc, argv, "--version", 1)) {
+                                printf("firejail version %s\n", VERSION);
+                                exit(0);
                         }
-                }
-        }
 
-        // check root/suid
-        EUID_ROOT();
-        if (geteuid()) {
-                // only --version is supported without SUID support
-                if (check_arg(argc, argv, "--version")) {
-                        printf("firejail version %s\n", VERSION);
-                        exit(0);
+                        // start the program directly without sandboxing
+                        run_no_sandbox(argc, argv);
+                        __builtin_unreachable();
                 }
-
-                fprintf(stderr, "Error: cannot rise privileges\n");
-                exit(1);
         }
-        EUID_USER();
 
-        // initialize globals
-        init_cfg(argc, argv);
+        // profile builder
+        if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
+                run_builder(argc, argv); // this function will not return
+
+        // intrusion detection system
+        if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check
+                run_ids(argc, argv); // this function will not return
 
-        // check firejail directories
         EUID_ROOT();
-        bandwidth_del_run_file(sandbox_pid);
-        network_del_run_file(sandbox_pid);
-        delete_name_file(sandbox_pid);
-        delete_x11_file(sandbox_pid);
+#ifndef HAVE_SUID
+        if (geteuid() != 0) {
+                fprintf(stderr, "Error: Firejail needs to be SUID.\n");
+                fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n");
+                fprintf(stderr, "  chmod u+s /usr/bin/firejail\n");
+        }
+#endif
 
+        // build /run/firejail directory structure
+        preproc_build_firejail_dir();
+        const char *container_name = env_get("container");
+        if (!container_name || strcmp(container_name, "firejail")) {
+                lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (lockfd_directory != -1) {
+                        int rv = fchown(lockfd_directory, 0, 0);
+                        (void) rv;
+                        flock(lockfd_directory, LOCK_EX);
+                }
+                preproc_clean_run();
+                flock(lockfd_directory, LOCK_UN);
+                close(lockfd_directory);
+        }
+
+        delete_run_files(getpid());
+        atexit(clear_atexit);
         EUID_USER();
 
-        //check if the parent is sshd daemon
+        // check if the parent is sshd daemon
         int parent_sshd = 0;
         {
                 pid_t ppid = getppid();
@@ -1000,7 +1116,7 @@ int main(int argc, char **argv) {
 
 #ifdef DEBUG_RESTRICTED_SHELL
                                 {EUID_ROOT();
-                                FILE *fp = fopen("/firelog", "w");
+                                FILE *fp = fopen("/firelog", "we");
                                 if (fp) {
                                         int i;
                                         fprintf(fp, "argc %d: ", argc);
@@ -1019,7 +1135,7 @@ int main(int argc, char **argv) {
                                                     strncmp(argv[2], "scp ", 4) == 0) {
 #ifdef DEBUG_RESTRICTED_SHELL
                                                         {EUID_ROOT();
-                                                        FILE *fp = fopen("/firelog", "a");
+                                                        FILE *fp = fopen("/firelog", "ae");
                                                         if (fp) {
                                                                 fprintf(fp, "run without a sandbox\n");
                                                                 fclose(fp);
@@ -1027,9 +1143,13 @@ int main(int argc, char **argv) {
                                                         EUID_USER();}
 #endif
 
-                                                        drop_privs(1);
-                                                        int rv = system(argv[2]);
-                                                        exit(rv);
+                                                        drop_privs(1);
+                                                        umask(orig_umask);
+
+                                                        // restore original environment variables
+                                                        env_apply_all();
+                                                        int rv = system(argv[2]);
+                                                        exit(rv);
                                                 }
                                         }
                                 }
@@ -1037,8 +1157,10 @@ int main(int argc, char **argv) {
                         free(comm);
                 }
         }
+        EUID_ASSERT();
 
-        // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users
+        // is this a login shell, or a command passed by sshd,
+        // insert command line options from /etc/firejail/login.users
         if (*argv[0] == '-' || parent_sshd) {
                 if (argc == 1)
                         login_shell = 1;
@@ -1047,7 +1169,7 @@ int main(int argc, char **argv) {
 
 #ifdef DEBUG_RESTRICTED_SHELL
                         {EUID_ROOT();
-                        FILE *fp = fopen("/firelog", "a");
+                        FILE *fp = fopen("/firelog", "ae");
                         if (fp) {
                                 fprintf(fp, "fullargc %d: ",  fullargc);
                                 int i;
@@ -1069,7 +1191,7 @@ int main(int argc, char **argv) {
 
 #ifdef DEBUG_RESTRICTED_SHELL
                         {EUID_ROOT();
-                        FILE *fp = fopen("/firelog", "a");
+                        FILE *fp = fopen("/firelog", "ae");
                         if (fp) {
                                 fprintf(fp, "argc %d: ", argc);
                                 int i;
@@ -1082,46 +1204,77 @@ int main(int argc, char **argv) {
 #endif
                 }
         }
+#ifdef HAVE_OUTPUT
         else {
                 // check --output option and execute it;
                 check_output(argc, argv); // the function will not return if --output or --output-stderr option was found
         }
+#endif
+        EUID_ASSERT();
 
+        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+        // these paths are disabled in disable-common.inc
+        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+                        profile_add("noblacklist /sbin");
+                        profile_add("noblacklist /usr/sbin");
+                }
+        }
 
-        // check for force-nonewprivs in /etc/firejail/firejail.config file
-        if (checkcfg(CFG_FORCE_NONEWPRIVS))
-                arg_nonewprivs = 1;
+        // process allow-debuggers
+        if (check_arg(argc, argv, "--allow-debuggers", 1)) {
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+                if (major < 4 || (major == 4 && minor < 8)) {
+                        fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. "
+                                "A bug in ptrace call allows a full bypass of the seccomp filter. "
+                                "Your current kernel version is %d.%d.\n", major, minor);
+                        exit(1);
+                }
 
-        if (arg_allow_debuggers) {
+                arg_allow_debuggers = 1;
                 char *cmd = strdup("noblacklist ${PATH}/strace");
                 if (!cmd)
                         errExit("strdup");
                 profile_add(cmd);
         }
 
+        // for appimages we need to remove "include disable-shell.inc from the profile
+        // a --profile command can show up before --appimage
+        if (check_arg(argc, argv, "--appimage", 1))
+                arg_appimage = 1;
+
+        // check for force-nonewprivs in /etc/firejail/firejail.config file
+        if (checkcfg(CFG_FORCE_NONEWPRIVS))
+                arg_nonewprivs = 1;
+
         // parse arguments
         for (i = 1; i < argc; i++) {
                 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
                 if (strcmp(argv[i], "--debug") == 0) {
-                        if (!arg_quiet) {
-                                arg_debug = 1;
-                                if (option_force)
-                                        printf("Entering sandbox-in-sandbox mode\n");
-                        }
+                        arg_debug = 1;
+                        arg_quiet = 0;
                 }
-                else if (strcmp(argv[i], "--debug-check-filename") == 0)
-                        arg_debug_check_filename = 1;
                 else if (strcmp(argv[i], "--debug-blacklists") == 0)
                         arg_debug_blacklists = 1;
                 else if (strcmp(argv[i], "--debug-whitelists") == 0)
                         arg_debug_whitelists = 1;
+                else if (strcmp(argv[i], "--debug-private-lib") == 0)
+                        arg_debug_private_lib = 1;
                 else if (strcmp(argv[i], "--quiet") == 0) {
-                        arg_quiet = 1;
-                        arg_debug = 0;
+                        if (!arg_debug)
+                                arg_quiet = 1;
                 }
-                else if (strcmp(argv[i], "--force") == 0)
-                        ;
                 else if (strcmp(argv[i], "--allow-debuggers") == 0) {
                         // already handled
                 }
@@ -1132,7 +1285,7 @@ int main(int argc, char **argv) {
                 //*************************************
 
 #ifdef HAVE_X11
-                else if (strncmp(argv[i], "--xephyr-screen=", 14) == 0) {
+                else if (strncmp(argv[i], "--xephyr-screen=", 16) == 0) {
                         if (checkcfg(CFG_X11))
                                 ; // the processing is done directly in x11.c
                         else
@@ -1146,18 +1299,12 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--apparmor") == 0)
                         arg_apparmor = 1;
 #endif
-#ifdef HAVE_SECCOMP
                 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
-                                if (cfg.protocol) {
-                                        fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
-                                }
-                                else {
-                                        // store list
-                                        cfg.protocol = strdup(argv[i] + 11);
-                                        if (!cfg.protocol)
-                                                errExit("strdup");
-                                }
+                                const char *add = argv[i] + 11;
+                                profile_list_augment(&cfg.protocol, add);
+                                if (arg_debug)
+                                        fprintf(stderr, "[option] combined protocol list: \"%s\"\n", cfg.protocol);
                         }
                         else
                                 exit_err_feature("seccomp");
@@ -1185,6 +1332,18 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
+                else if (strncmp(argv[i], "--seccomp.32=", 13) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list32 = seccomp_check_list(argv[i] + 13);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                 else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
                                 if (arg_seccomp) {
@@ -1197,6 +1356,18 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
+                else if (strncmp(argv[i], "--seccomp.32.drop=", 18) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list_drop32 = seccomp_check_list(argv[i] + 18);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                 else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
                                 if (arg_seccomp) {
@@ -1209,8 +1380,24 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
+                else if (strncmp(argv[i], "--seccomp.32.keep=", 18) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list_keep32 = seccomp_check_list(argv[i] + 18);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                 else if (strcmp(argv[i], "--seccomp.block-secondary") == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 conflicts with block-secondary\n");
+                                        exit(1);
+                                }
                                 arg_seccomp_block_secondary = 1;
                         }
                         else
@@ -1222,9 +1409,32 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
-#endif
-                else if (strcmp(argv[i], "--caps") == 0)
+                else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
+                                if (config_seccomp_error_action == -1) {
+                                        if (strcmp(argv[i] + 23, "kill") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                        else if (strcmp(argv[i] + 23, "log") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_LOG;
+                                        else {
+                                                arg_seccomp_error_action = errno_find_name(argv[i] + 23);
+                                                if (arg_seccomp_error_action == -1)
+                                                        errExit("seccomp-error-action: unknown errno");
+                                        }
+                                        cfg.seccomp_error_action = strdup(argv[i] + 23);
+                                        if (!cfg.seccomp_error_action)
+                                                errExit("strdup");
+                                } else
+                                        exit_err_feature("seccomp-error-action");
+
+                        } else
+                                exit_err_feature("seccomp");
+                }
+                else if (strcmp(argv[i], "--caps") == 0) {
                         arg_caps_default_filter = 1;
+                        arg_caps_cmdline = 1;
+                }
                 else if (strcmp(argv[i], "--caps.drop=all") == 0)
                         arg_caps_drop_all = 1;
                 else if (strncmp(argv[i], "--caps.drop=", 12) == 0) {
@@ -1234,6 +1444,7 @@ int main(int argc, char **argv) {
                                 errExit("strdup");
                         // verify caps list and exit if problems
                         caps_check_list(arg_caps_list, NULL);
+                        arg_caps_cmdline = 1;
                 }
                 else if (strncmp(argv[i], "--caps.keep=", 12) == 0) {
                         arg_caps_keep = 1;
@@ -1242,13 +1453,37 @@ int main(int argc, char **argv) {
                                 errExit("strdup");
                         // verify caps list and exit if problems
                         caps_check_list(arg_caps_list, NULL);
+                        arg_caps_cmdline = 1;
                 }
-
-
                 else if (strcmp(argv[i], "--trace") == 0)
                         arg_trace = 1;
+                else if (strncmp(argv[i], "--trace=", 8) == 0) {
+                        arg_trace = 1;
+                        arg_tracefile = argv[i] + 8;
+                        if (*arg_tracefile == '\0') {
+                                fprintf(stderr, "Error: invalid trace option\n");
+                                exit(1);
+                        }
+                        invalid_filename(arg_tracefile, 0); // no globbing
+                        if (strstr(arg_tracefile, "..")) {
+                                fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile);
+                                exit(1);
+                        }
+                        // if the filename starts with ~, expand the home directory
+                        if (*arg_tracefile == '~') {
+                                char *tmp;
+                                if (asprintf(&tmp, "%s%s", cfg.homedir, arg_tracefile + 1) == -1)
+                                        errExit("asprintf");
+                                arg_tracefile = tmp;
+                        }
+                }
                 else if (strcmp(argv[i], "--tracelog") == 0)
                         arg_tracelog = 1;
+                else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) {
+                        check_unsigned(argv[i] + 13, "Error: invalid rlimit");
+                        sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu);
+                        arg_rlimit_cpu = 1;
+                }
                 else if (strncmp(argv[i], "--rlimit-nofile=", 16) == 0) {
                         check_unsigned(argv[i] + 16, "Error: invalid rlimit");
                         sscanf(argv[i] + 16, "%llu", &cfg.rlimit_nofile);
@@ -1260,8 +1495,11 @@ int main(int argc, char **argv) {
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-                        check_unsigned(argv[i] + 15, "Error: invalid rlimit");
-                        sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1269,6 +1507,14 @@ int main(int argc, char **argv) {
                         sscanf(argv[i] + 20, "%llu", &cfg.rlimit_sigpending);
                         arg_rlimit_sigpending = 1;
                 }
+                else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
+                        cfg.rlimit_as = parse_arg_size(argv[i] + 12);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
+                        arg_rlimit_as = 1;
+                }
                 else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
                         arg_ipc = 1;
                 else if (strncmp(argv[i], "--cpu=", 6) == 0)
@@ -1280,16 +1526,20 @@ int main(int argc, char **argv) {
                         arg_nice = 1;
                 }
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
-                        if (option_cgroup) {
-                                fprintf(stderr, "Error: only a cgroup can be defined\n");
-                                exit(1);
-                        }
+                        if (checkcfg(CFG_CGROUP)) {
+                                if (option_cgroup) {
+                                        fprintf(stderr, "Error: only a cgroup can be defined\n");
+                                        exit(1);
+                                }
 
-                        option_cgroup = 1;
-                        cfg.cgroup = strdup(argv[i] + 9);
-                        if (!cfg.cgroup)
-                                errExit("strdup");
-                        set_cgroup(cfg.cgroup);
+                                option_cgroup = 1;
+                                cfg.cgroup = strdup(argv[i] + 9);
+                                if (!cfg.cgroup)
+                                        errExit("strdup");
+                                set_cgroup(cfg.cgroup);
+                        }
+                        else
+                                exit_err_feature("cgroup");
                 }
 
                 //*************************************
@@ -1297,7 +1547,6 @@ int main(int argc, char **argv) {
                 //*************************************
                 else if (strcmp(argv[i], "--allusers") == 0)
                         arg_allusers = 1;
-#ifdef HAVE_BIND
                 else if (strncmp(argv[i], "--bind=", 7) == 0) {
                         if (checkcfg(CFG_BIND)) {
                                 char *line;
@@ -1310,7 +1559,6 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("bind");
                 }
-#endif
                 else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
                         char *line;
                         if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)
@@ -1319,6 +1567,8 @@ int main(int argc, char **argv) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+
+                // blacklist/deny
                 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
                         char *line;
                         if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1327,6 +1577,14 @@ int main(int argc, char **argv) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strncmp(argv[i], "--deny=", 7) == 0) {
+                        char *line;
+                        if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
                 else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
                         char *line;
                         if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1335,19 +1593,31 @@ int main(int argc, char **argv) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
+                        char *line;
+                        if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
 
-#ifdef HAVE_WHITELIST
+                // whitelist
                 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
-                        if (checkcfg(CFG_WHITELIST)) {
-                                char *line;
-                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
-                                        errExit("asprintf");
+                        char *line;
+                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                errExit("asprintf");
 
-                                profile_check_line(line, 0, NULL);      // will exit if something wrong
-                                profile_add(line);
-                        }
-                        else
-                                exit_err_feature("whitelist");
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--allow=", 8) == 0) {
+                        char *line;
+                        if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
                 }
                 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
                         char *line;
@@ -1357,8 +1627,36 @@ int main(int argc, char **argv) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-#endif
+                else if (strncmp(argv[i], "--noallow=", 10) == 0) {
+                        char *line;
+                        if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
+                                errExit("asprintf");
 
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+
+
+                else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
+                        char *line;
+                        if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
+                                errExit("asprintf");
+                        /* Note: Applied both immediately in profile_check_line()
+                         *       and later on via fs_blacklist().
+                         */
+                        profile_check_line(line, 0, NULL);
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--mkfile=", 9) == 0) {
+                        char *line;
+                        if (asprintf(&line, "mkfile %s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+                        /* Note: Applied both immediately in profile_check_line()
+                         *       and later on via fs_blacklist().
+                         */
+                        profile_check_line(line, 0, NULL);
+                        profile_add(line);
+                }
                 else if (strncmp(argv[i], "--read-only=", 12) == 0) {
                         char *line;
                         if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
@@ -1388,6 +1686,11 @@ int main(int argc, char **argv) {
 #ifdef HAVE_OVERLAYFS
                 else if (strcmp(argv[i], "--overlay") == 0) {
                         if (checkcfg(CFG_OVERLAYFS)) {
+                                if (arg_overlay) {
+                                        fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                        exit(1);
+                                }
+
                                 if (cfg.chrootdir) {
                                         fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                         exit(1);
@@ -1412,6 +1715,10 @@ int main(int argc, char **argv) {
                 }
                 else if (strncmp(argv[i], "--overlay-named=", 16) == 0) {
                         if (checkcfg(CFG_OVERLAYFS)) {
+                                if (arg_overlay) {
+                                        fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                        exit(1);
+                                }
                                 if (cfg.chrootdir) {
                                         fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                         exit(1);
@@ -1432,7 +1739,7 @@ int main(int argc, char **argv) {
                                 }
 
                                 // check name
-                                invalid_filename(subdirname);
+                                invalid_filename(subdirname, 0); // no globbing
                                 if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
                                         fprintf(stderr, "Error: invalid overlay name\n");
                                         exit(1);
@@ -1444,6 +1751,10 @@ int main(int argc, char **argv) {
                 }
                 else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
                         if (checkcfg(CFG_OVERLAYFS)) {
+                                if (arg_overlay) {
+                                        fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                        exit(1);
+                                }
                                 if (cfg.chrootdir) {
                                         fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                         exit(1);
@@ -1459,39 +1770,105 @@ int main(int argc, char **argv) {
                                 exit_err_feature("overlayfs");
                 }
 #endif
-                else if (strncmp(argv[i], "--profile=", 10) == 0) {
-                        // multiple profile files are allowed!
-
-                        if (arg_noprofile) {
-                                fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
+#ifdef HAVE_FIRETUNNEL
+                else if (strcmp(argv[i], "--tunnel") == 0) {
+                        // try to connect to the default client side of the tunnel
+                        // if this fails, try the default server side of the tunnel
+                        if (access("/run/firetunnel/ftc", R_OK) == 0)
+                                profile_read("/run/firetunnel/ftc");
+                        else if (access("/run/firetunnel/fts", R_OK) == 0)
+                                profile_read("/run/firetunnel/fts");
+                        else {
+                                fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
                                 exit(1);
                         }
+                }
+                else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+                        char *fname;
 
-                        char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+                        if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+                        invalid_filename(fname, 0); // no globbing
+                        if (access(fname, R_OK) == 0)
+                                profile_read(fname);
+                        else {
+                                fprintf(stderr, "Error: tunnel not found\n");
+                                exit(1);
+                        }
+                }
+#endif
+                else if (strncmp(argv[i], "--include=", 10) == 0) {
+                        char *ppath = expand_macros(argv[i] + 10);
                         if (!ppath)
                                 errExit("strdup");
 
-                        profile_read(ppath);
-                        custom_profile = 1;
+                        char *ptr = ppath;
+                        while (*ptr != '/' && *ptr != '\0')
+                                ptr++;
+                        if (*ptr == '\0') {
+                                if (access(ppath, R_OK)) {
+                                        profile_read(ppath);
+                                }
+                                else {
+                                        // ppath contains no '/' and is not a local file, assume it's a name
+                                        int rv = profile_find_firejail(ppath, 0);
+                                        if (!rv) {
+                                                fprintf(stderr, "Error: no profile with name \"%s\" found.\n", ppath);
+                                                exit(1);
+                                        }
+                                }
+                        }
+                        else {
+                                // ppath contains a '/', assume it's a path
+                                profile_read(ppath);
+                        }
+
                         free(ppath);
                 }
-                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
+                else if (strncmp(argv[i], "--profile=", 10) == 0) {
+                        // multiple profile files are allowed!
+
                         if (arg_noprofile) {
-                                fprintf(stderr, "Error: --noprofile and --profile-path options are mutually exclusive\n");
-                                exit(1);
-                        }
-                        custom_profile_dir = expand_home(argv[i] + 15, cfg.homedir);
-                        invalid_filename(custom_profile_dir);
-                        if (!is_dir(custom_profile_dir) || is_link(custom_profile_dir) || strstr(custom_profile_dir, "..")) {
-                                fprintf(stderr, "Error: invalid profile path\n");
+                                fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
                                 exit(1);
                         }
 
-                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(custom_profile_dir, R_OK)) {
-                                fprintf(stderr, "Error: cannot access profile directory\n");
-                                return 1;
+                        char *ppath = expand_macros(argv[i] + 10);
+                        if (!ppath)
+                                errExit("strdup");
+
+                        // checking for strange chars in the file name, no globbing
+                        invalid_filename(ppath, 0);
+
+                        if (*ppath == ':' || access(ppath, R_OK) || is_dir(ppath)) {
+                                int has_colon = (*ppath == ':');
+                                char *ptr = ppath;
+                                while (*ptr != '/' && *ptr != '.' && *ptr != '\0')
+                                        ptr++;
+                                // profile path contains no / or . chars,
+                                // assume its a profile name
+                                if (*ptr != '\0') {
+                                        fprintf(stderr, "Error: inaccessible profile file: %s\n", ppath);
+                                        exit(1);
+                                }
+
+                                // profile was not read in previously, try to see if
+                                // we were given a profile name.
+                                if (!profile_find_firejail(ppath + has_colon, 1)) {
+                                        // do not fall through to default profile,
+                                        // because the user should be notified that
+                                        // given profile arg could not be used.
+                                        fprintf(stderr, "Error: no profile with name \"%s\" found.\n", ppath);
+                                        exit(1);
+                                }
+                                else
+                                        custom_profile = 1;
                         }
+                        else {
+                                profile_read(ppath);
+                                custom_profile = 1;
+                        }
+                        free(ppath);
                 }
                 else if (strcmp(argv[i], "--noprofile") == 0) {
                         if (custom_profile) {
@@ -1499,31 +1876,15 @@ int main(int argc, char **argv) {
                                 exit(1);
                         }
                         arg_noprofile = 1;
+                        // force keep-config-pulse in order to keep ~/.config/pulse as is
+                        arg_keep_config_pulse = 1;
                 }
                 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
                         if (custom_profile) {
                                 fprintf(stderr, "Error: please use --profile after --ignore\n");
                                 exit(1);
                         }
-
-                        if (*(argv[i] + 9) == '\0') {
-                                fprintf(stderr, "Error: invalid ignore option\n");
-                                exit(1);
-                        }
-
-                        // find an empty entry in profile_ignore array
-                        int j;
-                        for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
-                                if (cfg.profile_ignore[j] == NULL)
-                                        break;
-                        }
-                        if (j >= MAX_PROFILE_IGNORE) {
-                                fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
-                                exit(1);
-                        }
-                        // ... and configure it
-                        else
-                                cfg.profile_ignore[j] = argv[i] + 9;
+                        profile_add_ignore(argv[i] + 9);
                 }
 #ifdef HAVE_CHROOT
                 else if (strncmp(argv[i], "--chroot=", 9) == 0) {
@@ -1538,12 +1899,14 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n");
                                         exit(1);
                                 }
-
-
-                                invalid_filename(argv[i] + 9);
-
                                 // extract chroot dirname
                                 cfg.chrootdir = argv[i] + 9;
+                                if (*cfg.chrootdir == '\0') {
+                                        fprintf(stderr, "Error: invalid chroot option\n");
+                                        exit(1);
+                                }
+                                invalid_filename(cfg.chrootdir, 0); // no globbing
+
                                 // if the directory starts with ~, expand the home directory
                                 if (*cfg.chrootdir == '~') {
                                         char *tmp;
@@ -1551,23 +1914,8 @@ int main(int argc, char **argv) {
                                                 errExit("asprintf");
                                         cfg.chrootdir = tmp;
                                 }
-
-                                // check chroot dirname exists
-                                if (strstr(cfg.chrootdir, "..") || !is_dir(cfg.chrootdir) || is_link(cfg.chrootdir)) {
-                                        fprintf(stderr, "Error: invalid directory %s\n", cfg.chrootdir);
-                                        return 1;
-                                }
-
-                                // don't allow "--chroot=/"
-                                char *rpath = realpath(cfg.chrootdir, NULL);
-                                if (rpath == NULL || strcmp(rpath, "/") == 0) {
-                                        fprintf(stderr, "Error: invalid chroot directory\n");
-                                        exit(1);
-                                }
-                                cfg.chrootdir = rpath;
-
-                                // check chroot directory structure
-                                fs_check_chroot_dir(cfg.chrootdir);
+                                // check chroot directory
+                                fs_check_chroot_dir();
                         }
                         else
                                 exit_err_feature("chroot");
@@ -1580,9 +1928,15 @@ int main(int argc, char **argv) {
                         }
                         arg_writable_etc = 1;
                 }
+                else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+                        arg_keep_config_pulse = 1;
+                }
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
+                else if (strcmp(argv[i], "--keep-var-tmp") == 0) {
+                        arg_keep_var_tmp = 1;
+                }
                 else if (strcmp(argv[i], "--writable-run-user") == 0) {
                         arg_writable_run_user = 1;
                 }
@@ -1592,9 +1946,6 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--machine-id") == 0) {
                         arg_machineid = 1;
                 }
-                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
-                        arg_allow_private_blacklist = 1;
-                }
                 else if (strcmp(argv[i], "--private") == 0) {
                         arg_private = 1;
                 }
@@ -1646,62 +1997,81 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--private-dev") == 0) {
                         arg_private_dev = 1;
                 }
+                else if (strcmp(argv[i], "--keep-dev-shm") == 0) {
+                        arg_keep_dev_shm = 1;
+                }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-                        if (arg_writable_etc) {
-                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                                exit(1);
-                        }
+                        if (checkcfg(CFG_PRIVATE_ETC)) {
+                                if (arg_writable_etc) {
+                                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                        exit(1);
+                                }
 
-                        // extract private etc list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-etc option\n");
-                                exit(1);
+                                // extract private etc list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-etc option\n");
+                                        exit(1);
+                                }
+                                if (cfg.etc_private_keep) {
+                                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.etc_private_keep = argv[i] + 14;
+                                arg_private_etc = 1;
                         }
-                        if (cfg.etc_private_keep) {
-                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.etc_private_keep = argv[i] + 14;
-                        arg_private_etc = 1;
+                        else
+                                exit_err_feature("private-etc");
                 }
                 else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
-                        // extract private opt list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-opt option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_OPT)) {
+                                // extract private opt list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-opt option\n");
+                                        exit(1);
+                                }
+                                if (cfg.opt_private_keep) {
+                                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.opt_private_keep = argv[i] + 14;
+                                arg_private_opt = 1;
                         }
-                        if (cfg.opt_private_keep) {
-                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.opt_private_keep = argv[i] + 14;
-                        arg_private_opt = 1;
+                        else
+                                exit_err_feature("private-opt");
                 }
                 else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
-                        // extract private srv list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-etc option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_SRV)) {
+                                // extract private srv list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-srv option\n");
+                                        exit(1);
+                                }
+                                if (cfg.srv_private_keep) {
+                                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.srv_private_keep = argv[i] + 14;
+                                arg_private_srv = 1;
                         }
-                        if (cfg.srv_private_keep) {
-                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.srv_private_keep = argv[i] + 14;
-                        arg_private_srv = 1;
+                        else
+                                exit_err_feature("private-srv");
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-                        // extract private bin list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-bin option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_BIN)) {
+                                // extract private bin list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-bin option\n");
+                                        exit(1);
+                                }
+                                if (cfg.bin_private_keep) {
+                                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.bin_private_keep = argv[i] + 14;
+                                arg_private_bin = 1;
                         }
-                        if (cfg.bin_private_keep) {
-                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.bin_private_keep = argv[i] + 14;
-                        arg_private_bin = 1;
+                        else
+                                exit_err_feature("private-bin");
                 }
                 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                         if (checkcfg(CFG_PRIVATE_LIB)) {
@@ -1721,6 +2091,27 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--private-tmp") == 0) {
                         arg_private_tmp = 1;
                 }
+#ifdef HAVE_USERTMPFS
+                else if (strcmp(argv[i], "--private-cache") == 0) {
+                        if (checkcfg(CFG_PRIVATE_CACHE))
+                                arg_private_cache = 1;
+                        else
+                                exit_err_feature("private-cache");
+                }
+#endif
+                else if (strcmp(argv[i], "--private-cwd") == 0) {
+                        cfg.cwd = NULL;
+                        arg_private_cwd = 1;
+                }
+                else if (strncmp(argv[i], "--private-cwd=", 14) == 0) {
+                        if (*(argv[i] + 14) == '\0') {
+                                fprintf(stderr, "Error: invalid private-cwd option\n");
+                                exit(1);
+                        }
+
+                        fs_check_private_cwd(argv[i] + 14);
+                        arg_private_cwd = 1;
+                }
 
                 //*************************************
                 // hostname, etc
@@ -1757,6 +2148,8 @@ int main(int argc, char **argv) {
                         env_store(argv[i] + 8, RMENV);
                 else if (strcmp(argv[i], "--nosound") == 0)
                         arg_nosound = 1;
+                else if (strcmp(argv[i], "--noautopulse") == 0)
+                        arg_keep_config_pulse = 1;
                 else if (strcmp(argv[i], "--novideo") == 0)
                         arg_novideo = 1;
                 else if (strcmp(argv[i], "--no3d") == 0)
@@ -1765,26 +2158,176 @@ int main(int argc, char **argv) {
                         arg_notv = 1;
                 else if (strcmp(argv[i], "--nodvd") == 0)
                         arg_nodvd = 1;
+                else if (strcmp(argv[i], "--nou2f") == 0)
+                        arg_nou2f = 1;
+                else if (strcmp(argv[i], "--noinput") == 0)
+                        arg_noinput = 1;
+                else if (strcmp(argv[i], "--nodbus") == 0) {
+                        arg_dbus_user = DBUS_POLICY_BLOCK;
+                        arg_dbus_system = DBUS_POLICY_BLOCK;
+                }
 
                 //*************************************
-                // network
+                // D-BUS proxy
                 //*************************************
-#ifdef HAVE_NETWORK
-                else if (strncmp(argv[i], "--interface=", 12) == 0) {
-                        if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                                // compile time restricted networking
-                                if (getuid() != 0) {
-                                        fprintf(stderr, "Error: --interface is allowed only to root user\n");
+#ifdef HAVE_DBUSPROXY
+                else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
+                        if (strcmp("filter", argv[i] + 12) == 0) {
+                                if (arg_dbus_user == DBUS_POLICY_BLOCK) {
+                                        fprintf(stderr, "Warning: Cannot relax --dbus-user policy, it is already set to block\n");
+                                } else {
+                                        arg_dbus_user = DBUS_POLICY_FILTER;
+                                }
+                        } else if (strcmp("none", argv[i] + 12) == 0) {
+                                if (arg_dbus_log_user) {
+                                        fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
                                         exit(1);
                                 }
-#endif
-                                // run time restricted networking
-                                if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                        fprintf(stderr, "Error: --interface is allowed only to root user\n");
+                                arg_dbus_user = DBUS_POLICY_BLOCK;
+                        } else {
+                                fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12);
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--dbus-user.see=", 16) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.see %s", argv[i] + 16) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.talk=", 17) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.talk %s", argv[i] + 17) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.own=", 16) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.own %s", argv[i] + 16) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.call=", 17) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.call %s", argv[i] + 17) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.broadcast=", 22) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.broadcast %s", argv[i] + 22) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp("--dbus-system=", argv[i], 14) == 0) {
+                        if (strcmp("filter", argv[i] + 14) == 0) {
+                                if (arg_dbus_system == DBUS_POLICY_BLOCK) {
+                                        fprintf(stderr, "Warning: Cannot relax --dbus-system policy, it is already set to block\n");
+                                } else {
+                                        arg_dbus_system = DBUS_POLICY_FILTER;
+                                }
+                        } else if (strcmp("none", argv[i] + 14) == 0) {
+                                if (arg_dbus_log_system) {
+                                        fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
                                         exit(1);
                                 }
+                                arg_dbus_system = DBUS_POLICY_BLOCK;
+                        } else {
+                                fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14);
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--dbus-system.see=", 18) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.see %s", argv[i] + 18) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.talk=", 19) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.talk %s", argv[i] + 19) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.own=", 18) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.own %s", argv[i] + 18) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.call=", 19) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.call %s", argv[i] + 19) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.broadcast=", 24) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.broadcast %s", argv[i] + 24) == -1)
+                                errExit("asprintf");
 
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-log=", 11) == 0) {
+                        if (arg_dbus_log_file != NULL) {
+                                fprintf(stderr, "Error: --dbus-log option already specified\n");
+                                exit(1);
+                        }
+                        arg_dbus_log_file = argv[i] + 11;
+                }
+                else if (strcmp(argv[i], "--dbus-user.log") == 0) {
+                        if (arg_dbus_user != DBUS_POLICY_FILTER) {
+                                fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_log_user = 1;
+                }
+                else if (strcmp(argv[i], "--dbus-system.log") == 0) {
+                        if (arg_dbus_system != DBUS_POLICY_FILTER) {
+                                fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_log_system = 1;
+                }
+#endif
+
+                //*************************************
+                // network
+                //*************************************
+                else if (strcmp(argv[i], "--net=none") == 0) {
+                        arg_nonetwork  = 1;
+                        cfg.bridge0.configured = 0;
+                        cfg.bridge1.configured = 0;
+                        cfg.bridge2.configured = 0;
+                        cfg.bridge3.configured = 0;
+                        cfg.interface0.configured = 0;
+                        cfg.interface1.configured = 0;
+                        cfg.interface2.configured = 0;
+                        cfg.interface3.configured = 0;
+                        continue;
+                }
+#ifdef HAVE_NETWORK
+                else if (strncmp(argv[i], "--interface=", 12) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
                                 // checks
                                 if (arg_nonetwork) {
                                         fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
@@ -1842,18 +2385,6 @@ int main(int argc, char **argv) {
                                         continue;
                                 }
 
-#ifdef HAVE_NETWORK_RESTRICTED
-                                // compile time restricted networking
-                                if (getuid() != 0) {
-                                        fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-                                        exit(1);
-                                }
-#endif
-                                // run time restricted networking
-                                if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                        fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-                                        exit(1);
-                                }
                                 if (strcmp(argv[i] + 6, "lo") == 0) {
                                         fprintf(stderr, "Error: cannot attach to lo device\n");
                                         exit(1);
@@ -1872,7 +2403,8 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
                                         return 1;
                                 }
-                                net_configure_bridge(br, argv[i] + 6);
+                                br->dev = argv[i] + 6;
+                                br->configured = 1;
                         }
                         else
                                 exit_err_feature("networking");
@@ -1937,10 +2469,6 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: invalid IP range\n");
                                         return 1;
                                 }
-                                if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) {
-                                        fprintf(stderr, "Error: IP range addresses not in network range\n");
-                                        return 1;
-                                }
                         }
                         else
                                 exit_err_feature("networking");
@@ -1963,6 +2491,13 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: invalid MAC address\n");
                                         exit(1);
                                 }
+
+                                // check multicast address
+                                if (br->macsandbox[0] & 1) {
+                                        fprintf(stderr, "Error: invalid MAC address (multicast)\n");
+                                        exit(1);
+                                }
+
                         }
                         else
                                 exit_err_feature("networking");
@@ -2000,7 +2535,10 @@ int main(int argc, char **argv) {
                                 // configure this IP address for the last bridge defined
                                 if (strcmp(argv[i] + 5, "none") == 0)
                                         br->arg_ip_none = 1;
-                                else {
+                                else if (strcmp(argv[i] + 5, "dhcp") == 0) {
+                                        br->arg_ip_none = 1;
+                                        br->arg_ip_dhcp = 1;
+                                } else {
                                         if (atoip(argv[i] + 5, &br->ipsandbox)) {
                                                 fprintf(stderr, "Error: invalid IP address\n");
                                                 exit(1);
@@ -2011,6 +2549,28 @@ int main(int argc, char **argv) {
                                 exit_err_feature("networking");
                 }
 
+                else if (strncmp(argv[i], "--netmask=", 10) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                Bridge *br = last_bridge_configured();
+                                if (br == NULL) {
+                                        fprintf(stderr, "Error: no network device configured\n");
+                                        exit(1);
+                                }
+                                if (br->arg_ip_none || br->mask) {
+                                        fprintf(stderr, "Error: cannot configure the network mask twice for the same interface\n");
+                                        exit(1);
+                                }
+
+                                // configure this network mask for the last bridge defined
+                                if (atoip(argv[i] + 10, &br->mask)) {
+                                        fprintf(stderr, "Error: invalid  network mask\n");
+                                        exit(1);
+                                }
+                        }
+                        else
+                                exit_err_feature("networking");
+                }
+
                 else if (strncmp(argv[i], "--ip6=", 6) == 0) {
                         if (checkcfg(CFG_NETWORK)) {
                                 Bridge *br = last_bridge_configured();
@@ -2018,18 +2578,24 @@ int main(int argc, char **argv) {
                                         fprintf(stderr, "Error: no network device configured\n");
                                         exit(1);
                                 }
-                                if (br->arg_ip_none || br->ip6sandbox) {
+                                if (br->arg_ip6_dhcp || br->ip6sandbox) {
                                         fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
                                         exit(1);
                                 }
 
                                 // configure this IP address for the last bridge defined
-                                // todo: verify ipv6 syntax
-                                br->ip6sandbox = argv[i] + 6;
-//                              if (atoip(argv[i] + 5, &br->ipsandbox)) {
-//                                      fprintf(stderr, "Error: invalid IP address\n");
-//                                      exit(1);
-//                              }
+                                if (strcmp(argv[i] + 6, "dhcp") == 0)
+                                        br->arg_ip6_dhcp = 1;
+                                else {
+                                        if (check_ip46_address(argv[i] + 6) == 0) {
+                                                fprintf(stderr, "Error: invalid IPv6 address\n");
+                                                exit(1);
+                                        }
+
+                                        br->ip6sandbox = strdup(argv[i] + 6);
+                                        if (br->ip6sandbox == NULL)
+                                                errExit("strdup");
+                                }
                         }
                         else
                                 exit_err_feature("networking");
@@ -2048,21 +2614,25 @@ int main(int argc, char **argv) {
                 }
 #endif
                 else if (strncmp(argv[i], "--dns=", 6) == 0) {
-                        uint32_t dns;
-                        if (atoip(argv[i] + 6, &dns)) {
-                                fprintf(stderr, "Error: invalid DNS server IP address\n");
-                                return 1;
+                        if (check_ip46_address(argv[i] + 6) == 0) {
+                                fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n");
+                                exit(1);
                         }
+                        char *dns = strdup(argv[i] + 6);
+                        if (!dns)
+                                errExit("strdup");
 
-                        if (cfg.dns1 == 0)
+                        if (cfg.dns1 == NULL)
                                 cfg.dns1 = dns;
-                        else if (cfg.dns2 == 0)
+                        else if (cfg.dns2 == NULL)
                                 cfg.dns2 = dns;
-                        else if (cfg.dns3 == 0)
+                        else if (cfg.dns3 == NULL)
                                 cfg.dns3 = dns;
+                        else if (cfg.dns4 == NULL)
+                                cfg.dns4 = dns;
                         else {
-                                fprintf(stderr, "Error: up to 3 DNS servers can be specified\n");
-                                return 1;
+                                fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+                                free(dns);
                         }
                 }
 
@@ -2071,18 +2641,6 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netfilter") == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                        // compile time restricted networking
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
-#endif
-                        // run time restricted networking
-                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter = 1;
                         }
@@ -2091,18 +2649,6 @@ int main(int argc, char **argv) {
                 }
 
                 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                        // compile time restricted networking
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
-#endif
-                        // run time restricted networking
-                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
                         if (checkcfg(CFG_NETWORK)) {
                                 arg_netfilter = 1;
                                 arg_netfilter_file = argv[i] + 12;
@@ -2134,50 +2680,10 @@ int main(int argc, char **argv) {
                 //*************************************
                 // command
                 //*************************************
-                else if (strcmp(argv[i], "--audit") == 0) {
-                        arg_audit_prog = LIBDIR "/firejail/faudit";
-                        arg_audit = 1;
-                }
-                else if (strncmp(argv[i], "--audit=", 8) == 0) {
-                        if (strlen(argv[i] + 8) == 0) {
-                                fprintf(stderr, "Error: invalid audit program\n");
-                                exit(1);
-                        }
-                        arg_audit_prog = strdup(argv[i] + 8);
-                        if (!arg_audit_prog)
-                                errExit("strdup");
-
-                        struct stat s;
-                        if (stat(arg_audit_prog, &s) != 0) {
-                                fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
-                                exit(1);
-                        }
-                        arg_audit = 1;
-                }
-                else if (strcmp(argv[i], "--appimage") == 0)
-                        arg_appimage = 1;
-                else if (strcmp(argv[i], "--csh") == 0) {
-                        if (arg_shell_none) {
-
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/csh";
-                }
-                else if (strcmp(argv[i], "--zsh") == 0) {
-                        if (arg_shell_none) {
-                                fprintf(stderr, "Error: --shell=none was already specified.\n");
-                                return 1;
-                        }
-                        if (cfg.shell) {
-                                fprintf(stderr, "Error: only one default user shell can be specified\n");
-                                return 1;
-                        }
-                        cfg.shell = "/bin/zsh";
+                else if (strncmp(argv[i], "--timeout=", 10) == 0)
+                        cfg.timeout = extract_timeout(argv[i] + 10);
+                else if (strcmp(argv[i], "--appimage") == 0) {
+                        // already handled
                 }
                 else if (strcmp(argv[i], "--shell=none") == 0) {
                         arg_shell_none = 1;
@@ -2191,7 +2697,7 @@ int main(int argc, char **argv) {
                                 fprintf(stderr, "Error: --shell=none was already specified.\n");
                                 return 1;
                         }
-                        invalid_filename(argv[i] + 8);
+                        invalid_filename(argv[i] + 8, 0); // no globbing
 
                         if (cfg.shell) {
                                 fprintf(stderr, "Error: only one user shell can be specified\n");
@@ -2209,12 +2715,12 @@ int main(int argc, char **argv) {
                                 char *shellpath;
                                 if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
                                         errExit("asprintf");
-                                if (access(shellpath, R_OK)) {
+                                if (access(shellpath, X_OK)) {
                                         fprintf(stderr, "Error: cannot access shell file in chroot\n");
                                         exit(1);
                                 }
                                 free(shellpath);
-                        } else if (access(cfg.shell, R_OK)) {
+                        } else if (access(cfg.shell, X_OK)) {
                                 fprintf(stderr, "Error: cannot access shell file\n");
                                 exit(1);
                         }
@@ -2250,27 +2756,21 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
-                else if (strcmp(argv[i], "--git-install") == 0 ||
-                        strcmp(argv[i], "--git-uninstall") == 0) {
-                        fprintf(stderr, "This feature is not enabled in the current build\n");
-                        exit(1);
+                else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
+                        arg_deterministic_exit_code = 1;
                 }
-
-                else if (strcmp(argv[i], "--") == 0) {
+                else {
                         // double dash - positional params to follow
-                        arg_doubledash = 1;
-                        i++;
-                        if (i  >= argc) {
-                                fprintf(stderr, "Error: program name not found\n");
-                                exit(1);
+                        if (strcmp(argv[i], "--") == 0) {
+                                arg_doubledash = 1;
+                                i++;
+                                if (i  >= argc) {
+                                        fprintf(stderr, "Error: program name not found\n");
+                                        exit(1);
+                                }
                         }
-                        extract_command_name(i, argv);
-                        prog_index = i;
-                        break;
-                }
-                else {
                         // is this an invalid option?
-                        if (*argv[i] == '-') {
+                        else if (*argv[i] == '-') {
                                 fprintf(stderr, "Error: invalid %s command line option\n", argv[i]);
                                 return 1;
                         }
@@ -2280,6 +2780,9 @@ int main(int argc, char **argv) {
                                 cfg.command_name = strdup(argv[i]);
                                 if (!cfg.command_name)
                                         errExit("strdup");
+
+                                // disable shell=* for appimages
+                                arg_shell_none = 0;
                         }
                         else
                                 extract_command_name(i, argv);
@@ -2287,6 +2790,24 @@ int main(int argc, char **argv) {
                         break;
                 }
         }
+        EUID_ASSERT();
+
+        // exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line
+        if (getuid() != 0 && arg_caps_cmdline) {
+                char *opt = NULL;
+                if (arg_appimage)
+                        opt = "appimage";
+                else if (arg_overlay)
+                        opt = "overlay";
+                else if (cfg.chrootdir)
+                        opt = "chroot";
+
+                if (opt) {
+                        fprintf(stderr, "Error: all capabilities are dropped for %s by default.\n"
+                                "Please remove --caps options from the command line.\n", opt);
+                        exit(1);
+                }
+        }
 
         // prog_index could still be -1 if no program was specified
         if (prog_index == -1 && arg_shell_none) {
@@ -2302,12 +2823,12 @@ int main(int argc, char **argv) {
         // check user namespace (--noroot) options
         if (arg_noroot) {
                 if (arg_overlay) {
-                        fprintf(stderr, "Error: --overlay and --noroot are mutually exclusive.\n");
-                        exit(1);
+                        fwarning("--overlay and --noroot are mutually exclusive, --noroot disabled...\n");
+                        arg_noroot = 0;
                 }
                 else if (cfg.chrootdir) {
-                        fprintf(stderr, "Error: --chroot and --noroot are mutually exclusive.\n");
-                        exit(1);
+                        fwarning("--chroot and --noroot are mutually exclusive, --noroot disabled...\n");
+                        arg_noroot = 0;
                 }
         }
 
@@ -2338,7 +2859,12 @@ int main(int argc, char **argv) {
 
         // build the sandbox command
         if (prog_index == -1 && cfg.shell) {
-                cfg.command_line = cfg.shell;
+                assert(cfg.command_line == NULL); // runs cfg.shell
+                if (arg_appimage) {
+                        fprintf(stderr, "Error: no appimage archive specified\n");
+                        exit(1);
+                }
+
                 cfg.window_title = cfg.shell;
                 cfg.command_name = cfg.shell;
         }
@@ -2346,10 +2872,11 @@ int main(int argc, char **argv) {
                 if (arg_debug)
                         printf("Configuring appimage environment\n");
                 appimage_set(cfg.command_name);
-                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line);
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
         else {
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                // Only add extra quotes if we were not launched by sshd.
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, !parent_sshd);
         }
 /*      else {
                 fprintf(stderr, "Error: command must be specified when --shell=none used.\n");
@@ -2362,66 +2889,35 @@ int main(int argc, char **argv) {
 
 
         // load the profile
-        if (!arg_noprofile) {
-                if (!custom_profile) {
-                        // look for a profile in ~/.config/firejail directory
-                        char *usercfgdir;
-                        if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-                                errExit("asprintf");
-                        int rv = profile_find(cfg.command_name, usercfgdir);
-                        free(usercfgdir);
-                        custom_profile = rv;
-                }
-                if (!custom_profile) {
-                        // look for a user profile in /etc/firejail directory
-                        int rv;
-                        if (custom_profile_dir)
-                                rv = profile_find(cfg.command_name, custom_profile_dir);
-                        else
-                                rv = profile_find(cfg.command_name, SYSCONFDIR);
-                        custom_profile = rv;
+        if (!arg_noprofile && !custom_profile) {
+                if (arg_appimage) {
+                        custom_profile = appimage_find_profile(cfg.command_name);
+                        // disable shell=* for appimages
+                        arg_shell_none = 0;
                 }
+                else
+                        custom_profile = profile_find_firejail(cfg.command_name, 1);
         }
 
         // use default.profile as the default
         if (!custom_profile && !arg_noprofile) {
-                if (cfg.chrootdir) {
-                        fwarning("default profile disabled by --chroot option\n");
-                }
-//              else if (arg_overlay) {
-//                      fwarning("default profile disabled by --overlay option\n");
-//              }
-                else {
-                        // try to load a default profile
-                        char *profile_name = DEFAULT_USER_PROFILE;
-                        if (getuid() == 0)
-                                profile_name = DEFAULT_ROOT_PROFILE;
-                        if (arg_debug)
-                                printf("Attempting to find %s.profile...\n", profile_name);
+                char *profile_name = DEFAULT_USER_PROFILE;
+                if (getuid() == 0)
+                        profile_name = DEFAULT_ROOT_PROFILE;
+                if (arg_debug)
+                        printf("Attempting to find %s.profile...\n", profile_name);
 
-                        // look for the profile in ~/.config/firejail directory
-                        char *usercfgdir;
-                        if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-                                errExit("asprintf");
-                        custom_profile = profile_find(profile_name, usercfgdir);
-                        free(usercfgdir);
+                custom_profile = profile_find_firejail(profile_name, 1);
 
-                        if (!custom_profile) {
-                                // look for the profile in /etc/firejail directory
-                                if (custom_profile_dir)
-                                        custom_profile = profile_find(profile_name, custom_profile_dir);
-                                else
-                                        custom_profile = profile_find(profile_name, SYSCONFDIR);
-                        }
-                        if (!custom_profile) {
-                                fprintf(stderr, "Error: no default.profile installed\n");
-                                exit(1);
-                        }
-
-                        if (custom_profile && !arg_quiet)
-                                printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
+                if (!custom_profile) {
+                        fprintf(stderr, "Error: no %s installed\n", profile_name);
+                        exit(1);
                 }
+
+                if (custom_profile)
+                        fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name);
         }
+        EUID_ASSERT();
 
         // block X11 sockets
         if (arg_x11_block)
@@ -2430,31 +2926,46 @@ int main(int argc, char **argv) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
+        // customization of default seccomp filter
+        if (config_seccomp_filter_add) {
+                if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+                        profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+                if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+                        profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+        }
+
+        if (arg_seccomp)
+                arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
+
+        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
+        if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32))
+                fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");
+
         // check and assign an IP address - for macvlan it will be done again in the sandbox!
         if (any_bridge_configured()) {
                 EUID_ROOT();
-                lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
-                if (lockfd != -1) {
-                        int rv = fchown(lockfd, 0, 0);
+                lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (lockfd_network != -1) {
+                        int rv = fchown(lockfd_network, 0, 0);
                         (void) rv;
-                        flock(lockfd, LOCK_EX);
+                        flock(lockfd_network, LOCK_EX);
                 }
 
-                check_network(&cfg.bridge0);
-                check_network(&cfg.bridge1);
-                check_network(&cfg.bridge2);
-                check_network(&cfg.bridge3);
+                if (cfg.bridge0.configured && cfg.bridge0.arg_ip_none == 0)
+                        check_network(&cfg.bridge0);
+                if (cfg.bridge1.configured && cfg.bridge1.arg_ip_none == 0)
+                        check_network(&cfg.bridge1);
+                if (cfg.bridge2.configured && cfg.bridge2.arg_ip_none == 0)
+                        check_network(&cfg.bridge2);
+                if (cfg.bridge3.configured && cfg.bridge3.arg_ip_none == 0)
+                        check_network(&cfg.bridge3);
 
                 // save network mapping in shared memory
                 network_set_run_file(sandbox_pid);
                 EUID_USER();
         }
-
-        // create the parent-child communication pipe
-        if (pipe(parent_to_child_fds) < 0)
-                errExit("pipe");
-        if (pipe(child_to_parent_fds) < 0)
-                errExit("pipe");
+        EUID_ASSERT();
 
         if (arg_noroot && arg_overlay) {
                 fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n");
@@ -2466,15 +2977,43 @@ int main(int argc, char **argv) {
         }
 
 
-        // set name file
+        // set name and x11 run files
         EUID_ROOT();
+        lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (lockfd_directory != -1) {
+                int rv = fchown(lockfd_directory, 0, 0);
+                (void) rv;
+                flock(lockfd_directory, LOCK_EX);
+        }
         if (cfg.name)
-                set_name_file(sandbox_pid);
+                set_name_run_file(sandbox_pid);
         int display = x11_display();
         if (display > 0)
-                set_x11_file(sandbox_pid, display);
+                set_x11_run_file(sandbox_pid, display);
+        if (lockfd_directory != -1) {
+                flock(lockfd_directory, LOCK_UN);
+                close(lockfd_directory);
+        }
         EUID_USER();
 
+#ifdef HAVE_DBUSPROXY
+        if (checkcfg(CFG_DBUS)) {
+                dbus_check_profile();
+                if (arg_dbus_user == DBUS_POLICY_FILTER ||
+                        arg_dbus_system == DBUS_POLICY_FILTER) {
+                        EUID_ROOT();
+                        dbus_proxy_start();
+                        EUID_USER();
+                }
+        }
+#endif
+
+        // create the parent-child communication pipe
+        if (pipe2(parent_to_child_fds, O_CLOEXEC) < 0)
+                errExit("pipe");
+        if (pipe2(child_to_parent_fds, O_CLOEXEC) < 0)
+                errExit("pipe");
+
         // clone environment
         int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
 
@@ -2492,17 +3031,26 @@ int main(int argc, char **argv) {
         else if (arg_debug)
                 printf("Using the local network stack\n");
 
+        EUID_ASSERT();
         EUID_ROOT();
+#ifdef __ia64__
+        child = __clone2(sandbox,
+                child_stack,
+                STACK_SIZE,
+                flags,
+                NULL);
+#else
         child = clone(sandbox,
                 child_stack + STACK_SIZE,
                 flags,
                 NULL);
+#endif
         if (child == -1)
                 errExit("clone");
         EUID_USER();
 
         if (!arg_command && !arg_quiet) {
-                printf("Parent pid %u, child pid %u\n", sandbox_pid, child);
+                fmessage("Parent pid %u, child pid %u\n", sandbox_pid, child);
                 // print the path of the new log directory
                 if (getuid() == 0) // only for root
                         printf("The new log directory is /proc/%d/root/var/log\n", child);
@@ -2522,9 +3070,9 @@ int main(int argc, char **argv) {
                         network_main(child);
                         if (arg_debug)
                                 printf("Host network configured\n");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
@@ -2532,6 +3080,7 @@ int main(int argc, char **argv) {
                 waitpid(net_child, NULL, 0);
                 EUID_USER();
         }
+        EUID_ASSERT();
 
         // close each end of the unused pipes
         close(parent_to_child_fds[0]);
@@ -2574,8 +3123,15 @@ int main(int argc, char **argv) {
                 ptr += strlen(ptr);
 
                 if (!arg_nogroups) {
+                        //  add firejail group
+                        gid_t g = get_group_id("firejail");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+
                         //  add tty group
-                        gid_t g = get_group_id("tty");
+                        g = get_group_id("tty");
                         if (g) {
                                 sprintf(ptr, "%d %d 1\n", g, g);
                                 ptr += strlen(ptr);
@@ -2607,45 +3163,66 @@ int main(int argc, char **argv) {
                 EUID_USER();
                 free(map_path);
         }
+        EUID_ASSERT();
 
         // notify child that UID/GID mapping is complete
         notify_other(parent_to_child_fds[1]);
         close(parent_to_child_fds[1]);
 
         EUID_ROOT();
-        if (lockfd != -1) {
-                flock(lockfd, LOCK_UN);
-                close(lockfd);
+        if (lockfd_network != -1) {
+                flock(lockfd_network, LOCK_UN);
+                close(lockfd_network);
         }
+        EUID_USER();
+
+        int status = 0;
+        //*****************************
+        // following code is signal-safe
 
         // handle CTRL-C in parent
-        signal (SIGINT, my_handler);
-        signal (SIGTERM, my_handler);
+        install_handler();
 
         // wait for the child to finish
-        EUID_USER();
-        int status = 0;
         waitpid(child, &status, 0);
 
+        // restore default signal actions
+        signal(SIGTERM, SIG_DFL);
+        signal(SIGINT, SIG_DFL);
+
+        // end of signal-safe code
+        //*****************************
+
+#if 0
+// at this point the sandbox was closed and we are on our way out
+// it would make sense to move this before waitpid above to free some memory
+// crash for now as of issue #3662 from dhcp code
         // free globals
         if (cfg.profile) {
                 ProfileEntry *prf = cfg.profile;
                 while (prf != NULL) {
                         ProfileEntry *next = prf->next;
-                        free(prf->data);
-                        free(prf->link);
+printf("data #%s#\n", prf->data);
+                        if (prf->data)
+                                free(prf->data);
+printf("link #%s#\n", prf->link);
+                        if (prf->link)
+                                free(prf->link);
                         free(prf);
                         prf = next;
                 }
         }
+#endif
+
 
         if (WIFEXITED(status)){
                 myexit(WEXITSTATUS(status));
         } else if (WIFSIGNALED(status)) {
-                myexit(WTERMSIG(status));
+                // distinguish fatal signals by adding 128
+                myexit(128 + WTERMSIG(status));
         } else {
-                myexit(0);
+                myexit(1);
         }
 
-        return 0;
+        return 1;
 }
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
new file mode 100644
index 000000000..64a94bd84
--- /dev/null
+++ b/src/firejail/mountinfo.c
@@ -0,0 +1,281 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "firejail.h"
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#define MAX_BUF 4096
+
+static char mbuf[MAX_BUF];
+static MountData mdata;
+
+
+// Convert octal escape sequence to decimal value
+static int read_oct(const char *path) {
+        int dec = 0;
+        int digit, i;
+        // there are always exactly three octal digits
+        for (i = 1; i < 4; i++) {
+                digit = *(path + i);
+                if (digit < '0' || digit > '7') {
+                        fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
+                        exit(1);
+                }
+                dec = (dec << 3) + (digit - '0');
+        }
+        return dec;
+}
+
+// Restore empty spaces in pathnames extracted from /proc/self/mountinfo
+static void unmangle_path(char *path) {
+        char *p = strchr(path, '\\');
+        if (p && read_oct(p) == ' ') {
+                *p = ' ';
+                int i = 3;
+                do {
+                        p++;
+                        if (*(p + i) == '\\' && read_oct(p + i) == ' ') {
+                                *p = ' ';
+                                i += 3;
+                        }
+                        else
+                                *p = *(p + i);
+                } while (*p);
+        }
+}
+
+// Parse a line from /proc/self/mountinfo,
+// the function does an exit(1) if anything goes wrong.
+static void parse_line(char *line, MountData *output) {
+        assert(line && output);
+        memset(output, 0, sizeof(*output));
+        // extract mount id, filesystem name, directory and filesystem types
+        // examples:
+        //      587 543 8:1 /tmp /etc rw,relatime master:1 - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
+        //              output.mountid: 587
+        //              output.fsname: /tmp
+        //              output.dir: /etc
+        //              output.fstype: ext4
+        //      585 564 0:76 / /home/netblue/.cache rw,nosuid,nodev - tmpfs tmpfs rw
+        //              output.mountid: 585
+        //              output.fsname: /
+        //              output.dir: /home/netblue/.cache
+        //              output.fstype: tmpfs
+
+        char *ptr = strtok(line, " ");
+        if (!ptr)
+                goto errexit;
+        if (ptr != line)
+                goto errexit;
+        output->mountid = atoi(ptr);
+        int cnt = 1;
+
+        while ((ptr = strtok(NULL, " ")) != NULL) {
+                cnt++;
+                if (cnt == 4)
+                        output->fsname = ptr;
+                else if (cnt == 5) {
+                        output->dir = ptr;
+                        break;
+                }
+        }
+
+        ptr = strtok(NULL, "-");
+        if (!ptr)
+                goto errexit;
+
+        ptr = strtok(NULL, " ");
+        if (!ptr)
+                goto errexit;
+        output->fstype = ptr++;
+
+
+        if (output->mountid == 0 ||
+            output->fsname == NULL ||
+            output->dir == NULL ||
+            output->fstype == NULL)
+                goto errexit;
+
+        // restore empty spaces
+        unmangle_path(output->fsname);
+        unmangle_path(output->dir);
+
+        return;
+
+errexit:
+        fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
+        exit(1);
+}
+
+// The return value points to a static area, and will be overwritten by subsequent calls.
+MountData *get_last_mount(void) {
+        // open /proc/self/mountinfo
+        FILE *fp = fopen("/proc/self/mountinfo", "re");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
+                exit(1);
+        }
+
+        mbuf[0] = '\0';
+        // go to the last line
+        while (fgets(mbuf, MAX_BUF, fp));
+        fclose(fp);
+        if (arg_debug)
+                printf("%s", mbuf);
+
+        parse_line(mbuf, &mdata);
+
+        if (arg_debug)
+                printf("mountid=%d fsname=%s dir=%s fstype=%s\n", mdata.mountid, mdata.fsname, mdata.dir, mdata.fstype);
+        return &mdata;
+}
+
+// Extract the mount id from /proc/self/fdinfo and return it.
+int get_mount_id(const char *path) {
+        EUID_ASSERT();
+        assert(path);
+
+        int fd = open(path, O_PATH|O_CLOEXEC);
+        if (fd == -1)
+                return -1;
+
+        char *fdinfo;
+        if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
+                errExit("asprintf");
+        EUID_ROOT();
+        FILE *fp = fopen(fdinfo, "re");
+        EUID_USER();
+        free(fdinfo);
+        if (!fp)
+                goto errexit;
+
+        // read the file
+        char buf[MAX_BUF];
+        if (fgets(buf, MAX_BUF, fp) == NULL)
+                goto errexit;
+        do {
+                if (strncmp(buf, "mnt_id:", 7) == 0) {
+                        char *ptr = buf + 7;
+                        while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
+                                ptr++;
+                        }
+                        if (*ptr == '\0')
+                                goto errexit;
+                        fclose(fp);
+                        close(fd);
+                        return atoi(ptr);
+                }
+        } while (fgets(buf, MAX_BUF, fp));
+
+        // fallback, kernels older than 3.15 don't expose the mount id in this place
+        fclose(fp);
+        close(fd);
+        return -2;
+
+errexit:
+        fprintf(stderr, "Error: cannot read proc file\n");
+        exit(1);
+}
+
+// Check /proc/self/mountinfo if path contains any mounts points.
+// Returns an array that can be iterated over for recursive remounting.
+char **build_mount_array(const int mount_id, const char *path) {
+        assert(path);
+
+        // open /proc/self/mountinfo
+        FILE *fp = fopen("/proc/self/mountinfo", "re");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
+                exit(1);
+        }
+
+        // array to be returned
+        size_t cnt = 0;
+        size_t size = 32;
+        char **rv = malloc(size * sizeof(*rv));
+        if (!rv)
+                errExit("malloc");
+
+        // read /proc/self/mountinfo
+        size_t pathlen = strlen(path);
+        char buf[MAX_BUF];
+        MountData mntp;
+        int found = 0;
+
+        if (fgets(buf, MAX_BUF, fp) == NULL) {
+                fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
+                exit(1);
+        }
+        do {
+                parse_line(buf, &mntp);
+                // find mount point with mount id
+                if (!found) {
+                        if (mntp.mountid == mount_id) {
+                                // give up if mount id has been reassigned,
+                                // don't remount blacklisted path
+                                if (strncmp(mntp.dir, path, strlen(mntp.dir)) ||
+                                    strstr(mntp.fsname, "firejail.ro.dir") ||
+                                    strstr(mntp.fsname, "firejail.ro.file"))
+                                            break;
+
+                                rv[cnt] = strdup(path);
+                                if (rv[cnt] == NULL)
+                                        errExit("strdup");
+                                cnt++;
+                                found = 1;
+                                continue;
+                        }
+                        continue;
+                }
+                // from here on add all mount points below path,
+                // don't remount blacklisted paths
+                if (strncmp(mntp.dir, path, pathlen) == 0 &&
+                    mntp.dir[pathlen] == '/' &&
+                    strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
+                    strstr(mntp.fsname, "firejail.ro.file") == NULL) {
+
+                        if (cnt == size) {
+                                size *= 2;
+                                rv = realloc(rv, size * sizeof(*rv));
+                                if (!rv)
+                                        errExit("realloc");
+                        }
+                        rv[cnt] = strdup(mntp.dir);
+                        if (rv[cnt] == NULL)
+                                errExit("strdup");
+                        cnt++;
+                }
+        } while (fgets(buf, MAX_BUF, fp));
+
+        if (cnt == size) {
+                size++;
+                rv = realloc(rv, size * sizeof(*rv));
+                if (!rv)
+                        errExit("realloc");
+        }
+        rv[cnt] = NULL; // end of the array
+
+        fclose(fp);
+        return rv;
+}
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 14b3b54a6..fc79dddec 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,36 +24,25 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
-static char *client_filter =
-"*filter\n"
-":INPUT DROP [0:0]\n"
-":FORWARD DROP [0:0]\n"
-":OUTPUT ACCEPT [0:0]\n"
-"-A INPUT -i lo -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
-"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
-"# disable STUN\n"
-"-A OUTPUT -p udp --dport 3478 -j DROP\n"
-"-A OUTPUT -p udp --dport 3479 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
-"COMMIT\n";
-
 void check_netfilter_file(const char *fname) {
         EUID_ASSERT();
-        invalid_filename(fname);
 
-        if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
-                fprintf(stderr, "Error: invalid network filter file %s\n", fname);
+        char *tmp = strdup(fname);
+        if (!tmp)
+                errExit("strdup");
+        char *ptr = strchr(tmp, ',');
+        if (ptr)
+                *ptr = '\0';
+
+        invalid_filename(tmp, 0); // no globbing
+
+        if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) {
+                fprintf(stderr, "Error: invalid network filter file %s\n", tmp);
                 exit(1);
         }
+        free(tmp);
 }
 
-
 void netfilter(const char *fname) {
         // find iptables command
         struct stat s;
@@ -72,41 +61,32 @@ void netfilter(const char *fname) {
                 return;
         }
 
-        // read filter
-        char *filter = client_filter;
-        int allocated = 0;
-        if (netfilter_default)
-                fname = netfilter_default;
-        if (fname) {
-                filter = read_text_file_or_exit(fname);
-                allocated = 1;
-        }
-
-        // create the filter file
-        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
-
-
-        // push filter
         if (arg_debug)
-                printf("Installing network filter:\n%s\n", filter);
+                printf("Installing firewall\n");
+
+        // create an empty user-owned SBOX_STDIN_FILE
+        create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
+        if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
+                errExit("set_perms");
+
+        if (fname == NULL) {
+                if (netfilter_default)
+                        sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, netfilter_default, SBOX_STDIN_FILE);
+                else
+                        sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE);
+        }
+        else
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
 
         // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
         // we run this command with caps and seccomp disabled in order to allow the loading of these modules
-        sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+        sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
         unlink(SBOX_STDIN_FILE);
 
         // debug
         if (arg_debug)
                 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
 
-        if (allocated)
-                free(filter);
         return;
 }
 
@@ -131,29 +111,54 @@ void netfilter6(const char *fname) {
                 return;
         }
 
-        // create the filter file
-        char *filter = read_text_file_or_exit(fname);
-        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
-
-        // push filter
         if (arg_debug)
-                printf("Installing network filter:\n%s\n", filter);
+                printf("Installing IPv6 firewall\n");
+
+        // create an empty user-owned SBOX_STDIN_FILE
+        create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
+        if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
+                errExit("set_perms");
+
+        sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
 
         // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
         // we run this command with caps and seccomp disabled in order to allow the loading of these modules
-        sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+        sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
         unlink(SBOX_STDIN_FILE);
 
         // debug
         if (arg_debug)
                 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL");
 
-        free(filter);
         return;
 }
+
+void netfilter_print(pid_t pid, int ipv6) {
+        EUID_ASSERT();
+
+        enter_network_namespace(pid);
+
+        // find iptables executable
+        char *iptables = NULL;
+//      char *iptables_restore = NULL;
+        struct stat s;
+        if (ipv6) {
+                if (stat("/sbin/ip6tables", &s) == 0)
+                        iptables = "/sbin/ip6tables";
+                else if (stat("/usr/sbin/ip6tables", &s) == 0)
+                        iptables = "/usr/sbin/ip6tables";
+        }
+        else {
+                if (stat("/sbin/iptables", &s) == 0)
+                        iptables = "/sbin/iptables";
+                else if (stat("/usr/sbin/iptables", &s) == 0)
+                        iptables = "/usr/sbin/iptables";
+        }
+
+        if (iptables == NULL) {
+                fprintf(stderr, "Error: iptables command not found\n");
+                exit(1);
+        }
+
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
+}
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
index fdd108652..b5d6fb636 100644
--- a/src/firejail/netns.c
+++ b/src/firejail/netns.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Firejail Authors
+ * Copyright (C) 2020-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -49,7 +49,7 @@ void check_netns(const char *nsname) {
                 fprintf(stderr, "Error: invalid netns name %s\n", nsname);
                 exit(1);
         }
-        invalid_filename(nsname);
+        invalid_filename(nsname, 0); // no globbing
         char *control_file = netns_control_file(nsname);
 
         EUID_ASSERT();
@@ -60,7 +60,7 @@ void check_netns(const char *nsname) {
                         nsname, control_file, strerror(errno));
                 exit(1);
         }
-        if (!S_ISREG(st.st_mode)) {
+        if (!S_ISREG(st.st_mode) && !S_ISLNK(st.st_mode)) {
                 fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
                         nsname, control_file);
                 exit(1);
diff --git a/src/firejail/network.c b/src/firejail/network.c
index f7ddef917..289e164c6 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -28,6 +28,40 @@
 #include <net/route.h>
 #include <linux/if_bridge.h>
 
+// return 1 if addr is a IPv4 or IPv6 address
+int check_ip46_address(const char *addr) {
+        // check ipv4 address
+        uint32_t tmp;
+        if (atoip(addr, &tmp) == 0)
+                return 1;
+
+        // check ipv6 address
+        struct in6_addr result;
+
+        char *tmpstr = strdup(addr);
+        if (!tmpstr)
+                errExit("strdup");
+        char *ptr = strchr(tmpstr, '/');
+        if (ptr) {
+                *ptr = '\0';
+                ptr++;
+                int mask = atoi(ptr);
+                // check the network mask
+                if (mask < 0 || mask > 128) {
+                        free(tmpstr);
+                        return 0;
+                }
+        }
+        if (inet_pton(AF_INET6, tmpstr, &result) == 1) {
+                free(tmpstr);
+                return 1;
+        }
+
+        free(tmpstr);
+
+        // failed
+        return 0;
+}
 
 int net_get_mtu(const char *ifname) {
         int mtu = 0;
@@ -44,7 +78,7 @@ int net_get_mtu(const char *ifname) {
 
         memset(&ifr, 0, sizeof(ifr));
         ifr.ifr_addr.sa_family = AF_INET;
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
                 mtu = ifr.ifr_mtu;
         if (arg_debug)
@@ -72,7 +106,7 @@ void net_set_mtu(const char *ifname, int mtu) {
 
         memset(&ifr, 0, sizeof(ifr));
         ifr.ifr_addr.sa_family = AF_INET;
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_mtu = mtu;
         if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
                 fwarning("cannot set mtu for interface %s\n", ifname);
@@ -149,7 +183,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
         int sock;
         struct rtentry route;
         struct sockaddr_in *addr;
-        int err = 0;
 
         // create the socket
         if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
@@ -171,7 +204,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
 
         route.rt_flags = RTF_UP | RTF_GATEWAY;
         route.rt_metric = 0;
-        if ((err = ioctl(sock, SIOCADDRT, &route)) != 0) {
+        if (ioctl(sock, SIOCADDRT, &route) != 0) {
                 close(sock);
                 return -1;
         }
@@ -184,7 +217,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
 
 #define BUFSIZE 1024
 uint32_t network_get_defaultgw(void) {
-        FILE *fp = fopen("/proc/self/net/route", "r");
+        FILE *fp = fopen("/proc/self/net/route", "re");
         if (!fp)
                 errExit("fopen");
 
@@ -195,7 +228,7 @@ uint32_t network_get_defaultgw(void) {
                         continue;
 
                 char *ptr = buf;
-                while (*ptr != ' ' && *ptr != '\t')
+                while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
                         ptr++;
                 while (*ptr == ' ' || *ptr == '\t')
                         ptr++;
@@ -235,7 +268,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
                 errExit("socket");
 
         memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
 
         if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)
diff --git a/src/firejail/network.txt b/src/firejail/network.txt
deleted file mode 100644
index 75bdc346d..000000000
--- a/src/firejail/network.txt
+++ /dev/null
@@ -1,95 +0,0 @@
-struct Bridge {
-        char *dev;              // bridge device name
-        uint32_t ip;            // bridge device IP address
-        uint32_t mask;          // bridge device mask
-        uint32_t ipsandbox      // sandbox interface IP address
-}
-
-net_configure_bridge(br, device) {
-        br->dev  = devname;
-        br->ip = extracted from kernel device - using net_get_if_addr() in network.c
-        br->mask = extracted from kernel device - using net_get_if_addr() in network.c
-        check available network range; /31 networks are not supported
-}
-
-net_configure_sandbox_ip(br) {
-        if br->ip_sandbox
-                check br->ipsandbox inside the bridge network
-                arp_check(br->ipsandbox)        // send an arp req to check if anybody else is using this address
-        else
-                br->ipsandbox = arp_assign();
-}
-
-net_configure_veth_pair {
-        create a veth pair
-        place one interface end in the bridge
-        place the other end in the namespace of the child process
-}
-
-net_bridge_wait_ip {
-        arp_check br->ipsandbox address to come up
-        wait for not more than 5 seconds
-}
-
-main() {
-
-        foreach argv[i] {
-                if --net
-                        br = next bridge available
-                        net_configure_bridge(br, device name from argv[i]);
-                else if --ip
-                        br = last bridge configured
-                        br->ipsandbox = ip address extracted from argv[i]
-                else if --defaultgw
-                        cfg.defaultgw = ip address extracted from argv[i]
-        }
-
-        net_check_cfg(); // check the validity of network configuration so far
-
-        if (any bridge configured) {
-                lock /var/lock/firejail.lock file
-                for each bridge
-                        net_configure_sandbox_ip(br)
-        }
-
-        clone (new network namespace if any bridge configured or --net=none)
-
-        if (any bridge configured) {
-                for each bridge
-                        net_configure_veth_pair
-        }
-
-        notify child init is done
-
-        if (any bridge configured) {
-                for each bridge
-                        net_bridge_wait_ip
-                unlock /var/lock/firejail.lock file
-        }
-
-        wait on child
-        exit
-}
-
-
-******************************************************
-* macvlan notes
-******************************************************
-Configure a macvlan interface
-
-# ip link add virtual0 link eth0 type macvlan mode bridge
-(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
-
-Create a new network namespace and move the interface in the new network namespace
-
-# ip netns add dummy0
-# ip link set virtual0 netns dummy0
-
-Join the namespace and configure the interfaces
-
-# ip netns exec dummy0 bash
-# ifconfig lo up
-# ifconfig virtual0 192.168.1.52/24
-
-Investigate ipvlan interface - added to linux kernel 3.19
-https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 172395146..d3e75bbed 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,14 +24,13 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
+#include <sys/wait.h>
 
 // configure bridge structure
 // - extract ip address and mask from the bridge interface
-void net_configure_bridge(Bridge *br, char *dev_name) {
+static void net_configure_bridge(Bridge *br) {
         assert(br);
-        assert(dev_name);
-
-        br->dev = dev_name;
+        assert(br->dev);
 
         // check the bridge device exists
         char sysbridge[30 + strlen(br->dev)];
@@ -57,13 +56,13 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
                 }
         }
 
-        // allow unconfigured interfaces
-        if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) {
+        int mtu = br->mtu;      // preserve mtu value in case the user changed it with --mtu
+        if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu))
+                // allow unconfigured interfaces
                 fwarning("the network interface %s is not configured\n", br->dev);
-                br->configured = 1;
-                br->arg_ip_none = 1;
-                return;
-        }
+        if (mtu)
+                br->mtu = mtu;
+
         if (arg_debug) {
                 if (br->macvlan == 0)
                         printf("Bridge device %s at %d.%d.%d.%d/%d\n",
@@ -73,13 +72,40 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
                                 br->dev, PRINT_IP(br->ip), mask2bits(br->mask));
         }
 
-        uint32_t range = ~br->mask + 1;           // the number of potential addresses
-        // this software is not supported for /31 networks
-        if (range < 4) {
-                fprintf(stderr, "Error: the software is not supported for /31 networks\n");
+        if (br->mask) {
+                uint32_t range = ~br->mask + 1;           // the number of potential addresses
+                // this software is not supported for /31 networks
+                if (range < 4) {
+                        fprintf(stderr, "Error: the software is not supported for /31 networks\n");
+                        exit(1);
+                }
+        }
+
+
+        // no interface network mask - no ip address will be configured
+        if (br->mask == 0)
+                goto err_no_ip;
+        // no interface ip - extract the network address from the address configured by the user
+        else if (br->ip == 0 && br->ipsandbox)
+                br->ip = br->ipsandbox & br->mask;
+        // no interface ip - extract the network address from the default gateway configured by the user
+        else if (br->ip == 0 && cfg.defaultgw)
+                br->ip = cfg.defaultgw & br->mask;
+        // no ip address will be configured
+        else if (br->ip == 0)
+                goto err_no_ip;
+
+        if ((br->iprange_start && in_netrange(br->iprange_start, br->ip, br->mask)) ||
+            (br->iprange_end && in_netrange(br->iprange_end, br->ip, br->mask))) {
+                fprintf(stderr, "Error: IP range addresses not in network range\n");
                 exit(1);
         }
-        br->configured = 1;
+
+        return;
+
+err_no_ip:
+        br->arg_ip_none = 1;
+        fwarning("Not enough information to configure an IP address for\n   interface --net=%s\n", br->dev);
 }
 
 
@@ -94,7 +120,7 @@ void net_configure_sandbox_ip(Bridge *br) {
                 // check network range
                 char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
                 if (rv) {
-                        fprintf(stderr, "%s", rv);
+                        fprintf(stderr, "%s\n", rv);
                         exit(1);
                 }
                 // send an ARP request and check if there is anybody on this IP address
@@ -131,7 +157,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
         char *cstr;
         if (asprintf(&cstr, "%d", child) == -1)
                 errExit("asprintf");
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET_MAIN, "create", "veth", dev, ifname, br->dev, cstr);
         free(cstr);
 
         char *msg;
@@ -145,7 +171,6 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 // the default address should be in the range of at least on of the bridge devices
 void check_default_gw(uint32_t defaultgw) {
         assert(defaultgw);
-
         if (cfg.bridge0.configured) {
                 char *rv = in_netrange(defaultgw, cfg.bridge0.ip, cfg.bridge0.mask);
                 if (rv == 0)
@@ -174,14 +199,22 @@ void check_default_gw(uint32_t defaultgw) {
 void net_check_cfg(void) {
         EUID_ASSERT();
         int net_configured = 0;
-        if (cfg.bridge0.configured)
+        if (cfg.bridge0.configured) {
+                net_configure_bridge(&cfg.bridge0);
                 net_configured++;
-        if (cfg.bridge1.configured)
+        }
+        if (cfg.bridge1.configured) {
+                net_configure_bridge(&cfg.bridge1);
                 net_configured++;
-        if (cfg.bridge2.configured)
+        }
+        if (cfg.bridge2.configured) {
+                net_configure_bridge(&cfg.bridge2);
                 net_configured++;
-        if (cfg.bridge3.configured)
+        }
+        if (cfg.bridge3.configured) {
+                net_configure_bridge(&cfg.bridge3);
                 net_configured++;
+        }
 
         int if_configured = 0;
         if (cfg.interface0.configured)
@@ -213,6 +246,10 @@ void net_check_cfg(void) {
         if (cfg.defaultgw)
                 check_default_gw(cfg.defaultgw);
         else {
+                // if the first network has no assigned address,
+                // do not try to set up a gateway, because it will fail
+                if (cfg.bridge0.arg_ip_none)
+                        return;
                 // first network is a regular bridge
                 if (cfg.bridge0.macvlan == 0)
                         cfg.defaultgw = cfg.bridge0.ip;
@@ -236,38 +273,42 @@ void net_dns_print(pid_t pid) {
         EUID_ASSERT();
         // drop privileges - will not be able to read /etc/resolv.conf for --noroot option
 
-        // if the pid is that of a firejail  process, use the pid of the first child process
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                        }
-                }
-                free(comm);
-        }
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
 
-        char *fname;
-        EUID_ROOT();
-        if (asprintf(&fname, "/proc/%d/root/etc/resolv.conf", pid) == -1)
-                errExit("asprintf");
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
-        // access /etc/resolv.conf
-        FILE *fp = fopen(fname, "r");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot access /etc/resolv.conf\n");
+        EUID_ROOT();
+        if (join_namespace(pid, "mnt"))
                 exit(1);
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                caps_drop_all();
+                if (chdir("/") < 0)
+                        errExit("chdir");
+
+                // access /etc/resolv.conf
+                FILE *fp = fopen("/etc/resolv.conf", "re");
+                if (!fp) {
+                        fprintf(stderr, "Error: cannot access /etc/resolv.conf\n");
+                        exit(1);
+                }
+
+                char buf[MAXBUF];
+                while (fgets(buf, MAXBUF, fp))
+                        printf("%s", buf);
+                printf("\n");
+                fclose(fp);
+                exit(0);
         }
 
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp))
-                printf("%s", buf);
-        printf("\n");
-        fclose(fp);
-        free(fname);
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+        flush_stdin();
         exit(0);
 }
 
@@ -282,43 +323,50 @@ void network_main(pid_t child) {
                         net_configure_veth_pair(&cfg.bridge0, "eth0", child);
                 }
                 else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
         }
 
         if (cfg.bridge1.configured) {
                 if (cfg.bridge1.macvlan == 0)
                         net_configure_veth_pair(&cfg.bridge1, "eth1", child);
                 else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
         }
 
         if (cfg.bridge2.configured) {
                 if (cfg.bridge2.macvlan == 0)
                         net_configure_veth_pair(&cfg.bridge2, "eth2", child);
                 else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
         }
 
         if (cfg.bridge3.configured) {
                 if (cfg.bridge3.macvlan == 0)
                         net_configure_veth_pair(&cfg.bridge3, "eth3", child);
                 else
-                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET_MAIN, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
         }
 
         // move interfaces in sandbox
         if (cfg.interface0.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface0.dev, cstr);
         }
         if (cfg.interface1.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface1.dev, cstr);
         }
         if (cfg.interface2.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface2.dev, cstr);
         }
         if (cfg.interface3.configured) {
-                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET_MAIN, "moveif", cfg.interface3.dev, cstr);
         }
 
         free(cstr);
 }
+
+void net_print(pid_t pid) {
+        EUID_ASSERT();
+
+        enter_network_namespace(pid);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET_MAIN, "printif");
+}
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 83737c73d..0e5562d90 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <errno.h>
 #include <unistd.h>
 #include <grp.h>
 
@@ -41,13 +42,14 @@ int check_namespace_virt(void) {
         EUID_ASSERT();
 
         // check container environment variable
-        char *str = getenv("container");
+        const char *str = env_get("container");
         if (str && is_container(str))
                 return 1;
 
         // check PID 1 container environment variable
         EUID_ROOT();
-        FILE *fp = fopen("/proc/1/environ", "r");
+        FILE *fp = fopen("/proc/1/environ", "re");
+        EUID_USER();
         if (fp) {
                 int c = 0;
                 while (c != EOF) {
@@ -68,7 +70,6 @@ int check_namespace_virt(void) {
                                 // found it
                                 if (is_container(buf + 10)) {
                                         fclose(fp);
-                                        EUID_USER();
                                         return 1;
                                 }
                         }
@@ -78,7 +79,6 @@ int check_namespace_virt(void) {
                 fclose(fp);
         }
 
-        EUID_USER();
         return 0;
 }
 
@@ -89,7 +89,7 @@ int check_kernel_procs(void) {
         // only user processes are available in /proc when running grsecurity
         // EUID_ASSERT();
 
-        char *kern_proc[] = {
+        static char *kern_proc[] = {
                 "kthreadd",
                 "ksoftirqd",
                 "kworker",
@@ -105,20 +105,15 @@ int check_kernel_procs(void) {
         // look at the first 10 processes
         // if a kernel process is found, return 1
         for (i = 1; i <= 10; i++) {
-                struct stat s;
                 char *fname;
                 if (asprintf(&fname, "/proc/%d/comm", i) == -1)
                         errExit("asprintf");
-                if (stat(fname, &s) == -1) {
-                        free(fname);
-                        continue;
-                }
 
                 // open file
-                /* coverity[toctou] */
-                FILE *fp = fopen(fname, "r");
+                FILE *fp = fopen(fname, "re");
                 if (!fp) {
-                        fwarning("cannot open %s\n", fname);
+                        if (errno != ENOENT)
+                                fwarning("cannot open %s\n", fname);
                         free(fname);
                         continue;
                 }
@@ -161,41 +156,24 @@ int check_kernel_procs(void) {
 
 void run_no_sandbox(int argc, char **argv) {
         EUID_ASSERT();
+        // drop privileges
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
 
         // process limited subset of options
+        // and find first non option arg:
+        //      - first argument not starting with --,
+        //      - whatever follows after -c (example: firejail -c ls)
+        int prog_index = 0;
         int i;
-        for (i = 0; i < argc; i++) {
+        for (i = 1; i < argc; i++) {
                 if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
-                else if (strcmp(argv[i], "--csh") == 0 ||
-                    strcmp(argv[i], "--zsh") == 0 ||
-                    strcmp(argv[i], "--shell=none") == 0 ||
-                    strncmp(argv[i], "--shell=", 8) == 0)
-                        fwarning("shell-related command line options are disregarded - using SHELL environment variable\n");
-        }
-
-        // use $SHELL to get shell used in sandbox
-        char *shell =  getenv("SHELL");
-        if (shell && access(shell, R_OK) == 0)
-                cfg.shell = shell;
-
-        // guess shell otherwise
-        if (!cfg.shell) {
-                cfg.shell = guess_shell();
-                if (arg_debug)
-                        printf("Autoselecting %s as shell\n", cfg.shell);
-        }
-        if (!cfg.shell) {
-                fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
-                exit(1);
-        }
-
-        int prog_index = 0;
-        // find first non option arg:
-        //      - first argument not starting wiht --,
-        //      - whatever follows after -c (example: firejail -c ls)
-        for (i = 1; i < argc; i++) {
-                if (strcmp(argv[i], "-c") == 0) {
+                else if (strncmp(argv[i], "--shell=", 8) == 0)
+                        fwarning("shell-related command line options are disregarded\n");
+                else if (strcmp(argv[i], "-c") == 0) {
                         prog_index = i + 1;
                         if (prog_index == argc) {
                                 fprintf(stderr, "Error: option -c requires an argument\n");
@@ -204,36 +182,37 @@ void run_no_sandbox(int argc, char **argv) {
                         break;
                 }
                 // check first argument not starting with --
-                if (strncmp(argv[i],"--",2) != 0) {
+                else if (strncmp(argv[i],"--",2) != 0) {
                         prog_index = i;
                         break;
                 }
         }
-        // if shell is /usr/bin/firejail, replace it with /bin/bash
-        if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-                cfg.shell = "/bin/bash";
-                prog_index = 0;
-        }
 
         if (prog_index == 0) {
-                cfg.command_line = cfg.shell;
+                // got no command, require a shell and try to execute it
+                cfg.shell = guess_shell();
+                if (!cfg.shell) {
+                        fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
+                        exit(1);
+                }
+
+                assert(cfg.command_line == NULL);
                 cfg.window_title = cfg.shell;
         } else {
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                // this sandbox might not allow execution of a shell
+                // force --shell=none in order to not break firecfg symbolic links
+                arg_shell_none = 1;
+
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
 
+        fwarning("an existing sandbox was detected. "
+                "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell);
+
         cfg.original_argv = argv;
         cfg.original_program_index = prog_index;
 
-        char *command;
-        if (prog_index == 0)
-                command = cfg.shell;
-        else
-                command = argv[prog_index];
-        fwarning("an existing sandbox was detected. "
-                "%s will run without any additional sandboxing features\n", command);
-
         arg_quiet = 1;
 
-        start_application(1);
+        start_application(1, -1, NULL);
 }
diff --git a/src/firejail/output.c b/src/firejail/output.c
index b99604ec4..ce10ab157 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,14 +22,21 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
+#ifdef HAVE_OUTPUT
 void check_output(int argc, char **argv) {
         EUID_ASSERT();
 
         int i;
         int outindex = 0;
         int enable_stderr = 0;
-        
+
         for (i = 1; i < argc; i++) {
+                if (strncmp(argv[i], "--", 2) != 0) {
+                        return;
+                }
+                if (strcmp(argv[i], "--") == 0) {
+                        return;
+                }
                 if (strncmp(argv[i], "--output=", 9) == 0) {
                         outindex = i;
                         break;
@@ -43,12 +50,20 @@ void check_output(int argc, char **argv) {
         if (!outindex)
                 return;
 
-
-        // check filename
         drop_privs(0);
         char *outfile = argv[outindex];
         outfile += (enable_stderr)? 16:9;
-        invalid_filename(outfile);
+
+        // check filename
+        invalid_filename(outfile, 0); // no globbing
+
+        // expand user home directory
+        if (outfile[0] == '~') {
+                char *full;
+                if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1)
+                        errExit("asprintf");
+                outfile = full;
+        }
 
         // do not accept directories, links, and files with ".."
         if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) {
@@ -71,39 +86,76 @@ void check_output(int argc, char **argv) {
                 }
         }
 
-        // build the new command line
-        int len = 0;
-        for (i = 0; i < argc; i++) {
-                len += strlen(argv[i]) + 1; // + ' '
+        int pipefd[2];
+        if (pipe(pipefd) == -1) {
+                errExit("pipe");
         }
-        len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
-
-        char *cmd = malloc(len + 1); // + '\0'
-        if (!cmd)
-                errExit("malloc");
-
-        char *ptr = cmd;
-        for (i = 0; i < argc; i++) {
-                if (strncmp(argv[i], "--output=", 9) == 0)
-                        continue;
-                if (strncmp(argv[i], "--output-stderr=", 16) == 0)
-                        continue;
-                ptr += sprintf(ptr, "%s ", argv[i]);
+
+        pid_t pid = fork();
+        if (pid == -1) {
+                errExit("fork");
+        } else if (pid == 0) {
+                /* child */
+                if (dup2(pipefd[0], STDIN_FILENO) == -1) {
+                        errExit("dup2");
+                }
+                close(pipefd[1]);
+                if (pipefd[0] != STDIN_FILENO) {
+                        close(pipefd[0]);
+                }
+
+                // restore some environment variables
+                env_apply_whitelist_sbox();
+
+                char *args[3];
+                args[0] = LIBDIR "/firejail/ftee";
+                args[1] = outfile;
+                args[2] = NULL;
+                execv(args[0], args);
+                perror("execvp");
+                exit(1);
+        }
+
+        /* parent */
+        if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
+                errExit("dup2");
+        }
+        if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) {
+                errExit("dup2");
+        }
+        close(pipefd[0]);
+        if (pipefd[1] != STDOUT_FILENO) {
+                close(pipefd[1]);
         }
-        
-        if (enable_stderr)
-                sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
-        else
-                sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
-
-        // run command
-        char *a[4];
-        a[0] = "/bin/bash";
-        a[1] = "-c";
-        a[2] = cmd;
-        a[3] = NULL;
-        execvp(a[0], a);
+
+        char **args = calloc(argc + 1, sizeof(char *));
+        if (!args) {
+                errExit("calloc");
+        }
+        bool found_separator = false;
+        /* copy argv into args, but drop --output(-stderr) arguments */
+        int j;
+        for (i = 0, j = 0; i < argc; i++) {
+                if (!found_separator && i > 0) {
+                        if (strncmp(argv[i], "--output=", 9) == 0) {
+                                continue;
+                        }
+                        if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
+                                continue;
+                        }
+                        if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) {
+                                found_separator = true;
+                        }
+                }
+                args[j++] = argv[i];
+        }
+
+        // restore original environment variables
+        env_apply_all();
+
+        execvp(args[0], args);
 
         perror("execvp");
         exit(1);
 }
+#endif
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index 454255717..d58a9d272 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,14 +24,15 @@ static char **paths = 0;
 static unsigned int path_cnt = 0;
 static unsigned int longest_path_elt = 0;
 
+static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning
 static void init_paths(void) {
-        char *path = getenv("PATH");
+        const char *env_path = env_get("PATH");
         char *p;
-        if (!path) {
-                path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin";
-                setenv("PATH", path, 1);
+        if (!env_path) {
+                env_path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin";
+                env_store_name_val("PATH", env_path, SETENV);
         }
-        path = strdup(path);
+        char *path = strdup(env_path);
         if (!path)
                 errExit("strdup");
 
@@ -44,12 +45,12 @@ static void init_paths(void) {
         paths = calloc(path_cnt, sizeof(char *));
         if (!paths)
                 errExit("calloc");
+        memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer
 
         // fill in 'paths' with pointers to elements of 'path'
-        char *elt;
         unsigned int i = 0, j;
         unsigned int len;
-        while ((elt = strsep(&path, ":")) != 0) {
+        while ((elt = strsep(&path, ":")) != NULL) {
                 // skip any entry that is not absolute
                 if (elt[0] != '/')
                         goto skip;
@@ -73,7 +74,7 @@ static void init_paths(void) {
                 skip:;
         }
 
-        assert(paths[i] == 0);
+        assert(paths[i] == NULL);
         // path_cnt may be too big now, if entries were skipped above
         path_cnt = i+1;
 }
@@ -135,7 +136,7 @@ int program_in_path(const char *program) {
                         // ('x' permission means something different for directories).
                         // exec follows symlinks, so use stat, not lstat.
                         struct stat st;
-                        if (stat(scratch, &st)) {
+                        if (stat_as_user(scratch, &st)) {
                                 perror(scratch);
                                 exit(1);
                         }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 5039c6238..1aafd1ca2 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -58,10 +58,28 @@ void preproc_build_firejail_dir(void) {
                 create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
         }
 
+        if (stat(RUN_FIREJAIL_DBUS_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755);
+                if (arg_debug)
+                        printf("Remounting the " RUN_FIREJAIL_DBUS_DIR
+                                   " directory as noexec\n");
+                if (mount(RUN_FIREJAIL_DBUS_DIR, RUN_FIREJAIL_DBUS_DIR, NULL,
+                                  MS_BIND, NULL) == -1)
+                        errExit("mounting " RUN_FIREJAIL_DBUS_DIR);
+                if (mount(NULL, RUN_FIREJAIL_DBUS_DIR, NULL,
+                                  MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV,
+                                  "mode=755,gid=0") == -1)
+                        errExit("remounting " RUN_FIREJAIL_DBUS_DIR);
+        }
+
         if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
                 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
         }
 
+        if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+        }
+
         if (stat(RUN_MNT_DIR, &s)) {
                 create_empty_dir_as_root(RUN_MNT_DIR, 0755);
         }
@@ -76,26 +94,33 @@ void preproc_mount_mnt_dir(void) {
         if (!tmpfs_mounted) {
                 if (arg_debug)
                         printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
-                if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                         errExit("mounting /run/firejail/mnt");
                 tmpfs_mounted = 1;
                 fs_logger2("tmpfs", RUN_MNT_DIR);
 
-#ifdef HAVE_SECCOMP
+                // open and mount trace file while there are no user-writable files in RUN_MNT_DIR
+                if (arg_tracefile)
+                        fs_tracefile();
+
+                create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
+
                 if (arg_seccomp_block_secondary)
                         copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
                 else {
                         //copy default seccomp files
                         copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
-                        copy_file(PATH_SECCOMP_64, RUN_SECCOMP_64, getuid(), getgid(), 0644); // root needed
                 }
-                if (arg_allow_debuggers)
+                if (arg_allow_debuggers) {
                         copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
-                else
+                        copy_file(PATH_SECCOMP_DEBUG_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+                } else
                         copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
 
-                if (arg_memory_deny_write_execute)
+                if (arg_memory_deny_write_execute) {
                         copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_MDWX_32, RUN_SECCOMP_MDWX_32, getuid(), getgid(), 0644); // root needed
+                }
                 // as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
                 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
                 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
@@ -103,19 +128,48 @@ void preproc_mount_mnt_dir(void) {
                 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
                 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
                         errExit("set_perms");
-#endif
+                create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
+                if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
+                        errExit("set_perms");
+        }
+}
+
+static void clean_dir(const char *name, int *pidarr, int start_pid, int max_pids) {
+        DIR *dir;
+        if (!(dir = opendir(name))) {
+                fwarning("cannot clean %s directory\n", name);
+                return; // we live to fight another day!
+        }
+
+        // clean leftover files
+        struct dirent *entry;
+        char *end;
+        while ((entry = readdir(dir)) != NULL) {
+                pid_t pid = strtol(entry->d_name, &end, 10);
+                pid %= max_pids;
+                if (end == entry->d_name || *end)
+                        continue;
+
+                if (pid < start_pid)
+                        continue;
+                if (pidarr[pid] == 0)
+                        delete_run_files(pid);
         }
+        closedir(dir);
 }
 
+
 // clean run directory
 void preproc_clean_run(void) {
         int max_pids=32769;
         int start_pid = 100;
         // extract real max_pids
-        FILE *fp = fopen("/proc/sys/kernel/pid_max", "r");
+        FILE *fp = fopen("/proc/sys/kernel/pid_max", "re");
         if (fp) {
                 int val;
                 if (fscanf(fp, "%d", &val) == 1) {
+                        if (val > 4194304)      // this is the max value supported on 64 bit Linux kernels
+                                val = 4194304;
                         if (val >= max_pids)
                                 max_pids = val + 1;
                 }
@@ -146,37 +200,16 @@ void preproc_clean_run(void) {
                 pid %= max_pids;
                 if (end == entry->d_name || *end)
                         continue;
-        
+
                 if (pid < start_pid)
                         continue;
                 pidarr[pid] = 1;
         }
         closedir(dir);
 
-        // open /run/firejail/profile directory
-        if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
-                // sleep 2 seconds and try again
-                sleep(2);
-                if (!(dir = opendir(RUN_FIREJAIL_PROFILE_DIR))) {
-                        fprintf(stderr, "Error: cannot open %s directory\n", RUN_FIREJAIL_PROFILE_DIR);
-                        exit(1);
-                }
-        }
-
-        // read /run/firejail/profile directory and clean leftover files
-        while ((entry = readdir(dir)) != NULL) {
-                pid_t pid = strtol(entry->d_name, &end, 10);
-                pid %= max_pids;
-                if (end == entry->d_name || *end)
-                        continue;
-        
-                if (pid < start_pid)
-                        continue;
-                if (pidarr[pid] == 0)
-                        clear_run_files(pid);
-        }
-        closedir(dir);
+        // clean profile and name directories
+        clean_dir(RUN_FIREJAIL_PROFILE_DIR, pidarr, start_pid, max_pids);
+        clean_dir(RUN_FIREJAIL_NAME_DIR, pidarr, start_pid, max_pids);
 
         free(pidarr);
 }
-
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 6880bcaa7..059100fcb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,33 +18,42 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include "../include/seccomp.h"
+#include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
+
 extern char *xephyr_screen;
 
 #define MAX_READ 8192                             // line buffer for profile files
 
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir) {
+// return  1 if a profile was found
+static int profile_find(const char *name, const char *dir, int add_ext) {
         EUID_ASSERT();
         assert(name);
         assert(dir);
 
         int rv = 0;
         DIR *dp;
-        char *pname;
-        if (asprintf(&pname, "%s.profile", name) == -1)
-                errExit("asprintf");
+        char *pname = NULL;
+        if (add_ext) {
+                if (asprintf(&pname, "%s.profile", name) == -1)
+                        errExit("asprintf");
+                else
+                        name = pname;
+        }
 
         dp = opendir (dir);
         if (dp != NULL) {
                 struct dirent *ep;
                 while ((ep = readdir(dp)) != NULL) {
-                        if (strcmp(ep->d_name, pname) == 0) {
+                        if (strcmp(ep->d_name, name) == 0) {
                                 if (arg_debug)
                                         printf("Found %s profile in %s directory\n", name, dir);
                                 char *etcpname;
-                                if (asprintf(&etcpname, "%s/%s", dir, pname) == -1)
+                                if (asprintf(&etcpname, "%s/%s", dir, name) == -1)
                                         errExit("asprintf");
                                 profile_read(etcpname);
                                 free(etcpname);
@@ -55,10 +64,27 @@ int profile_find(const char *name, const char *dir) {
                 (void) closedir (dp);
         }
 
-        free(pname);
+        if (pname)
+                free(pname);
         return rv;
 }
 
+// search and read the profile specified by name from firejail directories
+// return  1 if a profile was found
+int profile_find_firejail(const char *name, int add_ext) {
+        // look for a profile in ~/.config/firejail directory
+        char *usercfgdir;
+        if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        int rv = profile_find(name, usercfgdir, add_ext);
+        free(usercfgdir);
+
+        if (!rv)
+                // look for a user profile in /etc/firejail directory
+                rv = profile_find(name, SYSCONFDIR, add_ext);
+
+        return rv;
+}
 
 //***************************************************
 // run-time profiles
@@ -69,13 +95,7 @@ static void warning_feature_disabled(const char *feature) {
 }
 
 
-
-// check profile line; if line == 0, this was generated from a command line option
-// return 1 if the command is to be added to the linked list of profile commands
-// return 0 if the command was already executed inside the function
-int profile_check_line(char *ptr, int lineno, const char *fname) {
-        EUID_ASSERT();
-
+static int is_in_ignore_list(char *ptr) {
         // check ignore list
         int i;
         for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
@@ -86,30 +106,182 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {
                         // full word match
                         if (*(ptr + len) == '\0' || *(ptr + len) == ' ')
-                                return 0;       // ignore line
+                                return 1;       // ignore line
                 }
         }
 
-        if (strncmp(ptr, "ignore ", 7) == 0) {
-                char *str = strdup(ptr + 7);
-                if (*str == '\0') {
-                        fprintf(stderr, "Error: invalid ignore option\n");
-                        exit(1);
+        return 0;
+}
+
+void profile_add_ignore(const char *str) {
+        assert(str);
+        if (*str == '\0') {
+                fprintf(stderr, "Error: invalid ignore option\n");
+                exit(1);
+        }
+
+        // find an empty entry in profile_ignore array
+        int i;
+        for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
+                if (cfg.profile_ignore[i] == NULL)
+                        break;
+        }
+        if (i >= MAX_PROFILE_IGNORE) {
+                fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+                exit(1);
+        }
+        // ... and configure it
+        else {
+                cfg.profile_ignore[i] = strdup(str);
+                if (!cfg.profile_ignore[i])
+                        errExit("strdup");
+        }
+}
+
+typedef struct cond_t {
+        const char *name;       // conditional name
+        int (*check)(void);     // true if set
+} Cond;
+
+static int check_appimage(void) {
+        return arg_appimage != 0;
+}
+
+static int check_netoptions(void) {
+        return (arg_nonetwork || any_bridge_configured());
+}
+
+static int check_nodbus(void) {
+        return arg_dbus_user != DBUS_POLICY_ALLOW || arg_dbus_system != DBUS_POLICY_ALLOW;
+}
+
+static int check_nosound(void) {
+        return arg_nosound != 0;
+}
+
+static int check_private(void) {
+        return arg_private;
+}
+
+static int check_x11(void) {
+        return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11"));
+}
+
+static int check_disable_u2f(void) {
+        return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0;
+}
+
+static int check_allow_drm(void) {
+        return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
+}
+
+Cond conditionals[] = {
+        {"HAS_APPIMAGE", check_appimage},
+        {"HAS_NET", check_netoptions},
+        {"HAS_NODBUS", check_nodbus},
+        {"HAS_NOSOUND", check_nosound},
+        {"HAS_PRIVATE", check_private},
+        {"HAS_X11", check_x11},
+        {"BROWSER_DISABLE_U2F", check_disable_u2f},
+        {"BROWSER_ALLOW_DRM", check_allow_drm},
+        { NULL, NULL }
+};
+
+int profile_check_conditional(char *ptr, int lineno, const char *fname) {
+        char *tmp = ptr, *msg = NULL;
+
+        if (*ptr++ != '?')
+                return 1;
+
+        Cond *cond = conditionals;
+        while (cond->name) {
+                // continue if not this conditional
+                if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
+                        cond++;
+                        continue;
                 }
-                // find an empty entry in profile_ignore array
-                int j;
-                for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
-                        if (cfg.profile_ignore[j] == NULL)
-                                break;
+                ptr += strlen(cond->name);
+
+                if (*ptr == ' ')
+                        ptr++;
+                if (*ptr++ != ':') {
+                        msg = "invalid conditional syntax: colon must come after conditional";
+                        ptr = tmp;
+                        goto error;
                 }
-                if (j >= MAX_PROFILE_IGNORE) {
-                        fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
-                        exit(1);
+                if (*ptr == '\0') {
+                        msg = "invalid conditional syntax: no profile line after conditional";
+                        ptr = tmp;
+                        goto error;
                 }
-                // ... and configure it
-                else
-                        cfg.profile_ignore[j] = str;
+                if (*ptr == ' ')
+                        ptr++;
+
+                // if set, continue processing statement in caller
+                int value = cond->check();
+                if (value) {
+                        // move ptr to start of profile line
+                        ptr = strdup(ptr);
+                        if (!ptr)
+                                errExit("strdup");
+
+                        // check that the profile line does not contain either
+                        // quiet or include directives
+                        if ((strncmp(ptr, "quiet", 5) == 0) ||
+                            (strncmp(ptr, "include", 7) == 0)) {
+                                msg = "invalid conditional syntax: quiet and include not allowed in conditionals";
+                                ptr = tmp;
+                                goto error;
+                        }
+                        free(tmp);
+
+                        // verify syntax, exit in case of error
+                        if (arg_debug)
+                                printf("conditional %s, %s\n", cond->name, ptr);
+                        if (profile_check_line(ptr, lineno, fname))
+                                profile_add(ptr);
+                }
+                // tell caller to ignore
+                return 0;
+        }
+
+        tmp = ptr;
+        // get the conditional used
+        while (*tmp != ':' && *tmp != '\0')
+                tmp++;
+        *tmp = '\0';
+
+        // this was a '?' prefix, but didn't match any of the conditionals
+        msg = "invalid/unsupported conditional";
+
+error:
+        fprintf(stderr, "Error: %s (\"%s\"", msg, ptr);
+        if (lineno == 0) ;
+        else if (fname != NULL)
+                fprintf(stderr, " on line %d in %s", lineno, fname);
+        else
+                fprintf(stderr, " on line %d in the custom profile", lineno);
+        fprintf(stderr, ")\n");
+        exit(1);
+}
+
+
+// check profile line; if line == 0, this was generated from a command line option
+// return 1 if the command is to be added to the linked list of profile commands
+// return 0 if the command was already executed inside the function
+int profile_check_line(char *ptr, int lineno, const char *fname) {
+        EUID_ASSERT();
 
+        // check and process conditional profile lines
+        if (profile_check_conditional(ptr, lineno, fname) == 0)
+                return 0;
+
+        // check ignore list
+        if (is_in_ignore_list(ptr))
+                return 0;
+
+        if (strncmp(ptr, "ignore ", 7) == 0) {
+                profile_add_ignore(ptr + 7);
                 return 0;
         }
 
@@ -162,12 +334,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "seccomp") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_seccomp = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         else if (strcmp(ptr, "caps") == 0) {
@@ -190,7 +360,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_private = 1;
                 return 0;
         }
-        if (strncmp(ptr, "private-home ", 13) == 0) {
+        else if (strncmp(ptr, "private-home ", 13) == 0) {
 #ifdef HAVE_PRIVATE_HOME
                 if (checkcfg(CFG_PRIVATE_HOME)) {
                         if (cfg.home_private_keep) {
@@ -205,26 +375,59 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
+        else if (strcmp(ptr, "private-cwd") == 0) {
+                cfg.cwd = NULL;
+                arg_private_cwd = 1;
+                return 0;
+        }
+        else if (strncmp(ptr, "private-cwd ", 12) == 0) {
+                fs_check_private_cwd(ptr + 12);
+                arg_private_cwd = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "allusers") == 0) {
                 arg_allusers = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "private-cache") == 0) {
+#ifdef HAVE_USERTMPFS
+                if (checkcfg(CFG_PRIVATE_CACHE))
+                        arg_private_cache = 1;
+                else
+                        warning_feature_disabled("private-cache");
+#endif
+                return 0;
+        }
         else if (strcmp(ptr, "private-dev") == 0) {
                 arg_private_dev = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "keep-dev-shm") == 0) {
+                arg_keep_dev_shm = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "private-tmp") == 0) {
                 arg_private_tmp = 1;
                 return 0;
         }
         else if (strcmp(ptr, "nogroups") == 0) {
-                arg_nogroups = 1;
+                // nvidia cards require video group; disable nogroups
+                if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+                        fwarning("Warning: NVIDIA card detected, nogroups command disabled\n");
+                        arg_nogroups = 0;
+                }
+                else
+                        arg_nogroups = 1;
                 return 0;
         }
         else if (strcmp(ptr, "nosound") == 0) {
                 arg_nosound = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "noautopulse") == 0) {
+                arg_keep_config_pulse = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "notv") == 0) {
                 arg_notv = 1;
                 return 0;
@@ -241,8 +444,153 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
-        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
-                arg_allow_private_blacklist = 1;
+        else if (strcmp(ptr, "noinput") == 0) {
+                arg_noinput = 1;
+                return 0;
+        }
+        else if (strcmp(ptr, "nodbus") == 0) {
+#ifdef HAVE_DBUSPROXY
+                arg_dbus_user = DBUS_POLICY_BLOCK;
+                arg_dbus_system = DBUS_POLICY_BLOCK;
+#endif
+                return 0;
+        }
+        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+#ifdef HAVE_DBUSPROXY
+                ptr += 10;
+                if (strcmp("filter", ptr) == 0) {
+                        if (arg_dbus_user == DBUS_POLICY_BLOCK) {
+                                fprintf(stderr, "Error: Cannot relax dbus-user policy, it is already set to block\n");
+                        } else {
+                                arg_dbus_user = DBUS_POLICY_FILTER;
+                        }
+                } else if (strcmp("none", ptr) == 0) {
+                        if (arg_dbus_log_user) {
+                                fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_user = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
+                        exit(1);
+                }
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_name(ptr + 14)) {
+                        fprintf(stderr, "Invalid dbus-user.see name: %s\n", ptr + 15);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_name(ptr + 15)) {
+                        fprintf(stderr, "Error: Invalid dbus-user.talk name: %s\n", ptr + 15);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_name(ptr + 14)) {
+                        fprintf(stderr, "Error: Invalid dbus-user.own name: %s\n", ptr + 14);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.call ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_call_rule(ptr + 15)) {
+                        fprintf(stderr, "Error: Invalid dbus-user.call rule: %s\n", ptr + 15);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_call_rule(ptr + 20)) {
+                        fprintf(stderr, "Error: Invalid dbus-user.broadcast rule: %s\n", ptr + 20);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+#ifdef HAVE_DBUSPROXY
+                ptr += 12;
+                if (strcmp("filter", ptr) == 0) {
+                        if (arg_dbus_system == DBUS_POLICY_BLOCK) {
+                                fprintf(stderr, "Error: Cannot relax dbus-system policy, it is already set to block\n");
+                        } else {
+                                arg_dbus_system = DBUS_POLICY_FILTER;
+                        }
+                } else if (strcmp("none", ptr) == 0) {
+                        if (arg_dbus_log_system) {
+                                fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_system = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Error: Unknown dbus-system policy: %s\n", ptr);
+                        exit(1);
+                }
+#endif
+                return 0;
+        }
+        else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_name(ptr + 16)) {
+                        fprintf(stderr, "Error: Invalid dbus-system.see name: %s\n", ptr + 17);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_name(ptr + 17)) {
+                        fprintf(stderr, "Error: Invalid dbus-system.talk name: %s\n", ptr + 17);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_name(ptr + 16)) {
+                        fprintf(stderr, "Error: Invalid dbus-system.own name: %s\n", ptr + 16);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.call ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_call_rule(ptr + 17)) {
+                        fprintf(stderr, "Error: Invalid dbus-system.call rule: %s\n", ptr + 17);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) {
+#ifdef HAVE_DBUSPROXY
+                if (!dbus_check_call_rule(ptr + 22)) {
+                        fprintf(stderr, "Error: Invalid dbus-system.broadcast rule: %s\n", ptr + 22);
+                        exit(1);
+                }
+#endif
+                return 1;
+        }
+        else if (strcmp(ptr, "nou2f") == 0) {
+                arg_nou2f = 1;
                 return 0;
         }
         else if (strcmp(ptr, "netfilter") == 0) {
@@ -282,40 +630,32 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strcmp(ptr, "net none") == 0) {
+        else if (strncmp(ptr, "netns  ", 6) == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
-                        arg_nonetwork  = 1;
-                        cfg.bridge0.configured = 0;
-                        cfg.bridge1.configured = 0;
-                        cfg.bridge2.configured = 0;
-                        cfg.bridge3.configured = 0;
-                        cfg.interface0.configured = 0;
-                        cfg.interface1.configured = 0;
-                        cfg.interface2.configured = 0;
-                        cfg.interface3.configured = 0;
+                        arg_netns = ptr + 6;
+                        check_netns(arg_netns);
                 }
                 else
                         warning_feature_disabled("networking");
 #endif
                 return 0;
         }
+        else if (strcmp(ptr, "net none") == 0) {
+                arg_nonetwork  = 1;
+                cfg.bridge0.configured = 0;
+                cfg.bridge1.configured = 0;
+                cfg.bridge2.configured = 0;
+                cfg.bridge3.configured = 0;
+                cfg.interface0.configured = 0;
+                cfg.interface1.configured = 0;
+                cfg.interface2.configured = 0;
+                cfg.interface3.configured = 0;
+                return 0;
+        }
         else if (strncmp(ptr, "net ", 4) == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                        // compile time restricted networking
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-                                exit(1);
-                        }
-#endif
-                        // run time restricted networking
-                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-                                exit(1);
-                        }
-
                         if (strcmp(ptr + 4, "lo") == 0) {
                                 fprintf(stderr, "Error: cannot attach to lo device\n");
                                 exit(1);
@@ -334,7 +674,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                 fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
                                 exit(1);
                         }
-                        net_configure_bridge(br, ptr + 4);
+                        br->dev = ptr + 4;
+                        br->configured = 1;
                 }
                 else
                         warning_feature_disabled("networking");
@@ -399,10 +740,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                 fprintf(stderr, "Error: invalid IP range\n");
                                 exit(1);
                         }
-                        if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) {
-                                fprintf(stderr, "Error: IP range addresses not in network range\n");
-                                exit(1);
-                        }
                 }
                 else
                         warning_feature_disabled("networking");
@@ -430,6 +767,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                 fprintf(stderr, "Error: invalid MAC address\n");
                                 exit(1);
                         }
+
+                        // check multicast address
+                        if (br->macsandbox[0] & 1) {
+                                fprintf(stderr, "Error: invalid MAC address (multicast)\n");
+                                exit(1);
+                        }
                 }
                 else
                         warning_feature_disabled("networking");
@@ -457,6 +800,40 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        else if (strncmp(ptr, "netmask ", 8) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->arg_ip_none || br->masksandbox) {
+                                fprintf(stderr, "Error: cannot configure the network mask twice for the same interface\n");
+                                exit(1);
+                        }
+
+                        // configure this network mask for the last bridge defined
+                        if (atoip(ptr + 8, &br->masksandbox)) {
+                                fprintf(stderr, "Error: invalid  network mask\n");
+                                exit(1);
+                        }
+
+                        // if the bridge is not configured, use this mask as the bridge mask
+                        if (br->mask == 0)
+                                br->mask = br->masksandbox;
+                        else {
+                                fprintf(stderr, "Error: interface %s already has a network mask defined; "
+                                        "please remove --netmask\n",
+                                        br->dev);
+                                exit(1);
+                        }
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
         else if (strncmp(ptr, "ip ", 3) == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
@@ -473,7 +850,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         // configure this IP address for the last bridge defined
                         if (strcmp(ptr + 3, "none") == 0)
                                 br->arg_ip_none = 1;
-                        else {
+                        else if (strcmp(ptr + 3, "dhcp") == 0) {
+                                br->arg_ip_none = 1;
+                                br->arg_ip_dhcp = 1;
+                        } else {
                                 if (atoip(ptr + 3, &br->ipsandbox)) {
                                         fprintf(stderr, "Error: invalid IP address\n");
                                         exit(1);
@@ -494,19 +874,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                 fprintf(stderr, "Error: no network device configured\n");
                                 exit(1);
                         }
-                        if (br->arg_ip_none || br->ip6sandbox) {
+                        if (br->arg_ip6_dhcp || br->ip6sandbox) {
                                 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
                                 exit(1);
                         }
 
                         // configure this IP address for the last bridge defined
-                        // todo: verify ipv6 syntax
-                        br->ip6sandbox = ptr + 4;
-//                      if (atoip(argv[i] + 5, &br->ipsandbox)) {
-//                              fprintf(stderr, "Error: invalid IP address\n");
-//                              exit(1);
-//                      }
+                        if (strcmp(ptr + 4, "dhcp") == 0)
+                                br->arg_ip6_dhcp = 1;
+                        else {
+                                if (check_ip46_address(ptr + 4) == 0) {
+                                        fprintf(stderr, "Error: invalid IPv6 address\n");
+                                        exit(1);
+                                }
 
+                                br->ip6sandbox = strdup(ptr + 4);
+                                if (br->ip6sandbox == NULL)
+                                        errExit("strdup");
+                        }
                 }
                 else
                         warning_feature_disabled("networking");
@@ -536,21 +921,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
 
         if (strncmp(ptr, "protocol ", 9) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
-                        if (cfg.protocol) {
-                                fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
-                                return 0;
-                        }
-
-                        // store list
-                        cfg.protocol = strdup(ptr + 9);
-                        if (!cfg.protocol)
-                                errExit("strdup");
+                        const char *add = ptr + 9;
+                        profile_list_augment(&cfg.protocol, add);
+                        if (arg_debug)
+                                fprintf(stderr, "[profile] combined protocol list: \"%s\"\n", cfg.protocol);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
@@ -565,62 +943,107 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // seccomp drop list on top of default list
         if (strncmp(ptr, "seccomp ", 8) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list = seccomp_check_list(ptr + 8);
                 }
                 else if (!arg_quiet)
                         warning_feature_disabled("seccomp");
-#endif
+
+                return 0;
+        }
+        if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp32 = 1;
+                        cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
+                }
+                else if (!arg_quiet)
+                        warning_feature_disabled("seccomp");
 
                 return 0;
         }
 
         if (strcmp(ptr, "seccomp.block-secondary") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp_block_secondary = 1;
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         // seccomp drop list without default list
         if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
+                return 0;
+        }
+        if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp32 = 1;
+                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
+                }
+                else
+                        warning_feature_disabled("seccomp");
                 return 0;
         }
 
         // seccomp keep list
         if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
+                return 0;
+        }
+        if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp32 = 1;
+                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
+                }
+                else
+                        warning_feature_disabled("seccomp");
                 return 0;
         }
 
         // memory deny write&execute
         if (strcmp(ptr, "memory-deny-write-execute") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_memory_deny_write_execute = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
+                return 0;
+        }
+
+        // seccomp error action
+        if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
+                if (checkcfg(CFG_SECCOMP)) {
+                        int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
+                        if (config_seccomp_error_action == -1) {
+                                if (strcmp(ptr + 21, "kill") == 0)
+                                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        arg_seccomp_error_action = SECCOMP_RET_LOG;
+                                else {
+                                        arg_seccomp_error_action = errno_find_name(ptr + 21);
+                                        if (arg_seccomp_error_action == -1)
+                                                errExit("seccomp-error-action: unknown errno");
+                                }
+                                cfg.seccomp_error_action = strdup(ptr + 21);
+                                if (!cfg.seccomp_error_action)
+                                        errExit("strdup");
+                        } else {
+                                arg_seccomp_error_action = config_seccomp_error_action;
+                                cfg.seccomp_error_action = config_seccomp_error_action_str;
+                                warning_feature_disabled("seccomp-error-action");
+                        }
+                } else
+                        warning_feature_disabled("seccomp");
                 return 0;
         }
 
@@ -660,21 +1083,26 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // dns
         if (strncmp(ptr, "dns ", 4) == 0) {
-                uint32_t dns;
-                if (atoip(ptr + 4, &dns)) {
-                        fprintf(stderr, "Error: invalid DNS server IP address\n");
-                        return 1;
+
+                if (check_ip46_address(ptr + 4) == 0) {
+                        fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n");
+                        exit(1);
                 }
+                char *dns = strdup(ptr + 4);
+                if (!dns)
+                        errExit("strdup");
 
-                if (cfg.dns1 == 0)
+                if (cfg.dns1 == NULL)
                         cfg.dns1 = dns;
-                else if (cfg.dns2 == 0)
+                else if (cfg.dns2 == NULL)
                         cfg.dns2 = dns;
-                else if (cfg.dns3 == 0)
+                else if (cfg.dns3 == NULL)
                         cfg.dns3 = dns;
+                else if (cfg.dns4 == NULL)
+                        cfg.dns4 = dns;
                 else {
-                        fprintf(stderr, "Error: up to 3 DNS servers can be specified\n");
-                        return 1;
+                        fwarning("Warning: up to 4 DNS servers can be specified, %s ignored\n", dns);
+                        free(dns);
                 }
                 return 0;
         }
@@ -686,7 +1114,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
 
         // nice value
-        if (strncmp(ptr, "nice ", 4) == 0) {
+        if (strncmp(ptr, "nice ", 5) == 0) {
                 cfg.nice = atoi(ptr + 5);
                 if (getuid() != 0 &&cfg.nice < 0)
                         cfg.nice = 0;
@@ -696,7 +1124,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // cgroup
         if (strncmp(ptr, "cgroup ", 7) == 0) {
-                set_cgroup(ptr + 7);
+                if (checkcfg(CFG_CGROUP))
+                        set_cgroup(ptr + 7);
+                else
+                        warning_feature_disabled("cgroup");
                 return 0;
         }
 
@@ -714,11 +1145,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_machineid = 1;
                 return 0;
         }
+
+        if (strcmp(ptr, "keep-config-pulse") == 0) {
+                arg_keep_config_pulse = 1;
+                return 0;
+        }
+
         // writable-var
         if (strcmp(ptr, "writable-var") == 0) {
                 arg_writable_var = 1;
                 return 0;
         }
+        // don't overwrite /var/tmp
+        if (strcmp(ptr, "keep-var-tmp") == 0) {
+                arg_keep_var_tmp = 1;
+                return 0;
+        }
         // writable-run-user
         if (strcmp(ptr, "writable-run-user") == 0) {
                 arg_writable_run_user = 1;
@@ -737,6 +1179,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strcmp(ptr, "allow-debuggers") == 0) {
+                arg_allow_debuggers = 1;
+                return 0;
+        }
+
         if (strcmp(ptr, "x11 none") == 0) {
                 arg_x11_block = 1;
                 return 0;
@@ -745,7 +1192,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         if (strcmp(ptr, "x11 xephyr") == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
-                        char *x11env = getenv("FIREJAIL_X11");
+                        const char *x11env = env_get("FIREJAIL_X11");
                         if (x11env && strcmp(x11env, "yes") == 0) {
                                 return 0;
                         }
@@ -774,7 +1221,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         if (strcmp(ptr, "x11 xpra") == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
-                        char *x11env = getenv("FIREJAIL_X11");
+                        const char *x11env = env_get("FIREJAIL_X11");
                         if (x11env && strcmp(x11env, "yes") == 0) {
                                 return 0;
                         }
@@ -793,7 +1240,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         if (strcmp(ptr, "x11 xvfb") == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
-                        char *x11env = getenv("FIREJAIL_X11");
+                        const char *x11env = env_get("FIREJAIL_X11");
                         if (x11env && strcmp(x11env, "yes") == 0) {
                                 return 0;
                         }
@@ -812,7 +1259,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         if (strcmp(ptr, "x11") == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
-                        char *x11env = getenv("FIREJAIL_X11");
+                        const char *x11env = env_get("FIREJAIL_X11");
                         if (x11env && strcmp(x11env, "yes") == 0) {
                                 return 0;
                         }
@@ -830,56 +1277,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
-                if (arg_writable_etc) {
-                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                        exit(1);
-                }
-                if (cfg.etc_private_keep) {
-                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.etc_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_ETC)) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        if (cfg.etc_private_keep) {
+                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.etc_private_keep = ptr + 12;
+                        }
+                        arg_private_etc = 1;
                 }
-                arg_private_etc = 1;
-
+                else
+                        warning_feature_disabled("private-etc");
                 return 0;
         }
 
         // private /opt list of files and directories
         if (strncmp(ptr, "private-opt ", 12) == 0) {
-                if (cfg.opt_private_keep) {
-                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.opt_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_OPT)) {
+                        if (cfg.opt_private_keep) {
+                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.opt_private_keep = ptr + 12;
+                        }
+                        arg_private_opt = 1;
                 }
-                arg_private_opt = 1;
-
+                else
+                        warning_feature_disabled("private-opt");
                 return 0;
         }
 
         // private /srv list of files and directories
         if (strncmp(ptr, "private-srv ", 12) == 0) {
-                if (cfg.srv_private_keep) {
-                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.srv_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_SRV)) {
+                        if (cfg.srv_private_keep) {
+                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.srv_private_keep = ptr + 12;
+                        }
+                        arg_private_srv = 1;
                 }
-                arg_private_srv = 1;
-
+                else
+                        warning_feature_disabled("private-srv");
                 return 0;
         }
 
         // private /bin list of files
         if (strncmp(ptr, "private-bin ", 12) == 0) {
-                if (cfg.bin_private_keep) {
-                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.bin_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_BIN)) {
+                        if (cfg.bin_private_keep) {
+                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.bin_private_keep = ptr + 12;
+                        }
+                        arg_private_bin = 1;
                 }
-                arg_private_bin = 1;
+                else
+                        warning_feature_disabled("private-bin");
                 return 0;
         }
 
@@ -905,6 +1365,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_OVERLAYFS
         if (strncmp(ptr, "overlay-named ", 14) == 0) {
                 if (checkcfg(CFG_OVERLAYFS)) {
+                        if (arg_overlay) {
+                                fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                exit(1);
+                        }
                         if (cfg.chrootdir) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                 exit(1);
@@ -925,17 +1389,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         }
 
                         // check name
-                        invalid_filename(subdirname);
+                        invalid_filename(subdirname, 0); // no globbing
                         if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
                                 fprintf(stderr, "Error: invalid overlay name\n");
                                 exit(1);
                         }
                         cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
                 }
-
+                else
+                        warning_feature_disabled("overlayfs");
                 return 0;
+
         } else if (strcmp(ptr, "overlay-tmpfs") == 0) {
                 if (checkcfg(CFG_OVERLAYFS)) {
+                        if (arg_overlay) {
+                                fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                exit(1);
+                        }
                         if (cfg.chrootdir) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                 exit(1);
@@ -946,11 +1416,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                 exit(1);
                         }
                         arg_overlay = 1;
-
-                        return 0;
                 }
+                else
+                        warning_feature_disabled("overlayfs");
+                return 0;
+
         } else if (strcmp(ptr, "overlay") == 0) {
                 if (checkcfg(CFG_OVERLAYFS)) {
+                        if (arg_overlay) {
+                                fprintf(stderr, "Error: only one overlay command is allowed\n");
+                                exit(1);
+                        }
                         if (cfg.chrootdir) {
                                 fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
                                 exit(1);
@@ -969,22 +1445,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
 
                         free(subdirname);
-
-                        return 0;
                 }
+                else
+                        warning_feature_disabled("overlayfs");
+                return 0;
         }
 #endif
 
         // filesystem bind
         if (strncmp(ptr, "bind ", 5) == 0) {
-#ifdef HAVE_BIND
                 if (checkcfg(CFG_BIND)) {
+                        // extract two directories
                         if (getuid() != 0) {
                                 fprintf(stderr, "Error: --bind option is available only if running as root\n");
                                 exit(1);
                         }
 
-                        // extract two directories
                         char *dname1 = ptr + 5;
                         char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
                         if (dname2 == NULL) {
@@ -993,8 +1469,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         }
 
                         // check directories
-                        invalid_filename(dname1);
-                        invalid_filename(dname2);
+                        invalid_filename(dname1, 0); // no globbing
+                        invalid_filename(dname2, 0); // no globbing
                         if (strstr(dname1, "..") || strstr(dname2, "..")) {
                                 fprintf(stderr, "Error: invalid file name.\n");
                                 exit(1);
@@ -1010,7 +1486,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 }
                 else
                         warning_feature_disabled("bind");
-#endif
                 return 0;
         }
 
@@ -1021,14 +1496,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         sscanf(ptr + 14, "%llu", &cfg.rlimit_nofile);
                         arg_rlimit_nofile = 1;
                 }
+                else if (strncmp(ptr, "rlimit-cpu ", 11) == 0) {
+                        check_unsigned(ptr + 11, "Error: invalid rlimit in profile file: ");
+                        sscanf(ptr + 11, "%llu", &cfg.rlimit_cpu);
+                        arg_rlimit_cpu = 1;
+                }
                 else if (strncmp(ptr, "rlimit-nproc ", 13) == 0) {
                         check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
                         sscanf(ptr + 13, "%llu", &cfg.rlimit_nproc);
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-                        check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
-                        sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(ptr + 13);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1036,35 +1519,55 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         sscanf(ptr + 18, "%llu", &cfg.rlimit_sigpending);
                         arg_rlimit_sigpending = 1;
                 }
+                else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
+                        cfg.rlimit_as = parse_arg_size(ptr + 10);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
+                        arg_rlimit_as = 1;
+                }
                 else {
-                        fprintf(stderr, "Invalid rlimit option on line %d\n", lineno);
+                        fprintf(stderr, "Error: Invalid rlimit option on line %d\n", lineno);
                         exit(1);
                 }
 
                 return 0;
         }
 
-        if (strncmp(ptr, "join-or-start ", 14) == 0) {
-                // try to join by name only
-                pid_t pid;
-                if (!name2pid(ptr + 14, &pid)) {
-                        if (!cfg.shell && !arg_shell_none)
-                                cfg.shell = guess_shell();
-
-                        // find first non-option arg
-                        int i;
-                        for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
+        if (strncmp(ptr, "timeout ", 8) == 0) {
+                cfg.timeout = extract_timeout(ptr +8);
+                return 0;
+        }
 
-                        join(pid, cfg.original_argc,cfg.original_argv, i + 1);
-                        exit(0);
-                }
+        if (strncmp(ptr, "join-or-start ", 14) == 0) {
+                if (checkcfg(CFG_JOIN) || getuid() == 0) {
+                        // try to join by name only
+                        pid_t pid;
+                        EUID_ROOT();
+                        int r = name2pid(ptr + 14, &pid);
+                        EUID_USER();
+                        if (!r) {
+                                if (!cfg.shell && !arg_shell_none)
+                                        cfg.shell = guess_shell();
+
+                                // find first non-option arg
+                                int i;
+                                for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++);
+
+                                join(pid, cfg.original_argc,cfg.original_argv, i + 1);
+                                exit(0);
+                        }
 
-                // set sandbox name and start normally
-                cfg.name = ptr + 14;
-                if (strlen(cfg.name) == 0) {
-                        fprintf(stderr, "Error: invalid sandbox name\n");
-                        exit(1);
+                        // set sandbox name and start normally
+                        cfg.name = ptr + 14;
+                        if (strlen(cfg.name) == 0) {
+                                fprintf(stderr, "Error: invalid sandbox name\n");
+                                exit(1);
+                        }
                 }
+                else
+                        warning_feature_disabled("join");
                 return 0;
         }
 
@@ -1073,6 +1576,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strcmp(ptr, "deterministic-exit-code") == 0) {
+                arg_deterministic_exit_code = 1;
+                return 0;
+        }
+
         // rest of filesystem
         if (strncmp(ptr, "blacklist ", 10) == 0)
                 ptr += 10;
@@ -1081,16 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noblacklist ", 12) == 0)
                 ptr += 12;
         else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
-                if (checkcfg(CFG_WHITELIST)) {
-                        arg_whitelist = 1;
-                        ptr += 10;
-                }
-                else
-                        return 0;
-#else
-                return 0;
-#endif
+                arg_whitelist = 1;
+                ptr += 10;
         }
         else if (strncmp(ptr, "nowhitelist ", 12) == 0)
                 ptr += 12;
@@ -1101,10 +1601,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noexec ", 7) == 0)
                 ptr += 7;
         else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+#ifndef HAVE_USERTMPFS
                 if (getuid() != 0) {
                         fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
                         exit(1);
                 }
+#endif
                 ptr += 6;
         }
         else {
@@ -1118,7 +1620,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
 
         // some characters just don't belong in filenames
-        invalid_filename(ptr);
+        invalid_filename(ptr, 1); // globbing
         if (strstr(ptr, "..")) {
                 if (lineno == 0)
                         fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
@@ -1165,23 +1667,24 @@ void profile_read(const char *fname) {
         }
 
         // check file
-        invalid_filename(fname);
+        invalid_filename(fname, 0); // no globbing
         if (strlen(fname) == 0 || is_dir(fname)) {
                 fprintf(stderr, "Error: invalid profile file\n");
                 exit(1);
         }
         if (access(fname, R_OK)) {
+                int errsv = errno;
                 // if the file ends in ".local", do not exit
                 const char *base = gnu_basename(fname);
                 char *ptr = strstr(base, ".local");
-                if (ptr && strlen(ptr) == 6)
+                if (ptr && strlen(ptr) == 6 && errsv != EACCES)
                         return;
 
-                fprintf(stderr, "Error: cannot access profile file\n");
+                fprintf(stderr, "Error: cannot access profile file: %s\n", fname);
                 exit(1);
         }
 
-        // allow debuggers
+        // --allow-debuggers - skip disable-devel.inc file
         if (arg_allow_debuggers) {
                 char *tmp = strrchr(fname, '/');
                 if (tmp && *(tmp + 1) != '\0') {
@@ -1190,36 +1693,26 @@ void profile_read(const char *fname) {
                                 return;
                 }
         }
+        // --appimage - skip disable-shell.inc file
+        if (arg_appimage) {
+                char *tmp = strrchr(fname, '/');
+                if (tmp && *(tmp + 1) != '\0') {
+                        tmp++;
+                        if (strcmp(tmp, "disable-shell.inc") == 0)
+                                return;
+                }
+        }
 
         // open profile file:
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (fp == NULL) {
                 fprintf(stderr, "Error: cannot open profile file %s\n", fname);
                 exit(1);
         }
 
         // save the name of the file for --profile.print option
-        if (include_level == 0) {
-                char *runfile;
-                if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, getpid()) == -1)
-                        errExit("asprintf");
-
-                EUID_ROOT();
-                // the file is deleted first
-                FILE *fp = fopen(runfile, "w");
-                if (!fp) {
-                        fprintf(stderr, "Error: cannot create %s\n", runfile);
-                        exit(1);
-                }
-                fprintf(fp, "%s\n", fname);
-
-                // mode and ownership
-                SET_PERMS_STREAM(fp, 0, 0, 0644);
-                fclose(fp);
-                EUID_USER();
-                free(runfile);
-        }
-
+        if (include_level == 0)
+                set_profile_run_file(getpid(), fname);
 
         int msg_printed = 0;
 
@@ -1228,44 +1721,100 @@ void profile_read(const char *fname) {
         int lineno = 0;
         while (fgets(buf, MAX_READ, fp)) {
                 ++lineno;
+
+                // remove comments
+                char *ptr = strchr(buf, '#');
+                if (ptr)
+                        *ptr = '\0';
+
                 // remove empty space - ptr in allocated memory
-                char *ptr = line_remove_spaces(buf);
+                ptr = line_remove_spaces(buf);
                 if (ptr == NULL)
                         continue;
-
-                // comments
-                if (*ptr == '#' || *ptr == '\0') {
+                if (*ptr == '\0') {
                         free(ptr);
                         continue;
                 }
 
+                // translate allow/deny to whitelist/blacklist
+                if (strncmp(ptr, "allow ", 6) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "deny ", 5) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "deny-nolog ", 11) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                // translate noallow/nodeny to nowhitelist/noblacklist
+                else if (strncmp(ptr, "noallow ", 8) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "nodeny ", 7) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+
                 // process quiet
+                // todo: a quiet in the profile file cannot be disabled by --ignore on command line
                 if (strcmp(ptr, "quiet") == 0) {
-                        arg_quiet = 1;
+                        if (is_in_ignore_list(ptr))
+                                arg_quiet = 0;
+                        else if (!arg_debug)
+                                arg_quiet = 1;
                         free(ptr);
                         continue;
                 }
                 if (!msg_printed) {
-                        if (!arg_quiet)
-                                fprintf(stderr, "Reading profile %s\n", fname);
+                        fmessage("Reading profile %s\n", fname);
                         msg_printed = 1;
                 }
 
                 // process include
-                if (strncmp(ptr, "include ", 8) == 0) {
+                if (strncmp(ptr, "include ", 8) == 0 && !is_in_ignore_list(ptr)) {
                         include_level++;
 
-                        // extract profile filename and new skip params
-                        char *newprofile = ptr + 8; // profile name
-
-                        // expand ${HOME}/ in front of the new profile file
-                        char *newprofile2 = expand_home(newprofile, cfg.homedir);
+                        // expand macros in front of the include profile file
+                        char *newprofile = expand_macros(ptr + 8);
+
+                        char *ptr2 = newprofile;
+                        while (*ptr2 != '/' && *ptr2 != '\0')
+                                ptr2++;
+                        // profile path contains no / chars, do a search
+                        if (*ptr2 == '\0') {
+                                int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory
+                                if (!rv) {
+                                        // maybe this is a file in the local working directory?
+                                        // it will stop the sandbox if not!
+                                        // Note: if the file ends in .local it will not stop the program
+                                        profile_read(newprofile);
+                                }
+                        }
+                        else {
+                                profile_read(newprofile);
+                        }
 
-                        // recursivity
-                        profile_read((newprofile2)? newprofile2:newprofile);
                         include_level--;
-                        if (newprofile2)
-                                free(newprofile2);
+                        free(newprofile);
                         free(ptr);
                         continue;
                 }
@@ -1277,9 +1826,148 @@ void profile_read(const char *fname) {
 //              else {
 //                      free(ptr);
 //              }
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         fclose(fp);
 }
+
+char *profile_list_normalize(char *list)
+{
+        /* Remove redundant commas.
+         *
+         * As result is always shorter than original,
+         * in-place copying can be used.
+         */
+        size_t i = 0;
+        size_t j = 0;
+        int c;
+        while (list[i] == ',')
+                ++i;
+        while ((c = list[i++])) {
+                if (c == ',') {
+                        while (list[i] == ',')
+                                ++i;
+                        if (list[i] == 0)
+                                break;
+                }
+                list[j++] = c;
+        }
+        list[j] = 0;
+        return list;
+}
+
+char *profile_list_compress(char *list)
+{
+        size_t i;
+
+        /* Comma separated list is processed so that:
+         * "item"  -> adds item to list
+         * "-item" -> removes item from list
+         * "+item" -> adds item to list
+         * "=item" -> clear list, add item
+         *
+         * For example:
+         * ,a,,,b,,,c, -> a,b,c
+         * a,,b,,,c,a  -> a,b,c
+         * a,b,c,-a    -> b,c
+         * a,b,c,-a,a  -> b,c,a
+         * a,+b,c      -> a,b,c
+         * a,b,=c,d    -> c,d
+         * a,b,c,=     ->
+         */
+        profile_list_normalize(list);
+
+        /* Count items: comma count + 1 */
+        size_t count = 1;
+        for (i = 0; list[i]; ++i) {
+                if (list[i] == ',')
+                        ++count;
+        }
+
+        /* Collect items in an array */
+        char *in[count];
+        count = 0;
+        in[count++] = list;
+        for (i = 0; list[i]; ++i) {
+                if (list[i] != ',')
+                        continue;
+                list[i] = 0;
+                in[count++] = list + i + 1;
+        }
+
+        /* Filter array: add, remove, reset, filter out duplicates */
+        for (i = 0; i < count; ++i) {
+                char *item = in[i];
+                assert(item);
+
+                size_t k;
+                switch (*item) {
+                case '-':
+                        ++item;
+                        /* Do not include this item */
+                        in[i] = 0;
+                        /* Remove if already included */
+                        for (k = 0; k < i; ++k) {
+                                if (in[k] && !strcmp(in[k], item)) {
+                                        in[k] = 0;
+                                        break;
+                                }
+                        }
+                        break;
+                case '+':
+                        /* Allow +/- symmetry */
+                        in[i] = ++item;
+                        /* FALLTHRU */
+                default:
+                        /* Adding empty item is a NOP */
+                        if (!*item) {
+                                in[i] = 0;
+                                break;
+                        }
+                        /* Include item unless it is already included */
+                        for (k = 0; k < i; ++k) {
+                                if (in[k] && !strcmp(in[k], item)) {
+                                        in[i] = 0;
+                                        break;
+                                }
+                        }
+                        break;
+                case '=':
+                        in[i] = ++item;
+                        /* Include non-empty item */
+                        if (!*item)
+                                in[i] = 0;
+                        /* Remove all already included items */
+                        for (k = 0; k < i; ++k)
+                                in[k] = 0;
+                        break;
+                }
+        }
+
+        /* Copying back using in-place data works because the
+         * original order is retained and no item gets longer
+         * than what it used to be.
+         */
+        char *pos = list;
+        for (i = 0; i < count; ++i) {
+                char *item = in[i];
+                if (!item)
+                        continue;
+                if (pos > list)
+                        *pos++ = ',';
+                while (*item)
+                        *pos++ = *item++;
+        }
+        *pos = 0;
+        return list;
+}
+
+void profile_list_augment(char **list, const char *items)
+{
+        char *tmp = 0;
+        if (asprintf(&tmp, "%s,%s", *list ?: "", items ?: "") < 0)
+                errExit("asprintf");
+        free(*list);
+        *list = profile_list_compress(tmp);
+}
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 9524d6617..f21f8c96e 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,13 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 
 void protocol_filter_save(void) {
         // save protocol filter configuration in PROTOCOL_CFG
-        FILE *fp = fopen(RUN_PROTOCOL_CFG, "w");
+        FILE *fp = fopen(RUN_PROTOCOL_CFG, "wxe");
         if (!fp)
                 errExit("fopen");
         fprintf(fp, "%s\n", cfg.protocol);
@@ -36,7 +35,7 @@ void protocol_filter_load(const char *fname) {
         assert(fname);
 
         // read protocol filter configuration from PROTOCOL_CFG
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         if (!fp)
                 return;
 
@@ -64,29 +63,11 @@ void protocol_print_filter(pid_t pid) {
 
         (void) pid;
 #ifdef SYS_socket
-        // if the pid is that of a firejail  process, use the pid of the first child process
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                        }
-                }
-                free(comm);
-        }
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
 
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
         // find the seccomp filter
         EUID_ROOT();
@@ -108,9 +89,6 @@ void protocol_print_filter(pid_t pid) {
         exit(0);
 #else
         fwarning("--protocol not supported on this platform\n");
-        return;
+        exit(1);
 #endif
 }
-
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 2f8cd5f7d..f8d4c2f3c 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,56 +20,37 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/statvfs.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <errno.h>
 #include <sys/wait.h>
 
-static void disable_file(const char *path, const char *file) {
-        assert(file);
-        assert(path);
-
-        struct stat s;
-        char *fname;
-        if (asprintf(&fname, "%s/%s", path, file) == -1)
-                errExit("asprintf");
-        if (stat(fname, &s) == -1)
-                goto doexit;
-
-        if (arg_debug)
-                printf("Disable%s\n", fname);
-
-        if (S_ISDIR(s.st_mode)) {
-                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                        errExit("disable file");
-        }
-        else {
-                if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                        errExit("disable file");
-        }
-        fs_logger2("blacklist", fname);
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
-doexit:
-        free(fname);
-}
+#define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
 
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
         if (arg_debug)
                 printf("disable pulseaudio\n");
         // blacklist user config directory
-        disable_file(cfg.homedir, ".config/pulse");
+        disable_file_path(cfg.homedir, ".config/pulse");
 
 
         // blacklist pulseaudio socket in XDG_RUNTIME_DIR
-        char *name = getenv("XDG_RUNTIME_DIR");
+        const char *name = env_get("XDG_RUNTIME_DIR");
         if (name)
-                disable_file(name, "pulse/native");
+                disable_file_path(name, "pulse/native");
 
         // try the default location anyway
         char *path;
         if (asprintf(&path, "/run/user/%d", getuid()) == -1)
                 errExit("asprintf");
-        disable_file(path, "pulse/native");
+        disable_file_path(path, "pulse");
         free(path);
 
 
@@ -87,125 +68,98 @@ void pulseaudio_disable(void) {
         struct dirent *entry;
         while ((entry = readdir(dir))) {
                 if (strncmp(entry->d_name, "pulse-", 6) == 0) {
-                        disable_file("/tmp", entry->d_name);
+                        disable_file_path("/tmp", entry->d_name);
                 }
         }
 
         closedir(dir);
-
 }
 
-
-// disable shm in pulseaudio
+// disable shm in pulseaudio (issue #69)
 void pulseaudio_init(void) {
-        struct stat s;
-
         // do we have pulseaudio in the system?
-        if (stat("/etc/pulse/client.conf", &s) == -1)
+        if (access(PULSE_CLIENT_SYSCONF, R_OK)) {
+                if (arg_debug)
+                        printf("Cannot read %s\n", PULSE_CLIENT_SYSCONF);
                 return;
+        }
 
-        // create the new user pulseaudio directory
-        int rv = mkdir(RUN_PULSE_DIR, 0700);
-        (void) rv; // in --chroot mode the directory can already be there
-        if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
-                errExit("set_perms");
+        // create ~/.config/pulse directory if not present
+        char *homeusercfg = NULL;
+        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
 
+        free(homeusercfg);
+        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
+        // create the new user pulseaudio directory
+        // that will be mounted over ~/.config/pulse
+        if (mkdir(RUN_PULSE_DIR, 0700) == -1)
+                errExit("mkdir");
+        selinux_relabel_path(RUN_PULSE_DIR, homeusercfg);
+        fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0);
         // create the new client.conf file
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
                 errExit("asprintf");
-        if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed
+        if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed
                 errExit("copy_file");
-        FILE *fp = fopen(pulsecfg, "a+");
+        FILE *fp = fopen(pulsecfg, "ae");
         if (!fp)
                 errExit("fopen");
         fprintf(fp, "%s", "\nenable-shm = no\n");
         SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
         fclose(fp);
+        // hand over the directory to the user
+        if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
+                errExit("set_perms");
 
-        // create ~/.config/pulse directory if not present
-        char *dir1;
-        if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (stat(dir1, &s) == -1) {
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        int rv = mkdir(dir1, 0755);
-                        if (rv == 0) {
-                                if (set_perms(dir1, getuid(), getgid(), 0755))
-                                        {;} // do nothing
-                        }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-        }
-        else {
-                // make sure the directory is owned by the user
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: user .config directory is not owned by the current user\n");
-                        exit(1);
-                }
+        // if ~/.config/pulse exists and there are no symbolic links, mount the new directory
+        // else set environment variable
+        EUID_USER();
+        int fd = safer_openat(-1, homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        EUID_ROOT();
+        if (fd == -1) {
+                fwarning("not mounting tmpfs on %s\n", homeusercfg);
+                env_store_name_val("PULSE_CLIENTCONFIG", pulsecfg, SETENV);
+                goto out;
         }
-        free(dir1);
-
-        if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
+        // preserve a read-only mount
+        struct statvfs vfs;
+        if (fstatvfs(fd, &vfs) == -1)
+                errExit("fstatvfs");
+        if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
+                fs_remount(RUN_PULSE_DIR, MOUNT_READONLY, 0);
+        // mount via the link in /proc/self/fd
+        if (arg_debug)
+                printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
+        if (bind_mount_path_to_fd(RUN_PULSE_DIR, fd))
+                errExit("mount pulseaudio");
+        // check /proc/self/mountinfo to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
+                errLogExit("invalid pulseaudio mount");
+        fs_logger2("tmpfs", homeusercfg);
+        close(fd);
+
+        char *p;
+        if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
                 errExit("asprintf");
-        if (stat(dir1, &s) == -1) {
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        int rv = mkdir(dir1, 0700);
-                        if (rv == 0) {
-                                if (set_perms(dir1, getuid(), getgid(), 0700))
-                                        {;} // do nothing
-                        }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
-                        _exit(0);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-        }
-        else {
-                // make sure the directory is owned by the user
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: user .config/pulse directory is not owned by the current user\n");
-                        exit(1);
-                }
-        }
-        free(dir1);
+        env_store_name_val("PULSE_CLIENTCONFIG", p, SETENV);
+        fs_logger2("create", p);
+        free(p);
 
+        // RUN_PULSE_DIR not needed anymore, mask it
+        if (mount("tmpfs", RUN_PULSE_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mount pulseaudio");
+        fs_logger2("tmpfs", RUN_PULSE_DIR);
 
-        // if we have ~/.config/pulse mount the new directory, else set environment variable
-        char *homeusercfg;
-        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (stat(homeusercfg, &s) == 0) {
-                if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0 ||
-                    mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("mount pulseaudio");
-                fs_logger2("tmpfs", homeusercfg);
-        }
-        else {
-                // set environment
-                if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
-                        errExit("setenv");
-        }
-
+out:
         free(pulsecfg);
         free(homeusercfg);
 }
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 87ee513af..6f17231a4 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,15 +18,19 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
-#include "../../uids.h"
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
 #define MAXBUF 1024
 
@@ -41,6 +45,8 @@ static void ulist_add(const char *user) {
         assert(user);
 
         USER_LIST *nlist = malloc(sizeof(USER_LIST));
+        if (!nlist)
+                errExit("malloc");
         memset(nlist, 0, sizeof(USER_LIST));
         nlist->user = user;
         nlist->next = ulist;
@@ -62,32 +68,30 @@ static USER_LIST *ulist_find(const char *user) {
 
 static void sanitize_home(void) {
         assert(getuid() != 0);  // this code works only for regular users
+        struct stat s;
 
         if (arg_debug)
                 printf("Cleaning /home directory\n");
-
-        struct stat s;
-        if (stat(cfg.homedir, &s) == -1) {
-                // cannot find home directory, just return
-                fwarning("cannot find home directory\n");
-                return;
+        // open user home directory in order to keep it around
+        int fd = safer_openat(-1, cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                goto errout;
+        if (fstat(fd, &s) == -1) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                goto errout;
         }
 
-        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
-                errExit("mkdir");
-
-        // keep a copy of the user home directory
-        if (mount(cfg.homedir, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-
-        // mount tmpfs in the new home
-        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+        // mount tmpfs on /home
+        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                 errExit("mount tmpfs");
+        selinux_relabel_path("/home", "/home");
         fs_logger("tmpfs /home");
 
-        // create user home directory
+        // create new user home directory
         if (mkdir(cfg.homedir, 0755) == -1) {
-                if (mkpath_as_root(cfg.homedir))
+                if (mkpath_as_root(cfg.homedir) == -1)
                         errExit("mkpath");
                 if (mkdir(cfg.homedir, 0755) == -1)
                         errExit("mkdir");
@@ -97,26 +101,70 @@ static void sanitize_home(void) {
         // set mode and ownership
         if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
                 errExit("set_perms");
+        selinux_relabel_path(cfg.homedir, cfg.homedir);
 
-        // mount user home directory
-        if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        // bring back real user home directory
+        if (bind_mount_fd_to_path(fd, cfg.homedir))
                 errExit("mount bind");
+        close(fd);
 
-        // mask home dir under /run
-        if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("mount tmpfs");
-        fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
         if (!arg_private)
                 fs_logger2("whitelist", cfg.homedir);
+        return;
 
+errout:
+        fwarning("cannot clean /home directory\n");
+}
+
+static void sanitize_run(void) {
+        if (arg_debug)
+                printf("Cleaning /run/user directory\n");
+
+        char *runuser;
+        if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
+                errExit("asprintf");
+
+        // open /run/user/$UID directory in order to keep it around
+        int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1) {
+                if (arg_debug)
+                        printf("Cannot open %s directory\n", runuser);
+                free(runuser);
+                return;
+        }
+
+        // mount tmpfs on /run/user
+        if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mount tmpfs");
+        selinux_relabel_path("/run/user", "/run/user");
+        fs_logger("tmpfs /run/user");
+
+        // create new user directory
+        if (mkdir(runuser, 0700) == -1)
+                errExit("mkdir");
+        fs_logger2("mkdir", runuser);
+
+        // set mode and ownership
+        if (set_perms(runuser, getuid(), getgid(), 0700))
+                errExit("set_perms");
+        selinux_relabel_path(runuser, runuser);
+
+        // bring back real run/user/$UID directory
+        if (bind_mount_fd_to_path(fd, runuser))
+                errExit("mount bind");
+        close(fd);
+
+        fs_logger2("whitelist", runuser);
+        free(runuser);
 }
 
 static void sanitize_passwd(void) {
         struct stat s;
         if (stat("/etc/passwd", &s) == -1)
                 return;
+        assert(uid_min);
         if (arg_debug)
-                printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN);
+                printf("Sanitizing /etc/passwd, UID_MIN %d\n", uid_min);
         if (is_link("/etc/passwd")) {
                 fprintf(stderr, "Error: invalid /etc/passwd\n");
                 exit(1);
@@ -127,10 +175,10 @@ static void sanitize_passwd(void) {
 
         // open files
         /* coverity[toctou] */
-        fpin = fopen("/etc/passwd", "r");
+        fpin = fopen("/etc/passwd", "re");
         if (!fpin)
                 goto errout;
-        fpout = fopen(RUN_PASSWD_FILE, "w");
+        fpout = fopen(RUN_PASSWD_FILE, "we");
         if (!fpout)
                 goto errout;
 
@@ -167,7 +215,8 @@ static void sanitize_passwd(void) {
                 int rv = sscanf(ptr, "%d:", &uid);
                 if (rv == 0 || uid < 0)
                         goto errout;
-                if (uid < UID_MIN || uid == 65534) { // on Debian platforms user nobody is 65534
+                assert(uid_min);
+                if (uid < uid_min || uid == 65534) { // on Debian platforms user nobody is 65534
                         fprintf(fpout, "%s", buf);
                         continue;
                 }
@@ -189,6 +238,11 @@ static void sanitize_passwd(void) {
         // mount-bind tne new password file
         if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_PASSWD_FILE
+        if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/passwd");
 
         return;
@@ -248,8 +302,9 @@ static void sanitize_group(void) {
         struct stat s;
         if (stat("/etc/group", &s) == -1)
                 return;
+        assert(gid_min);
         if (arg_debug)
-                printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN);
+                printf("Sanitizing /etc/group, GID_MIN %d\n", gid_min);
         if (is_link("/etc/group")) {
                 fprintf(stderr, "Error: invalid /etc/group\n");
                 exit(1);
@@ -260,10 +315,10 @@ static void sanitize_group(void) {
 
         // open files
         /* coverity[toctou] */
-        fpin = fopen("/etc/group", "r");
+        fpin = fopen("/etc/group", "re");
         if (!fpin)
                 goto errout;
-        fpout = fopen(RUN_GROUP_FILE, "w");
+        fpout = fopen(RUN_GROUP_FILE, "we");
         if (!fpout)
                 goto errout;
 
@@ -299,7 +354,8 @@ static void sanitize_group(void) {
                 int rv = sscanf(ptr, "%d:", &gid);
                 if (rv == 0 || gid < 0)
                         goto errout;
-                if (gid < GID_MIN || gid == 65534) { // on Debian platforms 65534 is group nogroup
+                assert(gid_min);
+                if (gid < gid_min || gid == 65534) { // on Debian platforms 65534 is group nogroup
                         if (copy_line(fpout, buf, ptr))
                                 goto errout;
                         continue;
@@ -317,6 +373,11 @@ static void sanitize_group(void) {
         // mount-bind tne new group file
         if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_GROUP_FILE
+        if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/group");
 
         return;
@@ -342,10 +403,11 @@ void restrict_users(void) {
                 else {
                         // user has the home directory outside /home
                         // mount tmpfs on top of /home in order to hide it
-                        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                                 errExit("mount tmpfs");
                         fs_logger("tmpfs /home");
                 }
+                sanitize_run();
                 sanitize_passwd();
                 sanitize_group();
         }
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index d09a2c7e5..ed66903b5 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -32,7 +32,7 @@ int restricted_shell(const char *user) {
         char *fname;
         if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
                 errExit("asprintf");
-        FILE *fp = fopen(fname, "r");
+        FILE *fp = fopen(fname, "re");
         free(fname);
         if (fp == NULL)
                 return 0;
@@ -96,7 +96,7 @@ int restricted_shell(const char *user) {
                                 fullargv[i] = ptr;
 #ifdef DEBUG_RESTRICTED_SHELL
                                 {EUID_ROOT();
-                                FILE *fp = fopen("/firelog", "a");
+                                FILE *fp = fopen("/firelog", "ae");
                                 if (fp) {
                                         fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]);
                                         fclose(fp);
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index 99127673e..f177f4b89 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,18 +18,43 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/time.h>
 #include <sys/resource.h>
 
 void set_rlimits(void) {
+        EUID_ASSERT();
         // resource limits
         struct rlimit rl;
+        if (arg_rlimit_cpu) {
+                if (getrlimit(RLIMIT_CPU, &rl) == -1)
+                        errExit("getrlimit");
+                if (cfg.rlimit_cpu > rl.rlim_max && getuid() != 0)
+                        cfg.rlimit_cpu = rl.rlim_max;
+                // set the new limit
+                rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
+                rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
+
+                __gcov_dump();
+
+                if (setrlimit(RLIMIT_CPU, &rl) == -1)
+                        errExit("setrlimit");
+                if (arg_debug)
+                        printf("Config rlimit: max cpu time %llu\n", cfg.rlimit_cpu);
+        }
+
         if (arg_rlimit_nofile) {
+                if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
+                        errExit("getrlimit");
+                if (cfg.rlimit_nofile > rl.rlim_max && getuid() != 0)
+                        cfg.rlimit_nofile = rl.rlim_max;
+                // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
-#ifdef HAVE_GCOV        // gcov-instrumented programs might crash at this point
+
+                // gcov-instrumented programs might crash at this point
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -37,11 +62,16 @@ void set_rlimits(void) {
         }
 
         if (arg_rlimit_nproc) {
+                if (getrlimit(RLIMIT_NPROC, &rl) == -1)
+                        errExit("getrlimit");
+                if (cfg.rlimit_nproc > rl.rlim_max && getuid() != 0)
+                        cfg.rlimit_nproc = rl.rlim_max;
+                // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NPROC, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -49,11 +79,16 @@ void set_rlimits(void) {
         }
 
         if (arg_rlimit_fsize) {
+                if (getrlimit(RLIMIT_FSIZE, &rl) == -1)
+                        errExit("getrlimit");
+                if (cfg.rlimit_fsize > rl.rlim_max && getuid() != 0)
+                        cfg.rlimit_fsize = rl.rlim_max;
+                // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
                 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_FSIZE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -61,14 +96,36 @@ void set_rlimits(void) {
         }
 
         if (arg_rlimit_sigpending) {
+                if (getrlimit(RLIMIT_SIGPENDING, &rl) == -1)
+                        errExit("getrlimit");
+                if (cfg.rlimit_sigpending > rl.rlim_max && getuid() != 0)
+                        cfg.rlimit_sigpending = rl.rlim_max;
+                // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
                 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
                         printf("Config rlimit: maximum number of signals pending %llu\n", cfg.rlimit_sigpending);
         }
+
+        if (arg_rlimit_as) {
+                if (getrlimit(RLIMIT_AS, &rl) == -1)
+                        errExit("getrlimit");
+                if (cfg.rlimit_as > rl.rlim_max && getuid() != 0)
+                        cfg.rlimit_as = rl.rlim_max;
+                // set the new limit
+                rl.rlim_cur = (rlim_t) cfg.rlimit_as;
+                rl.rlim_max = (rlim_t) cfg.rlimit_as;
+
+                __gcov_dump();
+
+                if (setrlimit(RLIMIT_AS, &rl) == -1)
+                        errExit("setrlimit");
+                if (arg_debug)
+                        printf("Config rlimit: maximum virtual memory %llu\n", cfg.rlimit_as);
+        }
 }
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
new file mode 100644
index 000000000..c28c3e01b
--- /dev/null
+++ b/src/firejail/run_files.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "firejail.h"
+#include "../include/pid.h"
+#define BUFLEN 4096
+
+static void delete_x11_run_file(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+                errExit("asprintf");
+        int rv = unlink(fname);
+        (void) rv;
+        free(fname);
+}
+
+static void delete_profile_run_file(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1)
+                errExit("asprintf");
+        int rv = unlink(fname);
+        (void) rv;
+        free(fname);
+}
+
+static void delete_name_run_file(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+                errExit("asprintf");
+        int rv = unlink(fname);
+        (void) rv;
+        free(fname);
+}
+
+void delete_bandwidth_run_file(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
+                errExit("asprintf");
+        unlink(fname);
+        free(fname);
+}
+
+static void delete_network_run_file(pid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
+                errExit("asprintf");
+        unlink(fname);
+        free(fname);
+}
+
+
+
+void delete_run_files(pid_t pid) {
+        delete_bandwidth_run_file(pid);
+        delete_network_run_file(pid);
+        delete_name_run_file(pid);
+        delete_x11_run_file(pid);
+        delete_profile_run_file(pid);
+}
+
+static char *newname(char *name) {
+        char *rv = name;
+        pid_t pid;
+
+        if (checkcfg(CFG_NAME_CHANGE)) {
+                // try the name
+                if (name2pid(name, &pid))
+                        return name;
+
+                // return name-pid
+                if (asprintf(&rv, "%s-%d", name, getpid()) == -1)
+                        errExit("asprintf");
+        }
+
+        return rv;
+}
+
+
+void set_name_run_file(pid_t pid) {
+        cfg.name = newname(cfg.name);
+
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+                errExit("asprintf");
+
+        // the file is deleted first
+        FILE *fp = fopen(fname, "we");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+        fprintf(fp, "%s\n", cfg.name);
+
+        // mode and ownership
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+        fclose(fp);
+}
+
+
+void set_x11_run_file(pid_t pid, int display) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+                errExit("asprintf");
+
+        // the file is deleted first
+        FILE *fp = fopen(fname, "we");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+        fprintf(fp, "%d\n", display);
+
+        // mode and ownership
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+        fclose(fp);
+}
+
+void set_profile_run_file(pid_t pid, const char *fname) {
+        char *runfile;
+        if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1)
+                errExit("asprintf");
+
+        EUID_ROOT();
+        // the file is deleted first
+        FILE *fp = fopen(runfile, "we");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create %s\n", runfile);
+                exit(1);
+        }
+        fprintf(fp, "%s\n", fname);
+
+        // mode and ownership
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+        fclose(fp);
+        EUID_USER();
+        free(runfile);
+}
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index ed885d3b1..77fac5438 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -22,7 +22,9 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-void run_symlink(int argc, char **argv) {
+extern char *find_in_path(const char *program);
+
+void run_symlink(int argc, char **argv, int run_as_is) {
         EUID_ASSERT();
 
         char *program = strrchr(argv[0], '/');
@@ -30,69 +32,43 @@ void run_symlink(int argc, char **argv) {
                 program += 1;
         else
                 program = argv[0];
-        if (strcmp(program, "firejail") == 0)
+        if (strcmp(program, "firejail") == 0) // this is a regular "firejail program" sandbox starting
                 return;
 
-        // find the real program
-        // probably the first entry returend by "which -a" is a symlink - use the second entry!
-        char *p = getenv("PATH");
-        if (!p) {
+        // drop privileges
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
+
+        // find the real program by looking in PATH
+        const char *path = env_get("PATH");
+        if (!path) {
                 fprintf(stderr, "Error: PATH environment variable not set\n");
                 exit(1);
         }
 
-        char *path = strdup(p);
-        if (!path)
-                errExit("strdup");
-
-        char *selfpath = realpath("/proc/self/exe", NULL);
-        if (!selfpath)
-                errExit("realpath");
-
-        // look in path for our program
-        char *tok = strtok(path, ":");
-        int found = 0;
-        while (tok) {
-                char *name;
-                if (asprintf(&name, "%s/%s", tok, program) == -1)
-                        errExit("asprintf");
-
-                struct stat s;
-                if (stat(name, &s) == 0) {
-                        /* coverity[toctou] */
-                        char* rp = realpath(name, NULL);
-                        if (!rp)
-                                errExit("realpath");
-
-                        if (strcmp(selfpath, rp) != 0) {
-                                program = strdup(name);
-                                found = 1;
-                                free(rp);
-                                break;
-                        }
-
-                        free(rp);
-                }
-
-                free(name);
-                tok = strtok(NULL, ":");
-        }
-        if (!found) {
+        char *p = find_in_path(program);
+        if (!p) {
                 fprintf(stderr, "Error: cannot find the program in the path\n");
                 exit(1);
         }
+        program = p;
 
-        free(selfpath);
+        // restore original umask
+        umask(orig_umask);
 
+        // restore original environment variables
+        env_apply_all();
 
-        // start the argv[0] program in a new sandbox
-        // drop privileges
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
+        // desktop integration is not supported for root user; instead, the original program is started
+        if (getuid() == 0 || run_as_is) {
+                argv[0] = program;
+                execv(program, argv);
+                exit(1);
+        }
 
-        // run command
+        // start the argv[0] program in a new sandbox
         char *a[3 + argc];
         a[0] =PATH_FIREJAIL;
         a[1] = program;
@@ -101,6 +77,7 @@ void run_symlink(int argc, char **argv) {
                 a[i + 2] = argv[i + 1];
         }
         a[i + 2] = NULL;
+        assert(env_get("LD_PRELOAD") == NULL);
         assert(getenv("LD_PRELOAD") == NULL);
         execvp(a[0], a);
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index abdbbfecd..995827fb7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,16 +19,19 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include "../include/seccomp.h"
+#include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
-#include <sys/prctl.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <syscall.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -37,26 +40,22 @@
 
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+#ifndef PR_GET_NO_NEW_PRIVS
+#define PR_GET_NO_NEW_PRIVS 39
 #endif
 
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif
-#include <syscall.h>
-
-
-#ifdef HAVE_SECCOMP
-int enforce_seccomp = 0;
-#endif
 
+static int force_nonewprivs = 0;
 
 static int monitored_pid = 0;
 static void sandbox_handler(int sig){
-        if (!arg_quiet) {
-                printf("\nChild received signal %d, shutting down the sandbox...\n", sig);
-                fflush(0);
-        }
+        usleep(10000); // don't race to print a message
+        fmessage("\nChild received signal %d, shutting down the sandbox...\n", sig);
 
         // broadcast sigterm to all processes in the group
         kill(-1, SIGTERM);
@@ -68,7 +67,7 @@ static void sandbox_handler(int sig){
                 if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)
                         errExit("asprintf");
                 while (monsec) {
-                        FILE *fp = fopen(monfile, "r");
+                        FILE *fp = fopen(monfile, "re");
                         if (!fp)
                                 break;
 
@@ -84,17 +83,32 @@ static void sandbox_handler(int sig){
                         monsec--;
                 }
                 free(monfile);
-
         }
 
-
         // broadcast a SIGKILL
         kill(-1, SIGKILL);
-        flush_stdin();
 
-        exit(sig);
+        flush_stdin();
+        exit(128 + sig);
 }
 
+static void install_handler(void) {
+        struct sigaction sga;
+
+        // block SIGTERM while handling SIGINT
+        sigemptyset(&sga.sa_mask);
+        sigaddset(&sga.sa_mask, SIGTERM);
+        sga.sa_handler = sandbox_handler;
+        sga.sa_flags = 0;
+        sigaction(SIGINT, &sga, NULL);
+
+        // block SIGINT while handling SIGTERM
+        sigemptyset(&sga.sa_mask);
+        sigaddset(&sga.sa_mask, SIGINT);
+        sga.sa_handler = sandbox_handler;
+        sga.sa_flags = 0;
+        sigaction(SIGTERM, &sga, NULL);
+}
 
 static void set_caps(void) {
         if (arg_caps_drop_all)
@@ -105,18 +119,50 @@ static void set_caps(void) {
                 caps_keep_list(arg_caps_list);
         else if (arg_caps_default_filter)
                 caps_default_filter();
-        
+
         // drop discretionary access control capabilities for root sandboxes
         // if caps.keep, the user has to set it manually in the list
         if (!arg_caps_keep)
                 caps_drop_dac_override();
 }
 
-void save_nogroups(void) {
+#ifdef HAVE_APPARMOR
+void set_apparmor(void) {
+        EUID_ASSERT();
+        if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
+                if (aa_change_onexec("firejail-default")) {
+                        fwarning("Cannot confine the application using AppArmor.\n"
+                                "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+                                "As root, run \"aa-enforce firejail-default\" to load it.\n");
+                }
+                else if (arg_debug)
+                        printf("AppArmor enabled\n");
+        }
+}
+#endif
+
+static void seccomp_debug(void) {
+        if (arg_debug == 0)
+                return;
+
+        EUID_USER();
+        printf("Seccomp directory:\n");
+        ls(RUN_SECCOMP_DIR);
+        struct stat s;
+        if (stat(RUN_SECCOMP_LIST, &s) == 0) {
+                printf("Active seccomp files:\n");
+                cat(RUN_SECCOMP_LIST);
+        }
+        else
+                printf("No active seccomp files\n");
+        EUID_ROOT();
+}
+
+static void save_nogroups(void) {
         if (arg_nogroups == 0)
                 return;
 
-        FILE *fp = fopen(RUN_GROUPS_CFG, "w");
+        FILE *fp = fopen(RUN_GROUPS_CFG, "wxe");
         if (fp) {
                 fprintf(fp, "\n");
                 SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
@@ -126,7 +172,48 @@ void save_nogroups(void) {
                 fprintf(stderr, "Error: cannot save nogroups state\n");
                 exit(1);
         }
+}
+
+static void save_nonewprivs(void) {
+        if (arg_nonewprivs == 0)
+                return;
+
+        FILE *fp = fopen(RUN_NONEWPRIVS_CFG, "wxe");
+        if (fp) {
+                fprintf(fp, "\n");
+                SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
+                fclose(fp);
+        }
+        else {
+                fprintf(stderr, "Error: cannot save nonewprivs state\n");
+                exit(1);
+        }
+}
+
+static void save_umask(void) {
+        FILE *fp = fopen(RUN_UMASK_FILE, "wxe");
+        if (fp) {
+                fprintf(fp, "%o\n", orig_umask);
+                SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644
+                fclose(fp);
+        }
+        else {
+                fprintf(stderr, "Error: cannot save umask\n");
+                exit(1);
+        }
+}
 
+static char *create_join_file(void) {
+        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        if (fd == -1)
+                errExit("open");
+        if (ftruncate(fd, 1) == -1)
+                errExit("ftruncate");
+        char *rv = mmap(NULL, 1, PROT_WRITE, MAP_SHARED, fd, 0);
+        if (rv == MAP_FAILED)
+                errExit("mmap");
+        close(fd);
+        return rv;
 }
 
 static void sandbox_if_up(Bridge *br) {
@@ -140,7 +227,7 @@ static void sandbox_if_up(Bridge *br) {
         if (br->arg_ip_none == 1);      // do nothing
         else if (br->arg_ip_none == 0 && br->macvlan == 0) {
                 if (br->ipsandbox == br->ip) {
-                        fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev);
+                        fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev);
                         exit(1);
                 }
 
@@ -158,13 +245,17 @@ static void sandbox_if_up(Bridge *br) {
                         br->ipsandbox = arp_assign(dev, br); //br->ip, br->mask);
                 else {
                         if (br->ipsandbox == br->ip) {
-                                fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev);
+                                fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev);
+                                exit(1);
+                        }
+                        if (br->ipsandbox == cfg.defaultgw) {
+                                fprintf(stderr, "Error: %d.%d.%d.%d is the default gateway, exiting...\n", PRINT_IP(br->ipsandbox));
                                 exit(1);
                         }
 
                         uint32_t rv = arp_check(dev, br->ipsandbox);
                         if (rv) {
-                                fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use.\n", PRINT_IP(br->ipsandbox));
+                                fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use, exiting...\n", PRINT_IP(br->ipsandbox));
                                 exit(1);
                         }
                 }
@@ -181,8 +272,7 @@ static void sandbox_if_up(Bridge *br) {
 
 static void chk_chroot(void) {
         // if we are starting firejail inside some other container technology, we don't care about this
-        char *mycont = getenv("container");
-        if (mycont)
+        if (env_get("container"))
                 return;
 
         // check if this is a regular chroot
@@ -197,11 +287,29 @@ static void chk_chroot(void) {
 }
 
 static int monitor_application(pid_t app_pid) {
+        EUID_ASSERT();
         monitored_pid = app_pid;
-        signal (SIGTERM, sandbox_handler);
-        EUID_USER();
+
+        // block signals and install handler
+        sigset_t oldmask, newmask;
+        sigemptyset(&oldmask);
+        sigemptyset(&newmask);
+        sigaddset(&newmask, SIGTERM);
+        sigaddset(&newmask, SIGINT);
+        sigprocmask(SIG_BLOCK, &newmask, &oldmask);
+        install_handler();
+
+        // handle --timeout
+        int options = 0;;
+        unsigned timeout = 0;
+        if (cfg.timeout) {
+                options = WNOHANG;
+                timeout = cfg.timeout;
+                sleep(1);
+        }
 
         int status = 0;
+        int app_status = 0;
         while (monitored_pid) {
                 usleep(20000);
                 char *msg;
@@ -214,24 +322,39 @@ static int monitor_application(pid_t app_pid) {
 
                 pid_t rv;
                 do {
-                        rv = waitpid(-1, &status, 0);
-                        if (rv == -1)
+                        // handle signals asynchronously
+                        sigprocmask(SIG_SETMASK, &oldmask, NULL);
+
+                        rv = waitpid(-1, &status, options);
+
+                        // block signals again
+                        sigprocmask(SIG_BLOCK, &newmask, NULL);
+
+                        if (rv == -1) { // we can get here if we have processes joining the sandbox (ECHILD)
+                                sleep(1);
                                 break;
+                        }
+                        else if (rv == app_pid)
+                                app_status = status;
+
+                        // handle --timeout
+                        if (options) {
+                                if (--timeout == 0)  {
+                                        // SIGTERM might fail if the process ignores it (SIG_IGN)
+                                        // we give it 100ms to close properly and after that we SIGKILL it
+                                        kill(-1, SIGTERM);
+                                        usleep(100000);
+                                        kill(-1, SIGKILL);
+                                        flush_stdin();
+                                        _exit(1);
+                                }
+                                else
+                                        sleep(1);
+                        }
                 }
                 while(rv != monitored_pid);
                 if (arg_debug)
-                        printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
-                if (rv == -1) { // we can get here if we have processes joining the sandbox (ECHILD)
-                        if (arg_debug)
-                                perror("waitpid");
-                        sleep(1);
-                }
-
-                // if /proc is not remounted, we cannot check /proc directory,
-                // for now we just get out of here
-                // todo: find another way of checking child processes!
-                if (!checkcfg(CFG_REMOUNT_PROC_SYS))
-                        break;
+                        printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status);
 
                 DIR *dir;
                 if (!(dir = opendir("/proc"))) {
@@ -251,6 +374,8 @@ static int monitor_application(pid_t app_pid) {
                                 continue;
                         if (pid == 1)
                                 continue;
+                        if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid)
+                                continue;
 
                         // todo: make this generic
                         // Dillo browser leaves a dpid process running, we need to shut it down
@@ -270,27 +395,16 @@ static int monitor_application(pid_t app_pid) {
                 closedir(dir);
 
                 if (monitored_pid != 0 && arg_debug)
-                        printf("Sandbox monitor: monitoring %u\n", monitored_pid);
+                        printf("Sandbox monitor: monitoring %d\n", monitored_pid);
         }
 
-        // return the latest exit status.
-        return status;
+        // return the appropriate exit status.
+        return arg_deterministic_exit_code ? app_status : status;
 }
 
 static void print_time(void) {
-        if (start_timestamp) {
-                unsigned long long end_timestamp = getticks();
-                // measure 1 ms
-                usleep(1000);
-                unsigned long long onems = getticks() - end_timestamp;
-                if (onems) {
-                        printf("Child process initialized in %.02f ms\n",
-                                (float) (end_timestamp - start_timestamp) / (float) onems);
-                        return;
-                }
-        }
-
-        printf("Child process initialized\n");
+        float delta = timetrace_end();
+        fmessage("Child process initialized in %.02f ms\n", delta);
 }
 
 
@@ -308,7 +422,7 @@ static int ok_to_run(const char *program) {
                         return 1;
         }
         else { // search $PATH
-                char *path1 = getenv("PATH");
+                const char *path1 = env_get("PATH");
                 if (path1) {
                         if (arg_debug)
                                 printf("Searching $PATH for %s\n", program);
@@ -350,34 +464,24 @@ static int ok_to_run(const char *program) {
         return 0;
 }
 
-void start_application(int no_sandbox) {
+void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
         // set environment
-        if (no_sandbox == 0) {
+        if (no_sandbox == 0)
                 env_defaults();
-                env_apply();
-        }
+        env_apply_all();
+
+        // restore original umask
+        umask(orig_umask);
+
         if (arg_debug) {
-                printf("starting application\n");
+                printf("Starting application\n");
                 printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
         }
 
         //****************************************
-        // audit
-        //****************************************
-        if (arg_audit) {
-                assert(arg_audit_prog);
-#ifdef HAVE_GCOV
-                __gcov_dump();
-#endif
-#ifdef HAVE_SECCOMP
-                seccomp_install_filters();
-#endif
-                execl(arg_audit_prog, arg_audit_prog, NULL);
-        }
-        //****************************************
         // start the program without using a shell
         //****************************************
-        else if (arg_shell_none) {
+        if (arg_shell_none) {
                 if (arg_debug) {
                         int i;
                         for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
@@ -395,53 +499,55 @@ void start_application(int no_sandbox) {
                 if (!arg_command && !arg_quiet)
                         print_time();
 
-                int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]);
-#ifdef HAVE_GCOV
+                if (ok_to_run(cfg.original_argv[cfg.original_program_index]) == 0) {
+                        fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]);
+                        exit(1);
+                }
+
                 __gcov_dump();
-#endif
-#ifdef HAVE_SECCOMP
+
                 seccomp_install_filters();
-#endif
-                if (rv)
-                        execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
-                else
-                        fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]);
-                exit(1);
+
+                if (set_sandbox_status)
+                        *set_sandbox_status = SANDBOX_DONE;
+                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
         }
         //****************************************
         // start the program using a shell
         //****************************************
         else {
                 assert(cfg.shell);
-                assert(cfg.command_line);
 
                 char *arg[5];
                 int index = 0;
                 arg[index++] = cfg.shell;
-                if (login_shell) {
-                        arg[index++] = "-l";
-                        if (arg_debug)
-                                printf("Starting %s login shell\n", cfg.shell);
-                } else {
-                        arg[index++] = "-c";
+                if (cfg.command_line) {
                         if (arg_debug)
                                 printf("Running %s command through %s\n", cfg.command_line, cfg.shell);
+                        arg[index++] = "-c";
                         if (arg_doubledash)
                                 arg[index++] = "--";
                         arg[index++] = cfg.command_line;
                 }
-                arg[index] = NULL;
+                else if (login_shell) {
+                        if (arg_debug)
+                                printf("Starting %s login shell\n", cfg.shell);
+                        arg[index++] = "-l";
+                }
+                else if (arg_debug)
+                        printf("Starting %s shell\n", cfg.shell);
+
                 assert(index < 5);
+                arg[index] = NULL;
 
                 if (arg_debug) {
                         char *msg;
-                        if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1)
+                        if (asprintf(&msg, "sandbox %d, execvp into %s",
+                                sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1)
                                 errExit("asprintf");
                         logmsg(msg);
                         free(msg);
-                }
 
-                if (arg_debug) {
                         int i;
                         for (i = 0; i < 5; i++) {
                                 if (arg[i] == NULL)
@@ -452,45 +558,36 @@ void start_application(int no_sandbox) {
 
                 if (!arg_command && !arg_quiet)
                         print_time();
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
-#ifdef HAVE_SECCOMP
+
                 seccomp_install_filters();
-#endif
+
+                if (set_sandbox_status)
+                        *set_sandbox_status = SANDBOX_DONE;
                 execvp(arg[0], arg);
+
+                // join sandbox without shell in the mount namespace
+                if (fd > -1)
+                        fexecve(fd, arg, environ);
         }
 
-        perror("execvp");
-        exit(1); // it should never get here!!!
+        perror("Cannot start application");
+        exit(1);
 }
 
 static void enforce_filters(void) {
-        // force default seccomp inside the chroot, no keep or drop list
-        // the list build on top of the default drop list is kept intact
-        arg_seccomp = 1;
-#ifdef HAVE_SECCOMP
-        enforce_seccomp = 1;
-#endif
-        if (cfg.seccomp_list_drop) {
-                free(cfg.seccomp_list_drop);
-                cfg.seccomp_list_drop = NULL;
-        }
-        if (cfg.seccomp_list_keep) {
-                free(cfg.seccomp_list_keep);
-                cfg.seccomp_list_keep = NULL;
-        }
+        fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n");
+        // enforce NO_NEW_PRIVS
+        arg_nonewprivs = 1;
+        force_nonewprivs = 1;
 
         // disable all capabilities
-        if (arg_caps_default_filter || arg_caps_list)
-                fwarning("all capabilities disabled for a regular user in chroot\n");
         arg_caps_drop_all = 1;
 
         // drop all supplementary groups; /etc/group file inside chroot
         // is controlled by a regular usr
         arg_nogroups = 1;
-        if (!arg_quiet)
-                printf("Dropping all Linux capabilities and enforcing default seccomp filter\n");
 }
 
 int sandbox(void* sandbox_arg) {
@@ -529,6 +626,12 @@ int sandbox(void* sandbox_arg) {
         }
         // ... and mount a tmpfs on top of /run/firejail/mnt directory
         preproc_mount_mnt_dir();
+        // bind-mount firejail binaries and helper programs
+        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
+            mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
+                errExit("mounting " RUN_FIREJAIL_LIB_DIR);
+        // keep a copy of dhclient executable before the filesystem is modified
+        dhcp_store_exec();
 
         //****************************
         // log sandbox data
@@ -628,28 +731,29 @@ int sandbox(void* sandbox_arg) {
         // print network configuration
         if (!arg_quiet) {
                 if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) {
-                        printf("\n");
+                        fmessage("\n");
                         if (any_bridge_configured() || any_interface_configured()) {
-//                              net_ifprint();
                                 if (arg_scan)
                                         sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, PATH_FNET, "printif", "scan");
                                 else
-                                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET, "printif", "scan");
+                                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET, "printif");
 
                         }
                         if (cfg.defaultgw != 0) {
                                 if (gw_cfg_failed)
-                                        printf("Default gateway configuration failed\n");
+                                        fmessage("Default gateway configuration failed\n");
                                 else
-                                        printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
+                                        fmessage("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
                         }
-                        if (cfg.dns1 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
-                        if (cfg.dns2 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
-                        if (cfg.dns3 != 0)
-                                printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
-                        printf("\n");
+                        if (cfg.dns1 != NULL)
+                                fmessage("DNS server %s\n", cfg.dns1);
+                        if (cfg.dns2 != NULL)
+                                fmessage("DNS server %s\n", cfg.dns2);
+                        if (cfg.dns3 != NULL)
+                                fmessage("DNS server %s\n", cfg.dns3);
+                        if (cfg.dns4 != NULL)
+                                fmessage("DNS server %s\n", cfg.dns4);
+                        fmessage("\n");
                 }
         }
 
@@ -657,15 +761,17 @@ int sandbox(void* sandbox_arg) {
         if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) {
                 // do nothing - there are problems with ibus version 1.5.11
         }
-        else
+        else {
+                EUID_USER();
                 env_ibus_load();
+                EUID_ROOT();
+        }
 
         //****************************
         // fs pre-processing:
         //  - build seccomp filters
         //  - create an empty /etc/ld.so.preload
         //****************************
-#ifdef HAVE_SECCOMP
         if (cfg.protocol) {
                 if (arg_debug)
                         printf("Build protocol filter: %s\n", cfg.protocol);
@@ -676,9 +782,16 @@ int sandbox(void* sandbox_arg) {
                 if (rv)
                         exit(rv);
         }
-        if (arg_seccomp && (cfg.seccomp_list || cfg.seccomp_list_drop || cfg.seccomp_list_keep))
-                arg_seccomp_postexec = 1;
+
+#ifdef HAVE_FORCE_NONEWPRIVS
+        bool always_enforce_filters = true;
+#else
+        bool always_enforce_filters = false;
 #endif
+        // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS
+        // and drop all capabilities
+        if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters))
+                enforce_filters();
 
         // need ld.so.preload if tracing or seccomp with any non-default lists
         bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
@@ -694,19 +807,10 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // configure filesystem
         //****************************
-        if (arg_appimage)
-                enforce_filters();
-
 #ifdef HAVE_CHROOT
         if (cfg.chrootdir) {
                 fs_chroot(cfg.chrootdir);
 
-                // force caps and seccomp if not started as root
-                if (getuid() != 0)
-                        enforce_filters();
-                else
-                        arg_seccomp = 1;
-
                 //****************************
                 // trace pre-install, this time inside chroot
                 //****************************
@@ -716,22 +820,22 @@ int sandbox(void* sandbox_arg) {
         else
 #endif
 #ifdef HAVE_OVERLAYFS
-        if (arg_overlay)        {
+        if (arg_overlay)
                 fs_overlayfs();
-                // force caps and seccomp if not started as root
-                if (getuid() != 0)
-                        enforce_filters();
-                else
-                        arg_seccomp = 1;
-        }
         else
 #endif
                 fs_basic_fs();
 
         //****************************
+        // appimage
+        //****************************
+        appimage_mount();
+
+        //****************************
         // private mode
         //****************************
         if (arg_private) {
+                EUID_USER();
                 if (cfg.home_private) { // --private=
                         if (cfg.chrootdir)
                                 fwarning("private=directory feature is disabled in chroot\n");
@@ -750,29 +854,11 @@ int sandbox(void* sandbox_arg) {
                 }
                 else // --private
                         fs_private();
+                EUID_ROOT();
         }
 
-        if (arg_private_dev) {
-                if (cfg.chrootdir)
-                        fwarning("private-dev feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-dev feature is disabled in overlay\n");
-                else
-                        fs_private_dev();
-        }
-
-        if (arg_private_etc) {
-                if (cfg.chrootdir)
-                        fwarning("private-etc feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-etc feature is disabled in overlay\n");
-                else {
-                        fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
-                        // create /etc/ld.so.preload file again
-                        if (need_preload)
-                                fs_trace_preload();
-                }
-        }
+        if (arg_private_dev)
+                fs_private_dev();
 
         if (arg_private_opt) {
                 if (cfg.chrootdir)
@@ -794,7 +880,8 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
-        if (arg_private_bin) {
+        // private-bin is disabled for appimages
+        if (arg_private_bin && !arg_appimage) {
                 if (cfg.chrootdir)
                         fwarning("private-bin feature is disabled in chroot\n");
                 else if (arg_overlay)
@@ -813,7 +900,8 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
-        if (arg_private_lib) {
+        // private-lib is disabled for appimages
+        if (arg_private_lib && !arg_appimage) {
                 if (cfg.chrootdir)
                         fwarning("private-lib feature is disabled in chroot\n");
                 else if (arg_overlay)
@@ -823,20 +911,29 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
+#ifdef HAVE_USERTMPFS
+        if (arg_private_cache) {
+                EUID_USER();
+                profile_add("tmpfs ${HOME}/.cache");
+                EUID_ROOT();
+        }
+#endif
+
         if (arg_private_tmp) {
-                if (cfg.chrootdir)
-                        fwarning("private-tmp feature is disabled in chroot\n");
-                else if (arg_overlay)
-                        fwarning("private-tmp feature is disabled in overlay\n");
-                else {
-                        // private-tmp is implemented as a whitelist
-                        EUID_USER();
-                        fs_private_tmp();
-                        EUID_ROOT();
-                }
+                // private-tmp is implemented as a whitelist
+                EUID_USER();
+                fs_private_tmp();
+                EUID_ROOT();
         }
 
         //****************************
+        // Session D-BUS
+        //****************************
+#ifdef HAVE_DBUSPROXY
+        dbus_apply_policy();
+#endif
+
+        //****************************
         // hosts and hostname
         //****************************
         if (cfg.hostname)
@@ -854,25 +951,60 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // update /proc, /sys, /dev, /boot directory
         //****************************
-        if (checkcfg(CFG_REMOUNT_PROC_SYS))
-                fs_proc_sys_dev_boot();
+        fs_proc_sys_dev_boot();
 
         //****************************
         // handle /mnt and /media
         //****************************
-        if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
-                fs_mnt();
+        if (checkcfg(CFG_DISABLE_MNT))
+                fs_mnt(1);
+        else if (arg_disable_mnt)
+                fs_mnt(0);
+
+        // Install new /etc last, so we can use it as long as possible
+        if (arg_private_etc) {
+                if (cfg.chrootdir)
+                        fwarning("private-etc feature is disabled in chroot\n");
+                else if (arg_overlay)
+                        fwarning("private-etc feature is disabled in overlay\n");
+                else {
+                        /* Current /etc/passwd and /etc/group files are bind
+                         * mounted filtered versions of originals. Leaving
+                         * them underneath private-etc mount causes problems
+                         * in devices with older kernels, e.g. attempts to
+                         * update the real /etc/passwd file yield EBUSY.
+                         *
+                         * As we do want to retain filtered /etc content:
+                         * 1. duplicate /etc content to RUN_ETC_DIR
+                         * 2. unmount bind mounts from /etc
+                         * 3. mount RUN_ETC_DIR at /etc
+                         */
+                        timetrace_start();
+                        fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+
+                        if (umount2("/etc/group", MNT_DETACH) == -1)
+                                fprintf(stderr, "/etc/group: unmount: %s\n", strerror(errno));
+                        if (umount2("/etc/passwd", MNT_DETACH) == -1)
+                                fprintf(stderr, "/etc/passwd: unmount: %s\n", strerror(errno));
+
+                        fs_private_dir_mount("/etc", RUN_ETC_DIR);
+                        fmessage("Private /etc installed in %0.2f ms\n", timetrace_end());
+
+                        // create /etc/ld.so.preload file again
+                        if (need_preload)
+                                fs_trace_preload();
+
+                        // openSUSE configuration is split between /etc and /usr/etc
+                        // process private-etc a second time
+                        fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep);
+                }
+        }
 
         //****************************
         // apply the profile file
         //****************************
         // apply all whitelist commands ...
-        if (cfg.chrootdir)
-                fwarning("whitelist feature is disabled in chroot\n");
-        else if (arg_overlay)
-                fwarning("whitelist feature is disabled in overlay\n");
-        else
-                fs_whitelist();
+        fs_whitelist();
 
         // ... followed by blacklist commands
         fs_blacklist(); // mkdir and mkfile are processed all over again
@@ -887,7 +1019,7 @@ int sandbox(void* sandbox_arg) {
                 // disable /dev/snd
                 fs_dev_disable_sound();
         }
-        else
+        else if (!arg_keep_config_pulse)
                 pulseaudio_init();
 
         if (arg_no3d)
@@ -899,34 +1031,37 @@ int sandbox(void* sandbox_arg) {
         if (arg_nodvd)
                 fs_dev_disable_dvd();
 
+        if (arg_nou2f)
+                fs_dev_disable_u2f();
+
         if (arg_novideo)
                 fs_dev_disable_video();
 
-        //****************************
-        // install trace
-        //****************************
-        if (need_preload)
-                fs_trace();
+        if (arg_noinput)
+                fs_dev_disable_input();
 
         //****************************
         // set dns
         //****************************
-        fs_resolvconf();
+        fs_rebuild_etc();
 
         //****************************
-        // fs post-processing
+        // start dhcp client
         //****************************
-        fs_logger_print();
-        fs_logger_change_owner();
+        dhcp_start();
 
         //****************************
         // set application environment
         //****************************
-        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+        EUID_USER();
         int cwd = 0;
         if (cfg.cwd) {
                 if (chdir(cfg.cwd) == 0)
                         cwd = 1;
+                else if (arg_private_cwd) {
+                        fprintf(stderr, "Error: unable to enter private working directory: %s: %s\n", cfg.cwd, strerror(errno));
+                        exit(1);
+                }
         }
 
         if (!cwd) {
@@ -949,44 +1084,34 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
-
-        // set nice
-        if (arg_nice) {
-                errno = 0;
-                int rv = nice(cfg.nice);
-                (void) rv;
-                if (errno) {
-                        fwarning("cannot set nice value\n");
-                        errno = 0;
-                }
-        }
-
+        EUID_ROOT();
         // clean /tmp/.X11-unix sockets
         fs_x11();
         if (arg_x11_xorg)
                 x11_xorg();
 
+        // save original umask
+        save_umask();
+
         //****************************
-        // set security filters
+        // fs post-processing
         //****************************
-        // set capabilities
-        set_caps();
+        fs_logger_print();
+        fs_logger_change_owner();
 
-        // set rlimits
-        set_rlimits();
+        //****************************
+        // set security filters
+        //****************************
+        // save state of nonewprivs
+        save_nonewprivs();
 
-        // set cpu affinity
-        if (cfg.cpus) {
-                save_cpu(); // save cpu affinity mask to CPU_CFG file
-                set_cpu_affinity();
-        }
+        // save cpu affinity mask to CPU_CFG file
+        save_cpu();
 
         // save cgroup in CGROUP_CFG file
-        if (cfg.cgroup)
-                save_cgroup();
+        save_cgroup();
 
         // set seccomp
-#ifdef HAVE_SECCOMP
         // install protocol filter
 #ifdef SYS_socket
         if (cfg.protocol) {
@@ -995,44 +1120,71 @@ int sandbox(void* sandbox_arg) {
                 seccomp_load(RUN_SECCOMP_PROTOCOL);     // install filter
                 protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG
         }
+        else {
+                int rv = unlink(RUN_SECCOMP_PROTOCOL);
+                (void) rv;
+        }
 #endif
 
         // if a keep list is available, disregard the drop list
         if (arg_seccomp == 1) {
                 if (cfg.seccomp_list_keep)
-                        seccomp_filter_keep();
+                        seccomp_filter_keep(true);
                 else
-                        seccomp_filter_drop();
+                        seccomp_filter_drop(true);
         }
+        if (arg_seccomp32 == 1) {
+                if (cfg.seccomp_list_keep32)
+                        seccomp_filter_keep(false);
+                else
+                        seccomp_filter_drop(false);
 
-        if (arg_debug) {
-                printf("\nSeccomp files:\n");
-                int rv = system("ls -l /run/firejail/mnt/seccomp*\n");
-                (void) rv;
-                printf("\n");
         }
 
         if (arg_memory_deny_write_execute) {
+                if (arg_seccomp_error_action != EPERM) {
+                        seccomp_filter_mdwx(true);
+                        seccomp_filter_mdwx(false);
+                }
                 if (arg_debug)
                         printf("Install memory write&execute filter\n");
                 seccomp_load(RUN_SECCOMP_MDWX); // install filter
+                seccomp_load(RUN_SECCOMP_MDWX_32);
         }
-#endif
+
+        // make seccomp filters read-only
+        fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
+        seccomp_debug();
+
+        //****************************
+        // install trace - still need capabilities
+        //****************************
+        if (need_preload)
+                fs_trace();
+
+        //****************************
+        // continue security filters
+        //****************************
+        // set capabilities
+        set_caps();
+
+        //****************************************
+        // relay status information to join option
+        //****************************************
+        char *set_sandbox_status = create_join_file();
 
         //****************************************
-        // drop privileges or create a new user namespace
+        // create a new user namespace
+        //     - too early to drop privileges
         //****************************************
         save_nogroups();
         if (arg_noroot) {
                 int rv = unshare(CLONE_NEWUSER);
                 if (rv == -1) {
                         fwarning("cannot create a new user namespace, going forward without it...\n");
-                        drop_privs(arg_nogroups);
                         arg_noroot = 0;
                 }
         }
-        else
-                drop_privs(arg_nogroups);
 
         // notify parent that new user namespace has been created so a proper
         // UID/GID map can be setup
@@ -1055,15 +1207,34 @@ int sandbox(void* sandbox_arg) {
         // Set NO_NEW_PRIVS if desired
         //****************************************
         if (arg_nonewprivs) {
-                int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+                prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-                if(no_new_privs != 0 && !arg_quiet)
-                        fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
+                if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) {
+                        fwarning("cannot set NO_NEW_PRIVS, it requires a Linux kernel version 3.5 or newer.\n");
+                        if (force_nonewprivs) {
+                                fprintf(stderr, "Error: NO_NEW_PRIVS required for this sandbox, exiting ...\n");
+                                exit(1);
+                        }
+                }
                 else if (arg_debug)
                         printf("NO_NEW_PRIVS set\n");
         }
 
         //****************************************
+        // drop privileges
+        //****************************************
+        drop_privs(arg_nogroups);
+
+        // kill the sandbox in case the parent died
+        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+        //****************************************
+        // set cpu affinity
+        //****************************************
+        if (cfg.cpus)
+                set_cpu_affinity();
+
+        //****************************************
         // fork the application and monitor it
         //****************************************
         pid_t app_pid = fork();
@@ -1072,29 +1243,31 @@ int sandbox(void* sandbox_arg) {
 
         if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-                if (arg_apparmor) {
-                        errno = 0;
-                        if (aa_change_onexec("firejail-default")) {
-                                fwarning("Cannot confine the application using AppArmor.\n"
-                                        "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
-                                        "As root, run \"aa-enforce firejail-default\" to load it.\n");
-                        }
-                        else if (arg_debug)
-                                printf("AppArmor enabled\n");
-                }
+                set_apparmor();
 #endif
-                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
-                start_application(0);   // start app
+
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
+
+                start_application(0, -1, set_sandbox_status);
         }
 
+        munmap(set_sandbox_status, 1);
+
         int status = monitor_application(app_pid);      // monitor application
-        flush_stdin();
 
         if (WIFEXITED(status)) {
                 // if we had a proper exit, return that exit status
-                return WEXITSTATUS(status);
+                status = WEXITSTATUS(status);
+        } else if (WIFSIGNALED(status)) {
+                // distinguish fatal signals by adding 128
+                status = 128 + WTERMSIG(status);
         } else {
-                // something else went wrong!
-                return -1;
+                status = -1;
         }
+
+        flush_stdin();
+        return status;
 }
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 1d6cc2353..37111324a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,211 +23,295 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
- #include <sys/wait.h>
+#include <sys/wait.h>
 #include "../include/seccomp.h"
 
-static struct sock_filter filter[] = {
-        VALIDATE_ARCHITECTURE,
-        EXAMINE_SYSCALL,
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * const arg[]) {
+        // build a new, clean environment
+        int env_index = 0;
+        char *new_environment[256] = { NULL };
+        // preserve firejail-specific env vars
+        const char *cl = env_get("FIREJAIL_FILE_COPY_LIMIT");
+        if (cl) {
+                if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1)
+                        errExit("asprintf");
+        }
+        if (arg_quiet) // --quiet is passed as an environment variable
+                new_environment[env_index++] = "FIREJAIL_QUIET=yes";
+        if (arg_debug) // --debug is passed as an environment variable
+                new_environment[env_index++] = "FIREJAIL_DEBUG=yes";
+        if (cfg.seccomp_error_action)
+                if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1)
+                        errExit("asprintf");
+        new_environment[env_index++] = "FIREJAIL_PLUGIN="; // always set
+
+        if (filtermask & SBOX_STDIN_FROM_FILE) {
+                int fd;
+                if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
+                        fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
+                        exit(1);
+                }
+                if (dup2(fd, STDIN_FILENO) == -1)
+                        errExit("dup2");
+                close(fd);
+        }
+        else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
+                int fd = open("/dev/null",O_RDWR, 0);
+                if (fd != -1) {
+                        if (dup2(fd, STDIN_FILENO) == -1)
+                                errExit("dup2");
+                        close(fd);
+                }
+                else // the user could run the sandbox without /dev/null
+                        close(STDIN_FILENO);
+        }
+
+        // close all other file descriptors
+        if ((filtermask & SBOX_KEEP_FDS) == 0) {
+                int i;
+                for (i = 3; i < FIREJAIL_MAX_FD; i++)
+                        close(i); // close open files
+        }
+
+        umask(027);
+
+        // apply filters
+        if (filtermask & SBOX_CAPS_NONE) {
+                caps_drop_all();
+        } else {
+                uint64_t set = 0;
+                if (filtermask & SBOX_CAPS_NETWORK) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        set |= ((uint64_t) 1) << CAP_NET_ADMIN;
+                        set |= ((uint64_t) 1) << CAP_NET_RAW;
+#endif
+                }
+                if (filtermask & SBOX_CAPS_HIDEPID) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        set |= ((uint64_t) 1) << CAP_SYS_PTRACE;
+                        set |= ((uint64_t) 1) << CAP_SYS_PACCT;
+#endif
+                }
+                if (filtermask & SBOX_CAPS_NET_SERVICE) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        set |= ((uint64_t) 1) << CAP_NET_BIND_SERVICE;
+                        set |= ((uint64_t) 1) << CAP_NET_BROADCAST;
+#endif
+                }
+                if (set != 0) { // some SBOX_CAPS_ flag was specified, drop all other capabilities
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        caps_set(set);
+#endif
+                }
+        }
+
+        if (filtermask & SBOX_SECCOMP) {
+                struct sock_filter filter[] = {
+                        VALIDATE_ARCHITECTURE,
+                        EXAMINE_SYSCALL,
 
 #if defined(__x86_64__)
 #define X32_SYSCALL_BIT 0x40000000
-        // handle X32 ABI
-        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
-        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
-        RETURN_ERRNO(EPERM),
+                        // handle X32 ABI
+                        BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0),
+                        BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0),
+                        KILL_OR_RETURN_ERRNO,
 #endif
 
-        // syscall list
+                // syscall list
 #ifdef SYS_mount
-        BLACKLIST(SYS_mount),  // mount/unmount filesystems
+                        BLACKLIST(SYS_mount), // mount/unmount filesystems
+#endif
+#ifdef SYS_umount
+                        BLACKLIST(SYS_umount),
 #endif
 #ifdef SYS_umount2
-        BLACKLIST(SYS_umount2),
+                        BLACKLIST(SYS_umount2),
 #endif
 #ifdef SYS_ptrace
-        BLACKLIST(SYS_ptrace), // trace processes
+                        BLACKLIST(SYS_ptrace), // trace processes
+#endif
+#ifdef SYS_process_vm_readv
+                        BLACKLIST(SYS_process_vm_readv),
+#endif
+#ifdef SYS_process_vm_writev
+                        BLACKLIST(SYS_process_vm_writev),
 #endif
 #ifdef SYS_kexec_file_load
-        BLACKLIST(SYS_kexec_file_load),
+                        BLACKLIST(SYS_kexec_file_load), // loading a different kernel
 #endif
 #ifdef SYS_kexec_load
-        BLACKLIST(SYS_kexec_load), // loading a different kernel
+                        BLACKLIST(SYS_kexec_load),
 #endif
 #ifdef SYS_name_to_handle_at
-        BLACKLIST(SYS_name_to_handle_at),
+                        BLACKLIST(SYS_name_to_handle_at),
 #endif
 #ifdef SYS_open_by_handle_at
-        BLACKLIST(SYS_open_by_handle_at), // open by handle
+                        BLACKLIST(SYS_open_by_handle_at), // open by handle
 #endif
 #ifdef SYS_init_module
-        BLACKLIST(SYS_init_module), // kernel module handling
+                        BLACKLIST(SYS_init_module), // kernel module handling
 #endif
 #ifdef SYS_finit_module // introduced in 2013
-        BLACKLIST(SYS_finit_module),
+                        BLACKLIST(SYS_finit_module),
 #endif
 #ifdef SYS_create_module
-        BLACKLIST(SYS_create_module),
+                        BLACKLIST(SYS_create_module),
 #endif
 #ifdef SYS_delete_module
-        BLACKLIST(SYS_delete_module),
+                        BLACKLIST(SYS_delete_module),
 #endif
 #ifdef SYS_iopl
-        BLACKLIST(SYS_iopl), // io permissions
-#endif
-#ifdef  SYS_ioperm
-        BLACKLIST(SYS_ioperm),
+                        BLACKLIST(SYS_iopl), // io permissions
 #endif
-#ifdef SYS_iopl
-        BLACKLIST(SYS_iopl), // io permissions
+#ifdef SYS_ioperm
+                        BLACKLIST(SYS_ioperm),
 #endif
-#ifdef  SYS_ioprio_set
-        BLACKLIST(SYS_ioprio_set),
+#ifdef SYS_ioprio_set
+                        BLACKLIST(SYS_ioprio_set),
 #endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
-        BLACKLIST(SYS_ni_syscall),
+                        BLACKLIST(SYS_ni_syscall),
 #endif
 #ifdef SYS_swapon
-        BLACKLIST(SYS_swapon), // swap on/off
+                        BLACKLIST(SYS_swapon), // swap on/off
 #endif
 #ifdef SYS_swapoff
-        BLACKLIST(SYS_swapoff),
+                        BLACKLIST(SYS_swapoff),
 #endif
 #ifdef SYS_syslog
-        BLACKLIST(SYS_syslog), // kernel printk control
+                        BLACKLIST(SYS_syslog), // kernel printk control
 #endif
-        RETURN_ALLOW
-};
+                        RETURN_ALLOW
+                };
 
-static struct sock_fprog prog = {
-        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
-        .filter = filter,
-};
+                struct sock_fprog prog = {
+                        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                        .filter = filter,
+                };
 
-typedef struct sbox_config {
-        char *name;
-        char *path;
-        unsigned filters;
-} SboxConfig;
+                if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                        perror("prctl(NO_NEW_PRIVS)");
+                }
+                if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                        perror("prctl(PR_SET_SECCOMP)");
+                }
+        }
 
+        if (filtermask & SBOX_USER)
+                drop_privs(1);
+        else if (filtermask & SBOX_ROOT) {
+                // elevate privileges in order to get grsecurity working
+                if (setreuid(0, 0))
+                        errExit("setreuid");
+                if (setregid(0, 0))
+                        errExit("setregid");
+        }
+        else assert(0);
 
-int sbox_run(unsigned filter, int num, ...) {
-        EUID_ROOT();
+        if (arg[0]) { // get rid of scan-build warning
+                int fd = open(arg[0], O_PATH | O_CLOEXEC);
+                if (fd == -1) {
+                        if (errno == ENOENT) {
+                                fprintf(stderr, "Error: %s does not exist\n", arg[0]);
+                                exit(1);
+                        } else {
+                                errExit("open");
+                        }
+                }
+                struct stat s;
+                if (fstat(fd, &s) == -1)
+                        errExit("fstat");
+                if (s.st_uid != 0 && s.st_gid != 0) {
+                        fprintf(stderr, "Error: %s is not owned by root, refusing to execute\n", arg[0]);
+                        exit(1);
+                }
+                if (s.st_mode & 00002) {
+                        fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]);
+                        exit(1);
+                }
+                fexecve(fd, arg, new_environment);
+        } else {
+                assert(0);
+        }
+        perror("fexecve");
+        _exit(1);
+}
 
-        int i;
+int sbox_run(unsigned filtermask, int num, ...) {
         va_list valist;
         va_start(valist, num);
 
         // build argument list
-        char *arg[num + 1];
+        char **arg = calloc(num + 1, sizeof(char *));
+        if (!arg)
+                errExit("calloc");
+        int i;
         for (i = 0; i < num; i++)
-                arg[i] = va_arg(valist, char*);
+                arg[i] = va_arg(valist, char *);
         arg[i] = NULL;
         va_end(valist);
 
+        int status = sbox_run_v(filtermask, arg);
+
+        free(arg);
+
+        return status;
+}
+
+int sbox_run_v(unsigned filtermask, char * const arg[]) {
+        assert(arg);
+
         if (arg_debug) {
                 printf("sbox run: ");
-                for (i = 0; i <= num; i++)
+                int i = 0;
+                while (arg[i]) {
                         printf("%s ", arg[i]);
+                        i++;
+                }
                 printf("\n");
         }
 
+        // KEEP_FDS only makes sense with sbox_exec_v
+        assert((filtermask & SBOX_KEEP_FDS) == 0);
+
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
-                // clean the new process
-                clearenv();
-
-                if (filter & SBOX_STDIN_FROM_FILE) {
-                        int fd;
-                        if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
-                                fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
-                                exit(1);
-                        }
-                        dup2(fd,STDIN_FILENO);
-                }
-                else if ((filter & SBOX_ALLOW_STDIN) == 0) {
-                        int fd = open("/dev/null",O_RDWR, 0);
-                        if (fd != -1)
-                                dup2(fd, STDIN_FILENO);
-                        else // the user could run the sandbox without /dev/null
-                                close(STDIN_FILENO);
-                }
-
-                // close all other file descriptors
-                int max = 20; // getdtablesize() is overkill for a firejail process
-                for (i = 3; i < max; i++)
-                        close(i); // close open files
-
-                if (arg_debug) {
-                        printf("sbox file descriptors:\n");
-                        int rv = system("ls -l /proc/self/fd");
-                        (void) rv;
-                }
-
-                umask(027);
-
-                // apply filters
-                if (filter & SBOX_CAPS_NONE) {
-                        caps_drop_all();
-                }
-                else if (filter & SBOX_CAPS_NETWORK) {
-#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
-                        uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN;
-                        set |=  ((uint64_t) 1) << CAP_NET_RAW;
-                        caps_set(set);
-#endif
-                }
-
-                if (filter & SBOX_SECCOMP) {
-                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                                perror("prctl(NO_NEW_PRIVS)");
-                        }
-                        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-                                perror("prctl(PR_SET_SECCOMP)");
-                        }
-                }
-
-                if (filter & SBOX_ROOT) {
-                        // elevate privileges in order to get grsecurity working
-                        if (setreuid(0, 0))
-                                errExit("setreuid");
-                        if (setregid(0, 0))
-                                errExit("setregid");
-                }
-                else if (filter & SBOX_USER)
-                        drop_privs(1);
-
-                clearenv();
-
-                // --quiet is passed as an environment variable
-                if (arg_quiet)
-                        setenv("FIREJAIL_QUIET", "yes", 1);
-
-                if (arg[0])     // get rid of scan-build warning
-                        execvp(arg[0], arg);
-                else
-                        assert(0);
-                perror("execvp");
-                _exit(1);
+                EUID_ROOT();
+                sbox_do_exec_v(filtermask, arg);
         }
 
         int status;
         if (waitpid(child, &status, 0) == -1 ) {
                 errExit("waitpid");
         }
-        if (WIFEXITED(status) && status != 0) {
-                fprintf(stderr, "Error: failed to run %s\n", arg[0]);
+        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+                fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
                 exit(1);
         }
 
-#if 0
-printf("** sbox run out *********************************\n");
-system("ls -l /run/firejail/mnt\n");
-system("ls -l /proc/self/fd");
-printf("** sbox run out *********************************\n");
-#endif
-
         return status;
 }
+
+void sbox_exec_v(unsigned filtermask, char * const arg[]) {
+        EUID_ROOT();
+
+        if (arg_debug) {
+                printf("sbox exec: ");
+                int i = 0;
+                while (arg[i]) {
+                        printf("%s ", arg[i]);
+                        i++;
+                }
+                printf("\n");
+        }
+
+        sbox_do_exec_v(filtermask, arg);
+}
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index e75863c3a..3d9bf9082 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
@@ -31,7 +30,6 @@ typedef struct filter_list {
 
 static FilterList *filter_list_head = NULL;
 static int err_printed = 0;
-extern int enforce_seccomp;
 
 char *seccomp_check_list(const char *str) {
         assert(str);
@@ -49,10 +47,11 @@ char *seccomp_check_list(const char *str) {
         const char *ptr1 = str;
         char *ptr2 = rv;
         while (*ptr1 != '\0') {
-                if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':' || *ptr1 == '@' || *ptr1 == '-')
+        if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':'
+                                   || *ptr1 == '@' || *ptr1 == '-' || *ptr1 == '$' || *ptr1 == '!')
                         *ptr2++ = *ptr1++;
                 else {
-                        fprintf(stderr, "Error: invalid syscall list\n");
+                        fprintf(stderr, "Error: invalid syscall list entry %s\n", str);
                         exit(1);
                 }
         }
@@ -74,11 +73,6 @@ int seccomp_install_filters(void) {
 
                         if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
 
-                                if (enforce_seccomp) {
-                                        fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
-                                        exit(1);
-                                }
-
                                 if (!err_printed)
                                         fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
                                 err_printed = 1;
@@ -89,11 +83,46 @@ int seccomp_install_filters(void) {
         return r;
 }
 
+static void seccomp_save_file_list(const char *fname) {
+        assert(fname);
+
+        FILE *fp = fopen(RUN_SECCOMP_LIST, "ae");
+        if (!fp)
+                errExit("fopen");
+
+        fprintf(fp, "%s\n", fname);
+        fclose(fp);
+        int rv = chown(RUN_SECCOMP_LIST, getuid(), getgid());
+        (void) rv;
+}
+
+#define MAXBUF 4096
+static int load_file_list_flag = 0;
+void seccomp_load_file_list(void) {
+        FILE *fp = fopen(RUN_SECCOMP_LIST, "re");
+        if (!fp)
+                return; // no seccomp configuration whatsoever
+
+        load_file_list_flag = 1;
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                // clean '\n'
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                seccomp_load(buf);
+        }
+
+        fclose(fp);
+        load_file_list_flag = 0;
+}
+
+
 int seccomp_load(const char *fname) {
         assert(fname);
 
         // open filter file
-        int fd = open(fname, O_RDONLY);
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
         if (fd == -1)
                 goto errexit;
 
@@ -126,11 +155,15 @@ int seccomp_load(const char *fname) {
                 errExit("strdup");
         filter_list_head = fl;
 
-        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
-                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-                        PATH_FSECCOMP, "print", fname);
+        if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
+                        PATH_FSEC_PRINT, fname);
         }
 
+        // save the file name in seccomp list
+        if (!load_file_list_flag)
+                seccomp_save_file_list(fname);
+
         return 0;
 errexit:
         fprintf(stderr, "Error: cannot read %s\n", fname);
@@ -138,6 +171,7 @@ errexit:
 }
 
 // 32 bit arch filter installed on 64 bit architectures
+#if defined(__x86_64__)
 #if defined(__LP64__)
 static void seccomp_filter_32(void) {
         if (seccomp_load(RUN_SECCOMP_32) == 0) {
@@ -146,15 +180,6 @@ static void seccomp_filter_32(void) {
         }
 }
 #endif
-
-// 64 bit arch filter installed on 32 bit architectures
-#if defined(__ILP32__)
-static void seccomp_filter_64(void) {
-        if (seccomp_load(RUN_SECCOMP_64) == 0) {
-                if (arg_debug)
-                        printf("Dual 32/64 bit seccomp filter configured\n");
-        }
-}
 #endif
 
 static void seccomp_filter_block_secondary(void) {
@@ -165,49 +190,98 @@ static void seccomp_filter_block_secondary(void) {
 }
 
 // drop filter for seccomp option
-int seccomp_filter_drop(void) {
+int seccomp_filter_drop(bool native) {
+        const char *filter, *postexec_filter;
+
+        if (native) {
+                filter = RUN_SECCOMP_CFG;
+                postexec_filter = RUN_SECCOMP_POSTEXEC;
+        } else {
+                filter = RUN_SECCOMP_32;
+                postexec_filter = RUN_SECCOMP_POSTEXEC_32;
+        }
+
         // if we have multiple seccomp commands, only one of them is executed
         // in the following order:
         //      - seccomp.drop list
         //      - seccomp list
         //      - seccomp
         if (cfg.seccomp_list_drop == NULL) {
-                // default seccomp
-                if (cfg.seccomp_list == NULL) {
+                // default seccomp if error action is not changed
+                if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+                    && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
                         if (arg_seccomp_block_secondary)
                                 seccomp_filter_block_secondary();
                         else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
                                 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-                                seccomp_filter_64();
 #endif
                         }
                 }
                 // default seccomp filter with additional drop list
                 else { // cfg.seccomp_list != NULL
-                        if (arg_seccomp_block_secondary)
+                        int rv;
+
+                        if (arg_seccomp_block_secondary) {
+                                if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) {
+                                        if (arg_debug)
+                                                printf("Rebuild secondary block seccomp filter\n");
+                                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+                                                      PATH_FSECCOMP, "secondary", "block", RUN_SECCOMP_BLOCK_SECONDARY);
+                                        if (rv)
+                                                exit(rv);
+                                }
                                 seccomp_filter_block_secondary();
-                        else {
+                        } else {
+#if defined(__x86_64__)
 #if defined(__LP64__)
+                                if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) {
+                                        if (arg_debug)
+                                                printf("Rebuild 32 bit seccomp filter\n");
+                                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+                                                      PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_32);
+                                        if (rv)
+                                                exit(rv);
+                                }
                                 seccomp_filter_32();
 #endif
-#if defined(__ILP32__)
-                                seccomp_filter_64();
 #endif
                         }
                         if (arg_debug)
                                 printf("Build default+drop seccomp filter\n");
 
+                        const char *command, *list;
+                        if (native) {
+                                command = "default";
+                                list = cfg.seccomp_list;
+                        } else {
+                                command = "default32";
+                                list = cfg.seccomp_list32;
+                        }
+
                         // build the seccomp filter as a regular user
-                        int rv;
-                        if (arg_allow_debuggers)
-                                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
-                                              PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list, "allow-debuggers");
+                        if (list && list[0])
+                                if (arg_allow_debuggers)
+                                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
+                                                      PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
+                                else
+                                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
+                                                      PATH_FSECCOMP, command, "drop", filter, postexec_filter, list);
                         else
-                                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-                                              PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
+                                if (arg_allow_debuggers)
+                                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
+                                                      PATH_FSECCOMP, command, filter, "allow-debuggers");
+                                else
+                                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+                                                      PATH_FSECCOMP, command, filter);
+
+                        if (rv)
+                                exit(rv);
+
+                        // optimize the new filter
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
                         if (rv)
                                 exit(rv);
                 }
@@ -221,31 +295,45 @@ int seccomp_filter_drop(void) {
                 if (arg_debug)
                         printf("Build drop seccomp filter\n");
 
+                const char *command, *list;
+                if (native) {
+                        command = "drop";
+                        list = cfg.seccomp_list_drop;
+                } else {
+                        command = "drop32";
+                        list = cfg.seccomp_list_drop32;
+                }
+
                 // build the seccomp filter as a regular user
                 int rv;
                 if (arg_allow_debuggers)
                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-                                      PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop,  "allow-debuggers");
+                                      PATH_FSECCOMP, command, filter, postexec_filter, list,  "allow-debuggers");
                 else
                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-                                PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop);
+                                      PATH_FSECCOMP, command, filter, postexec_filter, list);
 
                 if (rv)
                         exit(rv);
+
+                // optimize the drop filter
+                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
+                if (rv)
+                        exit(rv);
         }
 
         // load the filter
-        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+        if (seccomp_load(filter) == 0) {
                 if (arg_debug)
                         printf("seccomp filter configured\n");
         }
 
-        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
+        if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
                 struct stat st;
-                if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
-                        printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
-                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-                                  PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+                if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
+                        printf("configuring postexec seccomp filter in %s\n", postexec_filter);
+                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
+                                  PATH_FSEC_PRINT, postexec_filter);
                 }
         }
 
@@ -253,7 +341,7 @@ int seccomp_filter_drop(void) {
 }
 
 // keep filter for seccomp option
-int seccomp_filter_keep(void) {
+int seccomp_filter_keep(bool native) {
         // secondary filters are not installed except when secondary
         // architectures are explicitly blocked
         if (arg_seccomp_block_secondary)
@@ -262,9 +350,20 @@ int seccomp_filter_keep(void) {
         if (arg_debug)
                 printf("Build keep seccomp filter\n");
 
+        const char *filter, *postexec_filter, *list;
+        if (native) {
+                filter = RUN_SECCOMP_CFG;
+                postexec_filter = RUN_SECCOMP_POSTEXEC;
+                list = cfg.seccomp_list_keep;
+        } else {
+                filter = RUN_SECCOMP_32;
+                postexec_filter = RUN_SECCOMP_POSTEXEC_32;
+                list = cfg.seccomp_list_keep32;
+        }
+
         // build the seccomp filter as a regular user
         int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-                 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep);
+                 PATH_FSECCOMP, "keep", filter, postexec_filter, list);
 
         if (rv) {
                 fprintf(stderr, "Error: cannot configure seccomp filter\n");
@@ -275,67 +374,98 @@ int seccomp_filter_keep(void) {
                 printf("seccomp filter configured\n");
 
         // load the filter
-        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+        if (seccomp_load(filter) == 0) {
                 if (arg_debug)
                         printf("seccomp filter configured\n");
         }
 
-        if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) {
+        if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
                 struct stat st;
-                if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
-                        printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
-                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
-                                  PATH_FSECCOMP, "print", RUN_SECCOMP_POSTEXEC);
+                if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
+                        printf("configuring postexec seccomp filter in %s\n", postexec_filter);
+                        sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
+                                  PATH_FSEC_PRINT, postexec_filter);
                 }
         }
 
         return 0;
 }
 
+// create mdwx filter for non-default error action
+int seccomp_filter_mdwx(bool native) {
+        if (arg_debug)
+                printf("Build memory-deny-write-execute filter\n");
+
+        const char *command, *filter;
+        if (native) {
+                command = "memory-deny-write-execute";
+                filter = RUN_SECCOMP_MDWX;
+        } else {
+                command = "memory-deny-write-execute.32";
+                filter = RUN_SECCOMP_MDWX_32;
+        }
+
+        // build the seccomp filter as a regular user
+        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+                 PATH_FSECCOMP, command, filter);
+
+        if (rv) {
+                fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");
+                exit(rv);
+        }
+
+        if (arg_debug)
+                printf("Memory-deny-write-execute filter configured\n");
+
+        return 0;
+}
+
 void seccomp_print_filter(pid_t pid) {
         EUID_ASSERT();
 
-        // if the pid is that of a firejail  process, use the pid of the first child process
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                        }
-                }
-                free(comm);
-        }
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid = switch_to_child(pid);
 
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission denied.\n");
-                        exit(1);
-                }
-        }
+        // exit if no permission to join the sandbox
+        check_join_permission(pid);
 
-        // find the seccomp filter
+        // find the seccomp list file
         EUID_ROOT();
         char *fname;
-        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_CFG) == -1)
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1)
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(fname, &s) == -1) {
-                printf("Cannot access seccomp filter.\n");
-                exit(1);
-        }
+        if (stat(fname, &s) == -1)
+                goto errexit;
 
-        // read and print the filter - run this as root, the user doesn't have access
-        sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", fname);
+        FILE *fp = fopen(fname, "re");
+        if (!fp)
+                goto errexit;
         free(fname);
 
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                // clean '\n'
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+
+                if (asprintf(&fname, "/proc/%d/root%s", pid, buf) == -1)
+                        errExit("asprintf");
+                printf("FILE: %s\n", fname); fflush(0);
+
+                // read and print the filter - run this as root, the user doesn't have access
+                sbox_run(SBOX_ROOT | SBOX_SECCOMP, 2, PATH_FSEC_PRINT, fname);
+                fflush(0);
+
+                printf("\n"); fflush(0);
+                free(fname);
+        }
+        fclose(fp);
         exit(0);
-}
 
-#endif // HAVE_SECCOMP
+errexit:
+        printf("Cannot access seccomp filter.\n");
+        exit(1);
+}
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
new file mode 100644
index 000000000..6969e7a3d
--- /dev/null
+++ b/src/firejail/selinux.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2020-2021 Firejail and systemd authors
+ *
+ * This file is part of firejail project, from systemd selinux-util.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#if HAVE_SELINUX
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/selinux.h>
+
+static struct selabel_handle *label_hnd = NULL;
+static int selinux_enabled = -1;
+#endif
+
+void selinux_relabel_path(const char *path, const char *inside_path)
+{
+#if HAVE_SELINUX
+        char procfs_path[64];
+        char *fcon = NULL;
+        int fd;
+        struct stat st;
+
+        if (selinux_enabled == -1)
+                selinux_enabled = is_selinux_enabled();
+
+        if (!selinux_enabled)
+                return;
+
+        if (!label_hnd)
+                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+
+        if (!label_hnd)
+                errExit("selabel_open");
+
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label
+         * Defeat symlink races by not allowing symbolic links */
+        fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        if (fd < 0)
+                return;
+        if (fstat(fd, &st) < 0)
+                goto close;
+
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+                sprintf(procfs_path, "/proc/self/fd/%i", fd);
+                if (arg_debug)
+                        printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
+
+                setfilecon_raw(procfs_path, fcon);
+        }
+        freecon(fcon);
+ close:
+        close(fd);
+#else
+        (void) path;
+        (void) inside_path;
+#endif
+}
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index f187960d5..d1be6eed4 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -26,27 +26,20 @@
 void shut(pid_t pid) {
         EUID_ASSERT();
 
-        pid_t parent = pid;
-        // if the pid is that of a firejail  process, use the pid of a child process inside the sandbox
         EUID_ROOT();
         char *comm = pid_proc_comm(pid);
         EUID_USER();
         if (comm) {
-                if (strcmp(comm, "firejail") == 0) {
-                        pid_t child;
-                        if (find_child(pid, &child) == 0) {
-                                pid = child;
-                                printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
-                        }
-                }
-                else {
+                if (strcmp(comm, "firejail") != 0) {
                         fprintf(stderr, "Error: this is not a firejail sandbox\n");
                         exit(1);
                 }
                 free(comm);
         }
-        else
-                errExit("/proc/PID/comm");
+        else {
+                fprintf(stderr, "Error: cannot find process %d\n", pid);
+                exit(1);
+        }
 
         // check privileges for non-root users
         uid_t uid = getuid();
@@ -58,20 +51,23 @@ void shut(pid_t pid) {
                 }
         }
 
-        EUID_ROOT();
         printf("Sending SIGTERM to %u\n", pid);
         kill(pid, SIGTERM);
 
-        // wait for not more than 10 seconds
-        sleep(2);
-        int monsec = 8;
+        // wait for not more than 11 seconds
+        int monsec = 11;
         char *monfile;
         if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
                 errExit("asprintf");
         int killdone = 0;
 
         while (monsec) {
-                FILE *fp = fopen(monfile, "r");
+                sleep(1);
+                monsec--;
+
+                EUID_ROOT();
+                FILE *fp = fopen(monfile, "re");
+                EUID_USER();
                 if (!fp) {
                         killdone = 1;
                         break;
@@ -85,23 +81,22 @@ void shut(pid_t pid) {
                         killdone = 1;
                         break;
                 }
-
-                sleep(1);
-                monsec--;
         }
         free(monfile);
 
 
         // force SIGKILL
         if (!killdone) {
-                // kill the process and also the parent
+                // kill the process and its child
+                pid_t child;
+                if (find_child(pid, &child) == 0) {
+                        printf("Sending SIGKILL to %u\n", child);
+                        kill(child, SIGKILL);
+                }
                 printf("Sending SIGKILL to %u\n", pid);
                 kill(pid, SIGKILL);
-                if (parent != pid) {
-                        printf("Sending SIGKILL to %u\n", parent);
-                        kill(parent, SIGKILL);
-                }
         }
 
-        clear_run_files(parent);
+        EUID_ROOT();
+        delete_run_files(pid);
 }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 28b5cc8a4..43f862b9d 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,230 +19,280 @@
 */
 #include "firejail.h"
 
-void usage(void) {
-        printf("firejail - version %s\n\n", VERSION);
-        printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n");
-        printf("restricting the running environment of untrusted applications using Linux\n");
-        printf("namespaces.\n");
-        printf("\n");
-        printf("Usage: firejail [options] [program and arguments]\n");
-        printf("\n");
-        printf("Options:\n");
-        printf("    -- - signal the end of options and disables further option processing.\n");
-        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-        printf("    --allow-private-blacklist - allow blacklisting files in private\n");
-        printf("\thome directories.\n");
-        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
-        printf("    --apparmor - enable AppArmor confinement.\n");
-        printf("    --appimage - sandbox an AppImage application.\n");
-        printf("    --audit[=test-program] - audit the sandbox.\n");
+static char *usage_str =
+        "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"
+        "restricting the running environment of untrusted applications using Linux\n"
+        "namespaces.\n"
+        "\n"
+        "Usage: firejail [options] [program and arguments]\n"
+        "\n"
+        "Options:\n"
+        "    -- - signal the end of options and disables further option processing.\n"
+        "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
+        "    --allusers - all user home directories are visible inside the sandbox.\n"
+        "    --apparmor - enable AppArmor confinement.\n"
+        "    --apparmor.print=name|pid - print apparmor status.\n"
+        "    --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK
-        printf("    --bandwidth=name|pid - set bandwidth limits.\n");
-#endif
-#ifdef HAVE_BIND
-        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
-        printf("    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n");
-#endif
-        printf("    --blacklist=filename - blacklist directory or file.\n");
-        printf("    --build - build a whitelisted profile for the application.\n");
-        printf("    -c - execute command and exit.\n");
-        printf("    --caps - enable default Linux capabilities filter.\n");
-        printf("    --caps.drop=all - drop all capabilities.\n");
-        printf("    --caps.drop=capability,capability - blacklist capabilities filter.\n");
-        printf("    --caps.keep=capability,capability - whitelist capabilities filter.\n");
-        printf("    --caps.print=name|pid - print the caps filter.\n");
-        printf("    --cgroup=tasks-file - place the sandbox in the specified control group.\n");
+        "    --bandwidth=name|pid - set bandwidth limits.\n"
+#endif
+        "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
+        "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
+        "    --blacklist=filename - blacklist directory or file.\n"
+        "    --build - build a whitelisted profile for the application.\n"
+        "    --build=filename - build a whitelisted profile for the application.\n"
+        "    --caps - enable default Linux capabilities filter.\n"
+        "    --caps.drop=all - drop all capabilities.\n"
+        "    --caps.drop=capability,capability - blacklist capabilities filter.\n"
+        "    --caps.keep=capability,capability - whitelist capabilities filter.\n"
+        "    --caps.print=name|pid - print the caps filter.\n"
+#ifdef HAVE_FILE_TRANSFER
+        "    --cat=name|pid filename - print content of file from sandbox container.\n"
+#endif
+        "    --cgroup=tasks-file - place the sandbox in the specified control group.\n"
 #ifdef HAVE_CHROOT
-        printf("    --chroot=dirname - chroot into directory.\n");
-#endif
-        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n");
-        printf("    --cpu.print=name|pid - print the cpus in use.\n");
-        printf("    --csh - use /bin/csh as default shell.\n");
-        printf("    --debug - print sandbox debug messages.\n");
-        printf("    --debug-blacklists - debug blacklisting.\n");
-        printf("    --debug-caps - print all recognized capabilities.\n");
-        printf("    --debug-check-filename - debug filename checking.\n");
-        printf("    --debug-errnos - print all recognized error numbers.\n");
-        printf("    --debug-protocols - print all recognized protocols.\n");
-        printf("    --debug-syscalls - print all recognized system calls.\n");
-#ifdef HAVE_WHITELIST
-        printf("    --debug-whitelists - debug whitelisting.\n");
+        "    --chroot=dirname - chroot into directory.\n"
 #endif
-#ifdef HAVE_NETWORK
-        printf("    --defaultgw=address - configure default gateway.\n");
+        "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
+        "    --cpu.print=name|pid - print the cpus in use.\n"
+#ifdef HAVE_DBUSPROXY
+        "    --dbus-log=file - set DBus log file location.\n"
+        "    --dbus-system=filter|none - set system DBus access policy.\n"
+        "    --dbus-system.broadcast=rule - allow signals on the system DBus according\n"
+        "\tto rule.\n"
+        "    --dbus-system.call=rule - allow calls on the system DBus according to rule.\n"
+        "    --dbus-system.log - turn on logging for the system DBus.\n"
+        "    --dbus-system.own=name - allow ownership of name on the system DBus.\n"
+        "    --dbus-system.see=name - allow seeing name on the system DBus.\n"
+        "    --dbus-system.talk=name - allow talking to name on the system DBus.\n"
+        "    --dbus-user=filter|none - set session DBus access policy.\n"
+        "    --dbus-user.broadcast=rule - allow signals on the session DBus according\n"
+        "\tto rule.\n"
+        "    --dbus-user.call=rule - allow calls on the session DBus according to rule.\n"
+        "    --dbus-user.log - turn on logging for the user DBus.\n"
+        "    --dbus-user.own=name - allow ownership of name on the session DBus.\n"
+        "    --dbus-user.see=name - allow seeing name on the session DBus.\n"
+        "    --dbus-user.talk=name - allow talking to name on the session DBus.\n"
 #endif
-        printf("    --dns=address - set DNS server.\n");
-        printf("    --dns.print=name|pid - print DNS configuration.\n");
-
-        printf("    --env=name=value - set environment variable.\n");
-        printf("    --force - attempt to start a new sandbox inside the existing sandbox.\n");
-        printf("    --fs.print=name|pid - print the filesystem log.\n");
-        printf("    --get=name|pid filename - get a file from sandbox container.\n");
-#ifdef HAVE_GIT_INSTALL
-        printf("    --git-install - download, compile and install mainline git version\n");
-        printf("\tof Firejail.\n");
-        printf("    --git-uninstall - uninstall mainline git version of Firejail\n");
-#endif
-        printf("    --help, -? - this help screen.\n");
-        printf("    --hostname=name - set sandbox hostname.\n");
-        printf("    --hosts-file=file - use file as /etc/hosts.\n");
-        printf("    --ignore=command - ignore command in profile files.\n");
+        "    --debug - print sandbox debug messages.\n"
+        "    --debug-blacklists - debug blacklisting.\n"
+        "    --debug-caps - print all recognized capabilities.\n"
+        "    --debug-errnos - print all recognized error numbers.\n"
+        "    --debug-private-lib - debug for --private-lib option.\n"
+        "    --debug-protocols - print all recognized protocols.\n"
+        "    --debug-syscalls - print all recognized system calls.\n"
+        "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
+        "    --debug-whitelists - debug whitelisting.\n"
 #ifdef HAVE_NETWORK
-        printf("    --interface=name - move interface in sandbox.\n");
-        printf("    --ip=address - set interface IP address.\n");
-        printf("    --ip=none - no IP address and no default gateway are configured.\n");
-        printf("    --ip6=address - set interface IPv6 address.\n");
-        printf("    --iprange=address,address - configure an IP address in this range.\n");
-#endif
-        printf("    --ipc-namespace - enable a new IPC namespace.\n");
-        printf("    --join=name|pid - join the sandbox.\n");
-        printf("    --join-filesystem=name|pid - join the mount namespace.\n");
+        "    --defaultgw=address - configure default gateway.\n"
+#endif
+        "    --deterministic-exit-code - always exit with first child's status code.\n"
+        "    --dns=address - set DNS server.\n"
+        "    --dns.print=name|pid - print DNS configuration.\n"
+        "    --env=name=value - set environment variable.\n"
+        "    --fs.print=name|pid - print the filesystem log.\n"
+#ifdef HAVE_FILE_TRANSFER
+        "    --get=name|pid filename - get a file from sandbox container.\n"
+#endif
+        "    --help, -? - this help screen.\n"
+        "    --hostname=name - set sandbox hostname.\n"
+        "    --hosts-file=file - use file as /etc/hosts.\n"
+        "    --ids-check - verify file system.\n"
+        "    --ids-init - initialize IDS database.\n"
+        "    --ignore=command - ignore command in profile files.\n"
 #ifdef HAVE_NETWORK
-        printf("    --join-network=name|pid - join the network namespace.\n");
+        "    --interface=name - move interface in sandbox.\n"
+        "    --ip=address - set interface IP address.\n"
+        "    --ip=none - no IP address and no default gateway are configured.\n"
+        "    --ip=dhcp - acquire IP address by running dhclient.\n"
+        "    --ip6=address - set interface IPv6 address.\n"
+        "    --ip6=dhcp - acquire IPv6 address by running dhclient.\n"
+        "    --iprange=address,address - configure an IP address in this range.\n"
 #endif
-        printf("    --join-or-start=name|pid - join the sandbox or start a new one.\n");
-        printf("    --list - list all sandboxes.\n");
-        printf("    --ls=name|pid dir_or_filename - list files in sandbox container.\n");
+        "    --ipc-namespace - enable a new IPC namespace.\n"
+        "    --join=name|pid - join the sandbox.\n"
+        "    --join-filesystem=name|pid - join the mount namespace.\n"
 #ifdef HAVE_NETWORK
-        printf("    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n");
+        "    --join-network=name|pid - join the network namespace.\n"
 #endif
-        printf("    --machine-id - preserve /etc/machine-id\n");
-#ifdef HAVE_SECCOMP
-        printf("    --memory-deny-write-execute - seccomp filter to block attempts to create\n");
-        printf("\tmemory mappings  that are both writable and executable.\n");
+        "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
+        "    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+        "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+        "    --keep-var-tmp - /var/tmp directory is untouched.\n"
+        "    --list - list all sandboxes.\n"
+#ifdef HAVE_FILE_TRANSFER
+        "    --ls=name|pid dir_or_filename - list files in sandbox container.\n"
 #endif
 #ifdef HAVE_NETWORK
-        printf("    --mtu=number - set interface MTU.\n");
+        "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
-        printf("    --name=name - set sandbox name.\n");
+        "    --machine-id - preserve /etc/machine-id\n"
+        "    --memory-deny-write-execute - seccomp filter to block attempts to create\n"
+        "\tmemory mappings that are both writable and executable.\n"
+        "    --mkdir=dirname - create a directory.\n"
+        "    --mkfile=filename - create a file.\n"
 #ifdef HAVE_NETWORK
-        printf("    --net=bridgename - enable network namespaces and connect to this bridge.\n");
-        printf("    --net=ethernet_interface - enable network namespaces and connect to this\n");
-        printf("\tEthernet interface.\n");
-        printf("    --net=none - enable a new, unconnected network namespace.\n");
-        printf("    --netfilter[=filename] - enable the default client network filter.\n");
-        printf("    --netfilter6=filename - enable the IPv6 network filter.\n");
-        printf("    --netns=name - Run the program in a named, persistent network namespace.\n");
-        printf("    --netstats - monitor network statistics.\n");
-#endif
-        printf("    --nice=value - set nice value.\n");
-        printf("    --no3d - disable 3D hardware acceleration.\n");
-        printf("    --noblacklist=filename - disable blacklist for file or directory .\n");
-        printf("    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
-        printf("    --nogroups - disable supplementary groups.\n");
-        printf("    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
-        printf("    --noprofile - do not use a security profile.\n");
-#ifdef HAVE_USERNS
-        printf("    --noroot - install a user namespace with only the current user.\n");
-#endif
-        printf("    --nosound - disable sound system.\n");
-        printf("    --novideo - disable video devices.\n");
-        printf("    --nowhitelist=filename - disable whitelist for file or directory .\n");
-        printf("    --output=logfile - stdout logging and log rotation.\n");
-        printf("    --output-stderr=logfile - stdout and stderr logging and log rotation.\n");
-        printf("    --overlay - mount a filesystem overlay on top of the current filesystem.\n");
-        printf("    --overlay-named=name - mount a filesystem overlay on top of the current\n");
-        printf("\tfilesystem, and store it in name directory.\n");
-        printf("    --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n");
-        printf("\tcurrent filesystem.\n");
-        printf("    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n");
-        printf("    --private - temporary home directory.\n");
-        printf("    --private=directory - use directory as user home.\n");
-        printf("    --private-home=file,directory - build a new user home in a temporary\n");
-        printf("\tfilesystem, and copy the files and directories in the list in\n");
-        printf("\tthe new home.\n");
-        printf("    --private-bin=file,file - build a new /bin in a temporary filesystem,\n");
-        printf("\tand copy the programs in the list.\n");
-        printf("    --private-dev - create a new /dev directory with a small number of\n");
-        printf("\tcommon device files.\n");
-        printf("    --private-etc=file,directory - build a new /etc in a temporary\n");
-        printf("\tfilesystem, and copy the files and directories in the list.\n");
-        printf("    --private-tmp - mount a tmpfs on top of /tmp directory.\n");
-        printf("    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n");
-        printf("    --profile=filename - use a custom profile.\n");
-        printf("    --profile.print=name|pid - print the name of profile file.\n");
-        printf("    --profile-path=directory - use this directory to look for profile files.\n");
-        printf("    --protocol=protocol,protocol,protocol - enable protocol filter.\n");
-        printf("    --protocol.print=name|pid - print the protocol filter.\n");
-        printf("    --put=name|pid src-filename dest-filename - put a file in sandbox\n");
-        printf("\tcontainer.\n");
-        printf("    --quiet - turn off Firejail's output.\n");
-        printf("    --read-only=filename - set directory or file read-only..\n");
-        printf("    --read-write=filename - set directory or file read-write.\n");
-        printf("    --rlimit-fsize=number - set the maximum file size that can be created\n");
-        printf("\tby a process.\n");
-        printf("    --rlimit-nofile=number - set the maximum number of files that can be\n");
-        printf("\topened by a process.\n");
-        printf("    --rlimit-nproc=number - set the maximum number of processes that can be\n");
-        printf("\tcreated for the real user ID of the calling process.\n");
-        printf("    --rlimit-sigpending=number - set the maximum number of pending signals\n");
-        printf("\tfor a process.\n");
-        printf("    --rmenv=name - remove environment variable in the new sandbox.\n");
+        "    --mtu=number - set interface MTU.\n"
+#endif
+        "    --name=name - set sandbox name.\n"
 #ifdef HAVE_NETWORK
-        printf("    --scan - ARP-scan all the networks from inside a network namespace.\n");
-#endif
-#ifdef HAVE_SECCOMP
-        printf("    --seccomp - enable seccomp filter and apply the default blacklist.\n");
-        printf("    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n");
-        printf("\tdefault syscall list and the syscalls specified by the command.\n");
-        printf("    --seccomp.block-secondary - build only the native architecture filters.\n");
-        printf("    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\tblacklist the syscalls specified by the command.\n");
-        printf("    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n");
-        printf("\twhitelist the syscalls specified by the command.\n");
-        printf("    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n");
-        printf("\tidentified by name or PID.\n");
-#endif
-        printf("    --shell=none - run the program directly without a user shell.\n");
-        printf("    --shell=program - set default user shell.\n");
-        printf("    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n");
-        printf("    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n");
-        printf("    --top - monitor the most CPU-intensive sandboxes.\n");
-        printf("    --trace - trace open, access and connect system calls.\n");
-        printf("    --tracelog - add a syslog message for every access to files or\n");
-        printf("\tdirectoires blacklisted by the security profile.\n");
-        printf("    --tree - print a tree of all sandboxed processes.\n");
-        printf("    --version - print program version and exit.\n");
+        "    --net=bridgename - enable network namespaces and connect to this bridge.\n"
+        "    --net=ethernet_interface - enable network namespaces and connect to this\n"
+        "\tEthernet interface.\n"
+        "    --net=none - enable a new, unconnected network namespace.\n"
+        "    --net.print=name|pid - print network interface configuration.\n"
+        "    --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"
+        "    --netfilter.print=name|pid - print the firewall.\n"
+        "    --netfilter6=filename - enable IPv6 firewall.\n"
+        "    --netfilter6.print=name|pid - print the IPv6 firewall.\n"
+        "    --netmask=address - define a network mask when dealing with unconfigured\n"
+        "\tparent interfaces.\n"
+        "    --netns=name - Run the program in a named, persistent network namespace.\n"
+        "    --netstats - monitor network statistics.\n"
+#endif
+        "    --nice=value - set nice value.\n"
+        "    --no3d - disable 3D hardware acceleration.\n"
+        "    --noblacklist=filename - disable blacklist for file or directory.\n"
+        "    --nodbus - disable D-Bus access.\n"
+        "    --nodvd - disable DVD and audio CD devices.\n"
+        "    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
+        "    --nogroups - disable supplementary groups.\n"
+        "    --noinput - disable input devices.\n"
+        "    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+        "    --noprofile - do not use a security profile.\n"
+#ifdef HAVE_USERNS
+        "    --noroot - install a user namespace with only the current user.\n"
+#endif
+        "    --nosound - disable sound system.\n"
+        "    --noautopulse - disable automatic ~/.config/pulse init.\n"
+        "    --novideo - disable video devices.\n"
+        "    --nou2f - disable U2F devices.\n"
+        "    --nowhitelist=filename - disable whitelist for file or directory.\n"
+#ifdef HAVE_OUTPUT
+        "    --output=logfile - stdout logging and log rotation.\n"
+        "    --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
+#endif
+#ifdef HAVE_OVERLAYFS
+        "    --overlay - mount a filesystem overlay on top of the current filesystem.\n"
+        "    --overlay-named=name - mount a filesystem overlay on top of the current\n"
+        "\tfilesystem, and store it in name directory.\n"
+        "    --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"
+        "\tcurrent filesystem.\n"
+        "    --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"
+#endif
+        "    --private - temporary home directory.\n"
+        "    --private=directory - use directory as user home.\n"
+        "    --private-cache - temporary ~/.cache directory.\n"
+        "    --private-home=file,directory - build a new user home in a temporary\n"
+        "\tfilesystem, and copy the files and directories in the list in\n"
+        "\tthe new home.\n"
+        "    --private-bin=file,file - build a new /bin in a temporary filesystem,\n"
+        "\tand copy the programs in the list.\n"
+        "    --private-dev - create a new /dev directory with a small number of\n"
+        "\tcommon device files.\n"
+        "    --private-etc=file,directory - build a new /etc in a temporary\n"
+        "\tfilesystem, and copy the files and directories in the list.\n"
+        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
+        "    --private-cwd - do not inherit working directory inside jail.\n"
+        "    --private-cwd=directory - set working directory inside jail.\n"
+        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
+        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
+        "    --profile=filename|profile_name - use a custom profile.\n"
+        "    --profile.print=name|pid - print the name of profile file.\n"
+        "    --profile-path=directory - use this directory to look for profile files.\n"
+        "    --protocol=protocol,protocol,protocol - enable protocol filter.\n"
+        "    --protocol.print=name|pid - print the protocol filter.\n"
+#ifdef HAVE_FILE_TRANSFER
+        "    --put=name|pid src-filename dest-filename - put a file in sandbox\n"
+        "\tcontainer.\n"
+#endif
+        "    --quiet - turn off Firejail's output.\n"
+        "    --read-only=filename - set directory or file read-only.\n"
+        "    --read-write=filename - set directory or file read-write.\n"
+        "    --rlimit-as=number - set the maximum size of the process's virtual memory.\n"
+        "\t(address space) in bytes.\n"
+        "    --rlimit-cpu=number - set the maximum CPU time in seconds.\n"
+        "    --rlimit-fsize=number - set the maximum file size that can be created\n"
+        "\tby a process.\n"
+        "    --rlimit-nofile=number - set the maximum number of files that can be\n"
+        "\topened by a process.\n"
+        "    --rlimit-nproc=number - set the maximum number of processes that can be\n"
+        "\tcreated for the real user ID of the calling process.\n"
+        "    --rlimit-sigpending=number - set the maximum number of pending signals\n"
+        "\tfor a process.\n"
+        "    --rmenv=name - remove environment variable in the new sandbox.\n"
 #ifdef HAVE_NETWORK
-        printf("    --veth-name=name - use this name for the interface connected to the bridge.\n");
+        "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-#ifdef HAVE_WHITELIST
-        printf("    --whitelist=filename - whitelist directory or file.\n");
+        "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
+        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
+        "\tdefault syscall list and the syscalls specified by the command.\n"
+        "    --seccomp.block-secondary - build only the native architecture filters.\n"
+        "    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
+        "\tblacklist the syscalls specified by the command.\n"
+        "    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
+        "\twhitelist the syscalls specified by the command.\n"
+        "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
+        "\tidentified by name or PID.\n"
+        "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
+        "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
+        "\tor log the attempt.\n"
+        "    --shell=none - run the program directly without a user shell.\n"
+        "    --shell=program - set default user shell.\n"
+        "    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
+        "    --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"
+        "\thas elapsed.\n"
+        "    --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"
+        "    --top - monitor the most CPU-intensive sandboxes.\n"
+        "    --trace - trace open, access and connect system calls.\n"
+        "    --tracelog - add a syslog message for every access to files or\n"
+        "\tdirectories blacklisted by the security profile.\n"
+        "    --tree - print a tree of all sandboxed processes.\n"
+        "    --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+        "\tfiretunnel utility.\n"
+        "    --version - print program version and exit.\n"
+#ifdef HAVE_NETWORK
+        "    --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-        printf("    --writable-etc - /etc directory is mounted read-write.\n");
-        printf("    --writable-run-user - allow access to /run/user/$UID/systemd and\n");
-        printf("\t/run/user/$UID/gnupg.\n");
-        printf("    --writable-var - /var directory is mounted read-write.\n");
-        printf("    --writable-var-log - use the real /var/log directory, not a clone.\n");
+        "    --whitelist=filename - whitelist directory or file.\n"
+        "    --writable-etc - /etc directory is mounted read-write.\n"
+        "    --writable-run-user - allow access to /run/user/$UID/systemd and\n"
+        "\t/run/user/$UID/gnupg.\n"
+        "    --writable-var - /var directory is mounted read-write.\n"
+        "    --writable-var-log - use the real /var/log directory, not a clone.\n"
 #ifdef HAVE_X11
-        printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
-        printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
-        printf("\tattempt to use X11 security extension.\n");
-        printf("    --x11=none - disable access to X11 sockets.\n");
-        printf("    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n");
-        printf("    --x11=xorg - enable X11 security extension.\n");
-        printf("    --x11=xpra - enable Xpra X11 server.\n");
-        printf("    --x11=xvfb - enable Xvfb X11 server.\n");
-        printf("    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n");
-#endif
-        printf("    --zsh - use /usr/bin/zsh as default shell.\n");
-        printf("\n");
-        printf("Examples:\n");
-        printf("    $ firejail firefox\n");
-        printf("\tstart Mozilla Firefox\n");
-        printf("    $ firejail --debug firefox\n");
-        printf("\tdebug Firefox sandbox\n");
-        printf("    $ firejail --private --dns=8.8.8.8 firefox\n");
-        printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
-        printf("\tserver setting.\n");
-        printf("    $ firejail --net=eth0 firefox\n");
-        printf("\tstart Firefox in a new network namespace\n");
-        printf("    $ firejail --x11=xorg firefox\n");
-        printf("\tstart Firefox and sandbox X11\n");
-        printf("    $ firejail --list\n");
-        printf("\tlist all running sandboxes\n");
-        printf("\n");
-        printf("License GPL version 2 or later\n");
-        printf("Homepage: http://firejail.wordpress.com\n");
-        printf("\n");
+        "    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"
+        "\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"
+        "\tattempt to use X11 security extension.\n"
+        "    --x11=none - disable access to X11 sockets.\n"
+        "    --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"
+        "    --x11=xorg - enable X11 security extension.\n"
+        "    --x11=xpra - enable Xpra X11 server.\n"
+        "    --x11=xvfb - enable Xvfb X11 server.\n"
+        "    --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"
+#endif
+        "\n"
+        "Examples:\n"
+        "    $ firejail firefox\n"
+        "\tstart Mozilla Firefox\n"
+        "    $ firejail --debug firefox\n"
+        "\tdebug Firefox sandbox\n"
+        "    $ firejail --private --dns=8.8.8.8 firefox\n"
+        "\tstart Firefox with a new, empty home directory, and a well-known DNS\n"
+        "\tserver setting.\n"
+        "    $ firejail --net=eth0 firefox\n"
+        "\tstart Firefox in a new network namespace\n"
+        "    $ firejail --x11=xorg firefox\n"
+        "\tstart Firefox and sandbox X11\n"
+        "    $ firejail --list\n"
+        "\tlist all running sandboxes\n"
+        "\n"
+        "License GPL version 2 or later\n"
+        "Homepage: https://firejail.wordpress.com\n"
+        "\n";
+
+
+void usage(void) {
+        printf("firejail - version %s\n\n", VERSION);
+        puts(usage_str);
 }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 4d1c94c25..094a68c60 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,9 +19,10 @@
  */
 #define _XOPEN_SOURCE 500
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <ftw.h>
 #include <sys/stat.h>
-#include <fcntl.h>
+#include <sys/mount.h>
 #include <syslog.h>
 #include <errno.h>
 #include <dirent.h>
@@ -29,55 +30,168 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <sys/wait.h>
+#include <limits.h>
+
+#include <string.h>
+#include <ctype.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#include <sys/syscall.h>
+#ifdef __NR_openat2
+#include <linux/openat2.h>
+#endif
 
 #define MAX_GROUPS 1024
+#define MAXBUF 4098
+#define EMPTY_STRING ("")
+
+
+long long unsigned parse_arg_size(char *str) {
+        long long unsigned result = 0;
+        int len = strlen(str);
+        sscanf(str, "%llu", &result);
+
+        char suffix = *(str + len - 1);
+        if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) {
+                len -= 1;
+        }
+
+        /* checks for is value valid positive number */
+        for (int i = 0; i < len; i++) {
+                if (!isdigit(*(str+i))) {
+                        return 0;
+                }
+        }
+
+        if (isdigit(suffix))
+                return result;
+
+        switch (suffix) {
+        case 'k':
+                result *= 1024;
+                break;
+        case 'm':
+                result *= 1024 * 1024;
+                break;
+        case 'g':
+                result *= 1024 * 1024 * 1024;
+                break;
+        default:
+                result = 0;
+                break;
+        }
+
+        return result;
+}
+
+// send the error to /var/log/auth.log and exit after a small delay
+void errLogExit(char* fmt, ...) {
+        va_list args;
+        va_start(args,fmt);
+        openlog("firejail", LOG_NDELAY | LOG_PID, LOG_AUTH);
+        MountData *m = get_last_mount();
+
+        char *msg1;
+        char *msg2  = "Access error";
+        if (vasprintf(&msg1, fmt, args) != -1 &&
+            asprintf(&msg2, "Access error: uid %d, last mount name:%s dir:%s type:%s - %s", getuid(), m->fsname, m->dir, m->fstype, msg1) != -1)
+                syslog(LOG_CRIT, "%s", msg2);
+        va_end(args);
+        closelog();
+
+        sleep(2);
+        fprintf(stderr, "%s\n", msg2);
+        exit(1);
+}
+
+static void clean_supplementary_groups(gid_t gid) {
+        assert(cfg.username);
+        gid_t groups[MAX_GROUPS];
+        int ngroups = MAX_GROUPS;
+        int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
+        if (rv == -1)
+                goto clean_all;
+
+        // clean supplementary group list
+        // allow only firejail, tty, audio, video, games
+        gid_t new_groups[MAX_GROUPS];
+        int new_ngroups = 0;
+        char *allowed[] = {
+                "firejail",
+                "tty",
+                "audio",
+                "video",
+                "games",
+                NULL
+        };
+
+        int i = 0;
+        while (allowed[i]) {
+                gid_t g = get_group_id(allowed[i]);
+                if (g) {
+                        int j;
+                        for (j = 0; j < ngroups; j++) {
+                                if (g == groups[j]) {
+                                        new_groups[new_ngroups] = g;
+                                        new_ngroups++;
+                                        break;
+                                }
+                        }
+                }
+                i++;
+        }
+
+        if (new_ngroups) {
+                rv = setgroups(new_ngroups, new_groups);
+                if (rv)
+                        goto clean_all;
+
+                if (arg_debug) {
+                        printf("Supplementary groups: ");
+                        for (i = 0; i < new_ngroups; i++)
+                                printf("%d ", new_groups[i]);
+                        printf("\n");
+                }
+        }
+        else
+                goto clean_all;
+
+        return;
+
+clean_all:
+        fwarning("cleaning all supplementary groups\n");
+        if (setgroups(0, NULL) < 0)
+                errExit("setgroups");
+}
+
+
 // drop privileges
 // - for root group or if nogroups is set, supplementary groups are not configured
 void drop_privs(int nogroups) {
-        EUID_ROOT();
         gid_t gid = getgid();
+        if (arg_debug)
+                printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n",  getpid(), getuid(), gid, nogroups);
 
         // configure supplementary groups
+        EUID_ROOT();
         if (gid == 0 || nogroups) {
                 if (setgroups(0, NULL) < 0)
                         errExit("setgroups");
                 if (arg_debug)
-                        printf("Username %s, no supplementary groups\n", cfg.username);
-        }
-        else {
-                assert(cfg.username);
-                gid_t groups[MAX_GROUPS];
-                int ngroups = MAX_GROUPS;
-                int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
-
-                if (arg_debug && rv) {
-                        printf("Username %s, groups ", cfg.username);
-                        int i;
-                        for (i = 0; i < ngroups; i++)
-                                printf("%u, ", groups[i]);
-                        printf("\n");
-                }
-
-                if (rv == -1) {
-                        fwarning("cannot extract supplementary group list, dropping them\n");
-                        if (setgroups(0, NULL) < 0)
-                                errExit("setgroups");
-                }
-                else {
-                        rv = setgroups(ngroups, groups);
-                        if (rv) {
-                                fwarning("cannot set supplementary group list, dropping them\n");
-                                if (setgroups(0, NULL) < 0)
-                                        errExit("setgroups");
-                        }
-                }
+                        printf("No supplementary groups\n");
         }
+        else if (arg_noroot)
+                clean_supplementary_groups(gid);
 
         // set uid/gid
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
+        if (setresgid(-1, getgid(), getgid()) != 0)
+                errExit("setresgid");
+        if (setresuid(-1, getuid(), getuid()) != 0)
+                errExit("setresuid");
 }
 
 
@@ -95,7 +209,6 @@ int mkpath_as_root(const char* path) {
                 *p='\0';
                 if (mkdir(file_path, 0755)==-1) {
                         if (errno != EEXIST) {
-                                *p='/';
                                 free(file_path);
                                 return -1;
                         }
@@ -126,6 +239,16 @@ void fwarning(char* fmt, ...) {
         va_end(args);
 }
 
+void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/fnet/interface.c
+        if (arg_quiet)
+                return;
+
+        va_list args;
+        va_start(args,fmt);
+        vfprintf(stderr, fmt, args);
+        va_end(args);
+        fflush(0);
+}
 
 void logsignal(int s) {
         if (!arg_debug)
@@ -180,6 +303,16 @@ void logerr(const char *msg) {
         closelog();
 }
 
+
+void set_nice(int inc) {
+        errno = 0;
+        int rv = nice(inc);
+        (void) rv;
+        if (errno)
+                fwarning("cannot set nice value\n");
+}
+
+
 static int copy_file_by_fd(int src, int dst) {
         assert(src >= 0);
         assert(dst >= 0);
@@ -196,8 +329,9 @@ static int copy_file_by_fd(int src, int dst) {
                         done += rv;
                 }
         }
-//      fflush(0);
-        return 0;
+        if (len == 0)
+                return 0;
+        return -1;
 }
 
 // return -1 if error, 0 if no error; if destname already exists, return error
@@ -206,14 +340,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
         assert(destname);
 
         // open source
-        int src = open(srcname, O_RDONLY);
+        int src = open(srcname, O_RDONLY|O_CLOEXEC);
         if (src < 0) {
                 fwarning("cannot open source file %s, file not copied\n", srcname);
                 return -1;
         }
 
         // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
                 fwarning("cannot open destination file %s, file not copied\n", destname);
                 close(src);
@@ -233,7 +367,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 }
 
 // return -1 if error, 0 if no error
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
@@ -241,13 +375,13 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                 // drop privileges
                 drop_privs(0);
 
-                // copy, set permissions and ownership
-                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                // copy, set permissions
+                int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                 if (rv)
                         fwarning("cannot copy %s\n", srcname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -256,7 +390,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
 
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
         // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
                 fwarning("cannot open destination file %s, file not copied\n", destname);
                 return;
@@ -269,7 +403,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
                 // drop privileges
                 drop_privs(0);
 
-                int src = open(srcname, O_RDONLY);
+                int src = open(srcname, O_RDONLY|O_CLOEXEC);
                 if (src < 0) {
                         fwarning("cannot open source file %s, file not copied\n", srcname);
                 } else {
@@ -279,9 +413,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
                         close(src);
                 }
                 close(dst);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -294,7 +428,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
 }
 
 // return -1 if error, 0 if no error
-void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+void touch_file_as_user(const char *fname, mode_t mode) {
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
@@ -302,15 +436,17 @@ void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
                 // drop privileges
                 drop_privs(0);
 
-                FILE *fp = fopen(fname, "w");
-                if (fp) {
-                        fprintf(fp, "\n");
-                        SET_PERMS_STREAM(fp, uid, gid, mode);
-                        fclose(fp);
+                int fd = open(fname, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (fd > -1) {
+                        int err = fchmod(fd, mode);
+                        (void) err;
+                        close(fd);
                 }
-#ifdef HAVE_GCOV
+                else
+                        fwarning("cannot create %s\n", fname);
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -323,6 +459,13 @@ int is_dir(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
         // if fname doesn't end in '/', add one
         int rv;
         struct stat s;
@@ -338,6 +481,9 @@ int is_dir(const char *fname) {
                 free(tmp);
         }
 
+        if (called_as_root)
+                EUID_ROOT();
+
         if (rv == -1)
                 return 0;
 
@@ -347,32 +493,117 @@ int is_dir(const char *fname) {
         return 0;
 }
 
-
 // return 1 if the file is a link
 int is_link(const char *fname) {
         assert(fname);
         if (*fname == '\0')
                 return 0;
 
-        struct stat s;
-        if (lstat(fname, &s) == 0) {
-                if (S_ISLNK(s.st_mode))
-                        return 1;
-        }
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
 
-        return 0;
+        if (called_as_root)
+                EUID_USER();
+
+        // remove trailing '/' if any
+        char *tmp = strdup(fname);
+        if (!tmp)
+                errExit("strdup");
+        trim_trailing_slash_or_dot(tmp);
+
+        char c;
+        ssize_t rv = readlink(tmp, &c, 1);
+        free(tmp);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return (rv != -1);
 }
 
+char *realpath_as_user(const char *fname) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        char *rv = realpath(fname, NULL);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int stat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = stat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int lstat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = lstat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+// remove all slashes and single dots from the end of a path
+// for example /foo/bar///././. -> /foo/bar
+void trim_trailing_slash_or_dot(char *path) {
+        assert(path);
+
+        char *end = strchr(path, '\0');
+        if ((end - path) > 1) {
+                end--;
+                while (*end == '/' ||
+                      (*end == '.' && *(end - 1) == '/')) {
+                        *end = '\0';
+                        end--;
+                        if (end == path)
+                                break;
+                }
+        }
+}
 
 // remove multiple spaces and return allocated memory
 char *line_remove_spaces(const char *buf) {
         EUID_ASSERT();
         assert(buf);
-        if (strlen(buf) == 0)
+        size_t len = strlen(buf);
+        if (len == 0)
                 return NULL;
 
         // allocate memory for the new string
-        char *rv = malloc(strlen(buf) + 1);
+        char *rv = malloc(len + 1);
         if (rv == NULL)
                 errExit("malloc");
 
@@ -430,6 +661,43 @@ char *split_comma(char *str) {
 }
 
 
+// simplify absolute path by removing
+// 1) consecutive and trailing slashes, and
+// 2) segments with a single dot
+// for example /foo//./bar/ -> /foo/bar
+char *clean_pathname(const char *path) {
+        assert(path && path[0] == '/');
+
+        size_t len = strlen(path);
+        char *rv = malloc(len + 1);
+        if (!rv)
+                errExit("malloc");
+
+        size_t i = 0;
+        size_t j = 0;
+        while (path[i]) {
+                if (path[i] == '/') {
+                        while (path[i+1] == '/' ||
+                              (path[i+1] == '.' && path[i+2] == '/'))
+                                i++;
+                }
+
+                rv[j++] = path[i++];
+        }
+        rv[j] = '\0';
+
+        // remove a trailing dot
+        if (j > 1 && rv[j - 1] == '.' && rv[j - 2] == '/')
+                rv[--j] = '\0';
+
+        // remove a trailing slash
+        if (j > 1 && rv[j - 1] == '/')
+                rv[--j] = '\0';
+
+        return rv;
+}
+
+
 void check_unsigned(const char *str, const char *msg) {
         EUID_ASSERT();
         const char *ptr = str;
@@ -475,7 +743,7 @@ int find_child(pid_t parent, pid_t *child) {
                         perror("asprintf");
                         exit(1);
                 }
-                FILE *fp = fopen(file, "r");
+                FILE *fp = fopen(file, "re");
                 if (!fp) {
                         free(file);
                         continue;
@@ -493,8 +761,15 @@ int find_child(pid_t parent, pid_t *child) {
                                         fprintf(stderr, "Error: cannot read /proc file\n");
                                         exit(1);
                                 }
-                                if (parent == atoi(ptr))
-                                        *child = pid;
+                                if (parent == atoi(ptr)) {
+                                        // we don't want /usr/bin/xdg-dbus-proxy!
+                                        char *cmdline = pid_proc_cmdline(pid);
+                                        if (cmdline) {
+                                                if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
+                                                        *child = pid;
+                                                free(cmdline);
+                                        }
+                                }
                                 break;            // stop reading the file
                         }
                 }
@@ -533,33 +808,33 @@ void extract_command_name(int index, char **argv) {
         if (!cfg.command_name)
                 errExit("strdup");
 
-        // restrict the command name to the first word
-        char *ptr = cfg.command_name;
-        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
-                ptr++;
-        *ptr = '\0';
-
         // remove the path: /usr/bin/firefox becomes firefox
-        ptr = strrchr(cfg.command_name, '/');
+        char *basename = cfg.command_name;
+        char *ptr = strrchr(cfg.command_name, '/');
         if (ptr) {
-                ptr++;
+                basename = ++ptr;
                 if (*ptr == '\0') {
                         fprintf(stderr, "Error: invalid command name\n");
                         exit(1);
                 }
+        }
+        else
+                ptr = basename;
 
-                char *tmp = strdup(ptr);
-                if (!tmp)
-                        errExit("strdup");
+        // restrict the command name to the first word
+        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
+                ptr++;
+
+        // command name is a substring of cfg.command_name
+        if (basename != cfg.command_name || *ptr != '\0') {
+                *ptr = '\0';
 
-                // limit the command to the first ' '
-                char *ptr2 = tmp;
-                while (*ptr2 != ' ' && *ptr2 != '\0')
-                        ptr2++;
-                *ptr2 = '\0';
+                basename = strdup(basename);
+                if (!basename)
+                        errExit("strdup");
 
                 free(cfg.command_name);
-                cfg.command_name = tmp;
+                cfg.command_name = basename;
         }
 }
 
@@ -576,7 +851,7 @@ void update_map(char *mapping, char *map_file) {
                 if (mapping[j] == ',')
                         mapping[j] = '\n';
 
-        fd = open(map_file, O_RDWR);
+        fd = open(map_file, O_RDWR|O_CLOEXEC);
         if (fd == -1) {
                 fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno));
                 exit(EXIT_FAILURE);
@@ -596,9 +871,9 @@ void wait_for_other(int fd) {
         // wait for the parent to be initialized
         //****************************
         char childstr[BUFLEN + 1];
-        int newfd = dup(fd);
+        int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0);
         if (newfd == -1)
-                errExit("dup");
+                errExit("fcntl");
         FILE* stream;
         stream = fdopen(newfd, "r");
         *childstr = '\0';
@@ -645,61 +920,15 @@ void wait_for_other(int fd) {
 
 void notify_other(int fd) {
         FILE* stream;
-        int newfd = dup(fd);
+        int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0);
         if (newfd == -1)
-                errExit("dup");
+                errExit("fcntl");
         stream = fdopen(newfd, "w");
         fprintf(stream, "arg_noroot=%d\n", arg_noroot);
         fflush(stream);
         fclose(stream);
 }
 
-
-// This function takes a pathname supplied by the user and expands '~' and
-// '${HOME}' at the start, to refer to a path relative to the user's home
-// directory (supplied).
-// The return value is allocated using malloc and must be freed by the caller.
-// The function returns NULL if there are any errors.
-char *expand_home(const char *path, const char* homedir) {
-        assert(path);
-        assert(homedir);
-
-        // Replace home macro
-        char *new_name = NULL;
-        if (strncmp(path, "${HOME}", 7) == 0) {
-                if (asprintf(&new_name, "%s%s", homedir, path + 7) == -1)
-                        errExit("asprintf");
-                return new_name;
-        }
-        else if (*path == '~') {
-                if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1)
-                        errExit("asprintf");
-                return new_name;
-        }
-        else if (strncmp(path, "${CFG}", 6) == 0) {
-                if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1)
-                        errExit("asprintf");
-                return new_name;
-        }
-
-        char *rv = strdup(path);
-        if (!rv)
-                errExit("strdup");
-        return rv;
-}
-
-
-// Equivalent to the GNU version of basename, which is incompatible with
-// the POSIX basename. A few lines of code saves any portability pain.
-// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
-const char *gnu_basename(const char *path) {
-        const char *last_slash = strrchr(path, '/');
-        if (!last_slash)
-                return path;
-        return last_slash+1;
-}
-
-
 uid_t pid_get_uid(pid_t pid) {
         EUID_ASSERT();
         uid_t rv = 0;
@@ -711,7 +940,7 @@ uid_t pid_get_uid(pid_t pid) {
                 exit(1);
         }
         EUID_ROOT();                              // grsecurity fix
-        FILE *fp = fopen(file, "r");
+        FILE *fp = fopen(file, "re");
         if (!fp) {
                 free(file);
                 fprintf(stderr, "Error: cannot open /proc file\n");
@@ -723,12 +952,14 @@ uid_t pid_get_uid(pid_t pid) {
         char buf[PIDS_BUFLEN];
         while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
                 if (strncmp(buf, "Uid:", 4) == 0) {
-                        char *ptr = buf + 5;
+                        char *ptr = buf + 4;
                         while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
                                 ptr++;
                         }
-                        if (*ptr == '\0')
-                                break;
+                        if (*ptr == '\0') {
+                                fprintf(stderr, "Error: cannot read /proc file\n");
+                                exit(1);
+                        }
 
                         rv = atoi(ptr);
                         break;                    // break regardless!
@@ -739,36 +970,10 @@ uid_t pid_get_uid(pid_t pid) {
         free(file);
         EUID_USER();                              // grsecurity fix
 
-        if (rv == 0) {
-                fprintf(stderr, "Error: cannot read /proc file\n");
-                exit(1);
-        }
         return rv;
 }
 
 
-void invalid_filename(const char *fname) {
-//      EUID_ASSERT();
-        assert(fname);
-        const char *ptr = fname;
-
-        if (arg_debug_check_filename)
-                printf("Checking filename %s\n", fname);
-
-        if (strncmp(ptr, "${HOME}", 7) == 0)
-                ptr = fname + 7;
-        else if (strncmp(ptr, "${PATH}", 7) == 0)
-                ptr = fname + 7;
-        else if (strcmp(fname, "${DOWNLOADS}") == 0)
-                return;
-
-        int len = strlen(ptr);
-        // file globbing ('*') is allowed
-        if (strcspn(ptr, "\\&!?\"'<>%^(){}[];,") != (size_t)len) {
-                fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
-                exit(1);
-        }
-}
 
 
 uid_t get_group_id(const char *group) {
@@ -786,30 +991,136 @@ static int remove_callback(const char *fpath, const struct stat *sb, int typefla
         (void) sb;
         (void) typeflag;
         (void) ftwbuf;
+        assert(fpath);
 
-        int rv = remove(fpath);
-        if (rv)
-                perror(fpath);
+        if (strcmp(fpath, ".") == 0)
+                return 0;
 
-        return rv;
+        if (remove(fpath)) {    // removes the link not the actual file
+                perror("remove");
+                fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath);
+                exit(1);
+        }
+
+        return 0;
 }
 
 
-int remove_directory(const char *path) {
-        // FTW_PHYS - do not follow symbolic links
-        return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
+int remove_overlay_directory(void) {
+        EUID_ASSERT();
+        sleep(1);
+
+        char *path;
+        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+
+        if (access(path, F_OK) == 0) {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // open ~/.firejail
+                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+                        if (fd == -1) {
+                                fprintf(stderr, "Error: cannot open %s\n", path);
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (fstat(fd, &s) == -1)
+                                errExit("fstat");
+                        if (!S_ISDIR(s.st_mode)) {
+                                if (S_ISLNK(s.st_mode))
+                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
+                                else
+                                        fprintf(stderr, "Error: %s is not a directory\n", path);
+                                exit(1);
+                        }
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+                                exit(1);
+                        }
+                        // chdir to ~/.firejail
+                        if (fchdir(fd) == -1)
+                                errExit("fchdir");
+                        close(fd);
+
+                        EUID_ROOT();
+                        // FTW_PHYS - do not follow symbolic links
+                        if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
+                                errExit("nftw");
+
+                        EUID_USER();
+                        // remove ~/.firejail
+                        if (rmdir(path) == -1)
+                                errExit("rmdir");
+
+                        __gcov_flush();
+
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                // check if ~/.firejail was deleted
+                if (access(path, F_OK) == 0)
+                        return 1;
+        }
+        return 0;
 }
 
+// flush stdin if it is connected to a tty and has input
 void flush_stdin(void) {
-        if (isatty(STDIN_FILENO)) {
-                int cnt = 0;
-                int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
-                if (rv == 0 && cnt) {
-                        fwarning("removing %d bytes from stdin\n", cnt);
-                        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
-                        (void) rv;
+        if (!isatty(STDIN_FILENO))
+                return;
+
+        int cnt = 0;
+        int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
+        if (rv != 0 || cnt == 0)
+                return;
+
+        fwarning("removing %d bytes from stdin\n", cnt);
+
+        // If this process is backgrounded, below ioctl() will trigger
+        // SIGTTOU and stop us. We avoid this by ignoring SIGTTOU for
+        // the duration of the ioctl.
+        sighandler_t hdlr = signal(SIGTTOU, SIG_IGN);
+        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+        signal(SIGTTOU, hdlr);
+
+        if (rv)
+                fwarning("Flushing stdin failed: %s\n", strerror(errno));
+}
+
+// return 1 if new directory was created, else return 0
+int create_empty_dir_as_user(const char *dir, mode_t mode) {
+        assert(dir);
+        mode &= 07777;
+
+        if (access(dir, F_OK) != 0) {
+                if (arg_debug)
+                        printf("Creating empty %s directory\n", dir);
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+
+                        if (mkdir(dir, mode) == 0) {
+                                int err = chmod(dir, mode);
+                                (void) err;
+                        }
+                        else if (arg_debug)
+                                printf("Directory %s not created: %s\n", dir, strerror(errno));
+
+                        __gcov_flush();
+
+                        _exit(0);
                 }
+                waitpid(child, NULL, 0);
+                if (access(dir, F_OK) == 0)
+                        return 1;
         }
+        return 0;
 }
 
 void create_empty_dir_as_root(const char *dir, mode_t mode) {
@@ -839,15 +1150,14 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
         if (stat(fname, &s)) {
                 if (arg_debug)
                         printf("Creating empty %s file\n", fname);
-
                 /* coverity[toctou] */
-                FILE *fp = fopen(fname, "w");
+                // don't fail if file already exists. This can be the case in a race
+                // condition, when two jails launch at the same time. Compare to #1013
+                FILE *fp = fopen(fname, "we");
                 if (!fp)
                         errExit("fopen");
-                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR);
+                SET_PERMS_STREAM(fp, 0, 0, mode);
                 fclose(fp);
-                if (chmod(fname, mode) == -1)
-                        errExit("chmod");
         }
 }
 
@@ -899,44 +1209,311 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
         ASSERT_PERMS(fname, uid, gid, mode);
 }
 
-char *read_text_file_or_exit(const char *fname) {
-        assert(fname);
-
-        // open file
-        int fd = open(fname, O_RDONLY);
-        if (fd == -1) {
-                fprintf(stderr, "Error: cannot read %s\n", fname);
+unsigned extract_timeout(const char *str) {
+        unsigned s;
+        unsigned m;
+        unsigned h;
+        int rv = sscanf(str, "%02u:%02u:%02u", &h, &m, &s);
+        if (rv != 3) {
+                fprintf(stderr, "Error: invalid timeout, please use a hh:mm:ss format\n");
+                exit(1);
+        }
+        unsigned timeout = h * 3600 + m * 60 + s;
+        if (timeout == 0) {
+                fprintf(stderr, "Error: invalid timeout\n");
                 exit(1);
         }
 
-        int size = lseek(fd, 0, SEEK_END);
-        if (size == -1)
-                goto errexit;
-        if (lseek(fd, 0 , SEEK_SET) == -1)
-                goto errexit;
-
-        // allocate memory
-        char *data = malloc(size + 1);    // + '\0'
-        if (data == NULL)
-                goto errexit;
-        memset(data, 0, size + 1);
-
-        // read file
-        int rd = 0;
-        while (rd < size) {
-                int rv = read(fd, (unsigned char *) data + rd, size - rd);
-                if (rv == -1) {
-                        goto errexit;
-                }
-                rd += rv;
+        return timeout;
+}
+
+void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
+        assert(fname);
+
+        EUID_USER();
+        int fd = open(fname, O_PATH|O_CLOEXEC);
+        EUID_ROOT();
+        if (fd < 0)
+                return;
+
+        struct stat s;
+        if (fstat(fd, &s) < 0) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                return;
         }
 
-        // close file
+        if (arg_debug)
+                printf("blacklist %s\n", fname);
+        if (S_ISDIR(s.st_mode)) {
+                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
+                        errExit("disable directory");
+        }
+        else {
+                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
+                        errExit("disable file");
+        }
         close(fd);
-        return data;
+        fs_logger2("blacklist", fname);
+}
+
+void disable_file_path(const char *path, const char *file) {
+        assert(file);
+        assert(path);
 
-errexit:
+        char *fname;
+        if (asprintf(&fname, "%s/%s", path, file) == -1)
+                errExit("asprintf");
+
+        disable_file_or_dir(fname);
+        free(fname);
+}
+
+// open an existing file without following any symbolic link
+// relative paths are interpreted relative to dirfd
+// ignore dirfd if path is absolute
+// https://web.archive.org/web/20180419120236/https://blogs.gnome.org/jamesh/2018/04/19/secure-mounts
+int safer_openat(int dirfd, const char *path, int flags) {
+        assert(path && path[0]);
+        flags |= O_NOFOLLOW;
+
+        int fd = -1;
+
+#ifdef __NR_openat2 // kernel 5.6 or better
+        struct open_how oh;
+        memset(&oh, 0, sizeof(oh));
+        oh.flags = flags;
+        oh.resolve = RESOLVE_NO_SYMLINKS;
+        fd = syscall(__NR_openat2, dirfd, path, &oh, sizeof(struct open_how));
+        if (fd != -1 || errno != ENOSYS)
+                return fd;
+#endif
+
+        // openat2 syscall is not available, traverse path and
+        // check each component if it is a symbolic link or not
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
+        char *tok = strtok(dup, "/");
+        if (!tok) { // nothing to do, path is the root directory
+                free(dup);
+                return openat(dirfd, path, flags);
+        }
+        char *last_tok = EMPTY_STRING;
+
+        int parentfd;
+        if (path[0] == '/')
+                parentfd = open("/", O_PATH|O_CLOEXEC);
+        else
+                parentfd = fcntl(dirfd, F_DUPFD_CLOEXEC, 0);
+        if (parentfd == -1)
+                errExit("open/fcntl");
+
+        while (1) {
+                // open path component, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link
+                // if token is a single dot, the directory referred to by parentfd is reopened
+                fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (fd == -1) {
+                        // if the following token is NULL, the current token is the final path component
+                        // try again to open it, this time using the passed flags, and return -1 or the descriptor
+                        last_tok = tok;
+                        tok = strtok(NULL, "/");
+                        if (!tok)
+                                fd = openat(parentfd, last_tok, flags);
+                        close(parentfd);
+                        free(dup);
+                        return fd;
+                }
+                // move on to next path component
+                last_tok = tok;
+                tok = strtok(NULL, "/");
+                if (!tok)
+                        break;
+                close(parentfd);
+                parentfd = fd;
+        }
+        // getting here when the last path component exists and is of file type directory
+        // reopen it using the passed flags
         close(fd);
-        fprintf(stderr, "Error: cannot read %s\n", fname);
-        exit(1);
+        fd = openat(parentfd, last_tok, flags);
+        close(parentfd);
+        free(dup);
+        return fd;
+}
+
+int remount_by_fd(int dst, unsigned long mountflags) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(NULL, proc, NULL, mountflags|MS_BIND|MS_REMOUNT, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_by_fd(int src, int dst) {
+        char *proc_src, *proc_dst;
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) < 0 ||
+            asprintf(&proc_dst, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc_src);
+        free(proc_dst);
+        return rv;
+}
+
+int bind_mount_fd_to_path(int src, const char *destname) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", src) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc, destname, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_path_to_fd(const char *srcname, int dst) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(srcname, proc, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int has_handler(pid_t pid, int signal) {
+        if (signal > 0 && signal <= SIGRTMAX) {
+                char *fname;
+                if (asprintf(&fname, "/proc/%d/status", pid) == -1)
+                        errExit("asprintf");
+                EUID_ROOT();
+                FILE *fp = fopen(fname, "re");
+                EUID_USER();
+                free(fname);
+                if (fp) {
+                        char buf[BUFLEN];
+                        while (fgets(buf, BUFLEN, fp)) {
+                                if (strncmp(buf, "SigCgt:", 7) == 0) {
+                                        unsigned long long val;
+                                        if (sscanf(buf + 7, "%llx", &val) != 1) {
+                                                fprintf(stderr, "Error: cannot read /proc file\n");
+                                                exit(1);
+                                        }
+                                        val >>= (signal - 1);
+                                        val &= 1ULL;
+                                        fclose(fp);
+                                        return val;  // 1 if process has a handler for the signal, else 0
+                                }
+                        }
+                        fclose(fp);
+                }
+        }
+        return 0;
+}
+
+void enter_network_namespace(pid_t pid) {
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid_t child = switch_to_child(pid);
+
+        // exit if no permission to join the sandbox
+        check_join_permission(child);
+
+        // check network namespace
+        char *name;
+        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(name, &s) == -1) {
+                fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
+                exit(1);
+        }
+
+        // join the namespace
+        EUID_ROOT();
+        if (join_namespace(child, "net")) {
+                fprintf(stderr, "Error: cannot join the network namespace\n");
+                exit(1);
+        }
+}
+
+// return 1 if error, 0 if a valid pid was found
+static int extract_pid(const char *name, pid_t *pid) {
+        int retval = 0;
+        EUID_ASSERT();
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+
+        EUID_ROOT();
+        if (name2pid(name, pid)) {
+                retval = 1;
+        }
+        EUID_USER();
+        return retval;
+}
+
+// return 1 if error, 0 if a valid pid was found
+int read_pid(const char *name, pid_t *pid) {
+        char *endptr;
+        errno = 0;
+        long int pidtmp = strtol(name, &endptr, 10);
+        if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN))
+                || (errno != 0 && pidtmp == 0)) {
+                return extract_pid(name,pid);
+        }
+        // endptr points to '\0' char in name if the entire string is valid
+        if (endptr == NULL || endptr[0]!='\0') {
+                return extract_pid(name,pid);
+        }
+        *pid =(pid_t)pidtmp;
+        return 0;
+}
+
+pid_t require_pid(const char *name) {
+        pid_t pid;
+        if (read_pid(name,&pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        return pid;
+}
+
+// return 1 if there is a link somewhere in path of directory
+static int has_link(const char *dir) {
+        assert(dir);
+        int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd != -1)
+                close(fd);
+        else if (errno == ELOOP || (errno == ENOTDIR && is_dir(dir)))
+                return 1;
+        return 0;
+}
+
+void check_homedir(const char *dir) {
+        assert(dir);
+        if (dir[0] != '/') {
+                fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
+                exit(1);
+        }
+        // symlinks are rejected in many places
+        if (has_link(dir))
+                fmessage("No full support for symbolic links in path of user directory.\n"
+                        "Please provide resolved path in password database (/etc/passwd).\n\n");
 }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index d41f46d93..896aa2fd3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,9 +20,9 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/statvfs.h>
 #include <sys/socket.h>
 #include <sys/un.h>
-#include <fcntl.h>
 #include <unistd.h>
 #include <signal.h>
 #include <stdlib.h>
@@ -32,10 +32,16 @@
 #include <errno.h>
 #include <limits.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+
 // Parse the DISPLAY environment variable and return a display number.
 // Returns -1 if DISPLAY is not set, or is set to anything other than :ddd.
 int x11_display(void) {
-        const char *display_str = getenv("DISPLAY");
+        const char *display_str = env_get("DISPLAY");
         char *endp;
         unsigned long display;
 
@@ -78,7 +84,7 @@ int x11_display(void) {
 static int x11_abstract_sockets_present(void) {
 
         EUID_ROOT();                              // grsecurity fix
-        FILE *fp = fopen("/proc/net/unix", "r");
+        FILE *fp = fopen("/proc/net/unix", "re");
         if (!fp)
                 errExit("fopen");
         EUID_USER();
@@ -198,13 +204,12 @@ static int random_display_number(void) {
 void x11_start_xvfb(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
-        setenv("FIREJAIL_X11", "yes", 1);
+        env_store_name_val("FIREJAIL_X11", "yes", SETENV);
 
-        // mever try to run X servers as root!!!
+        // never try to run X servers as root!!!
         if (getuid() == 0) {
                 fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                 exit(1);
@@ -216,6 +221,7 @@ void x11_start_xvfb(int argc, char **argv) {
                 fprintf(stderr, "\nError: Xvfb program was not found in /usr/bin directory, please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xvfb\n");
                 fprintf(stderr, "   Arch: sudo pacman -S xorg-server-xvfb\n");
+                fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-server-Xvfb\n");
                 exit(0);
         }
 
@@ -226,7 +232,7 @@ void x11_start_xvfb(int argc, char **argv) {
 
         assert(xvfb_screen);
 
-        char *server_argv[256] = {                // rest initialyzed to NULL
+        char *server_argv[256] = {                // rest initialized to NULL
                 "Xvfb", display_str, "-screen", "0", xvfb_screen
         };
         unsigned pos = 0;
@@ -304,7 +310,7 @@ void x11_start_xvfb(int argc, char **argv) {
 
         if (arg_debug) {
                 size_t i = 0;
-                printf("\n*** Stating xvfb client:");
+                printf("\n*** Starting xvfb client:");
                 while (jail_argv[i]!=NULL) {
                         printf(" \"%s\"", jail_argv[i]);
                         i++;
@@ -319,7 +325,11 @@ void x11_start_xvfb(int argc, char **argv) {
                 if (arg_debug)
                         printf("Starting xvfb...\n");
 
+                // restore original environment variables
+                env_apply_all();
+
                 // running without privileges - see drop_privs call above
+                assert(env_get("LD_PRELOAD") == NULL);
                 assert(getenv("LD_PRELOAD") == NULL);
                 execvp(server_argv[0], server_argv);
                 perror("execvp");
@@ -337,7 +347,7 @@ void x11_start_xvfb(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -347,23 +357,20 @@ void x11_start_xvfb(int argc, char **argv) {
         }
         free(fname);
 
-        if (arg_debug) {
-                printf("X11 sockets: "); fflush(0);
-                int rv = system("ls /tmp/.X11-unix");
-                (void) rv;
-        }
-
         assert(display_str);
-        setenv("DISPLAY", display_str, 1);
+        env_store_name_val("DISPLAY", display_str, SETENV);
         // run attach command
         jail = fork();
         if (jail < 0)
                 errExit("fork");
         if (jail == 0) {
-                if (!arg_quiet)
-                        printf("\n*** Attaching to Xvfb display %d ***\n\n", display);
+                fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display);
+
+                // restore original environment variables
+                env_apply_all();
 
                 // running without privileges - see drop_privs call above
+                assert(env_get("LD_PRELOAD") == NULL);
                 assert(getenv("LD_PRELOAD") == NULL);
                 execvp(jail_argv[0], jail_argv);
                 perror("execvp");
@@ -419,16 +426,15 @@ static char *extract_setting(int argc, char **argv, const char *argument) {
 void x11_start_xephyr(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
-        // default xephyr screen can be overwriten by a --xephyr-screen= command line option
+        // default xephyr screen can be overwritten by a --xephyr-screen= command line option
         char *newscreen = extract_setting(argc, argv, "--xephyr-screen=");
         if (newscreen)
                 xephyr_screen = newscreen;
 
-        setenv("FIREJAIL_X11", "yes", 1);
+        env_store_name_val("FIREJAIL_X11", "yes", SETENV);
 
         // unfortunately, xephyr does a number of weird things when started by root user!!!
         if (getuid() == 0) {
@@ -442,6 +448,7 @@ void x11_start_xephyr(int argc, char **argv) {
                 fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
                 fprintf(stderr, "   Arch: sudo pacman -S xorg-server-xephyr\n");
+                fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-server-Xephyr\n");
                 exit(0);
         }
 
@@ -451,7 +458,7 @@ void x11_start_xephyr(int argc, char **argv) {
                 errExit("asprintf");
 
         assert(xephyr_screen);
-        char *server_argv[256] = {                // rest initialyzed to NULL
+        char *server_argv[256] = {                // rest initialized to NULL
                 "Xephyr", "-ac", "-br", "-noreset", "-screen", xephyr_screen
         };
         unsigned pos = 0;
@@ -515,7 +522,7 @@ void x11_start_xephyr(int argc, char **argv) {
         assert(pos < (sizeof(server_argv)/sizeof(*server_argv)));
         assert(server_argv[pos-1] == NULL);       // last element is null
 
-        if (arg_debug) {
+        {
                 size_t i = 0;
                 printf("\n*** Starting xephyr server:");
                 while (server_argv[i]!=NULL) {
@@ -555,7 +562,11 @@ void x11_start_xephyr(int argc, char **argv) {
                 if (arg_debug)
                         printf("Starting xephyr...\n");
 
+                // restore original environment variables
+                env_apply_all();
+
                 // running without privileges - see drop_privs call above
+                assert(env_get("LD_PRELOAD") == NULL);
                 assert(getenv("LD_PRELOAD") == NULL);
                 execvp(server_argv[0], server_argv);
                 perror("execvp");
@@ -573,7 +584,7 @@ void x11_start_xephyr(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -583,14 +594,8 @@ void x11_start_xephyr(int argc, char **argv) {
         }
         free(fname);
 
-        if (arg_debug) {
-                printf("X11 sockets: "); fflush(0);
-                int rv = system("ls /tmp/.X11-unix");
-                (void) rv;
-        }
-
         assert(display_str);
-        setenv("DISPLAY", display_str, 1);
+        env_store_name_val("DISPLAY", display_str, SETENV);
         // run attach command
         jail = fork();
         if (jail < 0)
@@ -599,8 +604,12 @@ void x11_start_xephyr(int argc, char **argv) {
                 if (!arg_quiet)
                         printf("\n*** Attaching to Xephyr display %d ***\n\n", display);
 
+                // restore original environment variables
+                env_apply_all();
+
                 // running without privileges - see drop_privs call above
                 assert(getenv("LD_PRELOAD") == NULL);
+                assert(env_get("LD_PRELOAD") == NULL);
                 execvp(jail_argv[0], jail_argv);
                 perror("execvp");
                 _exit(1);
@@ -630,15 +639,71 @@ void x11_start_xephyr(int argc, char **argv) {
 }
 
 
-void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
+// this function returns the string that will appear in the window title when xpra is being used
+// this string may include one of these items:
+// *  the "--name" argument, if specified
+// *  the basename portion of the "--private" directory, if specified
+// note: the malloc() is leaking, but this is a small string allocated one time only during startup, so don't care
+static char * get_title_arg_str() {
+
+        char * title_arg_str = NULL;
+
+        const char * title_start = "--title=firejail x11 sandbox";
+        const char * title_sep = " ";
+
+        // use the "--name" argument if it was explicitly specified
+        if ((cfg.name != NULL) && (strlen(cfg.name) > 0)) {
+
+                title_arg_str = malloc(strlen(title_start) + strlen(title_sep) + strlen(cfg.name) + 1);
+                if (title_arg_str == NULL) {
+                        fprintf(stderr, "Error: malloc() failed to allocate memory\n");
+                        exit(1);
+                }
+
+                strcpy(title_arg_str, title_start);
+                strcat(title_arg_str, title_sep);
+                strcat(title_arg_str, cfg.name);
+        }
+
+        // use the "--private" argument if it was explicitly specified
+        else if ((cfg.home_private != NULL) && (strlen(cfg.home_private) > 0)) {
+
+                const char * base_out = gnu_basename(cfg.home_private);
+
+                title_arg_str = malloc(strlen(title_start) + strlen(title_sep) + strlen(base_out) + 1);
+                if (title_arg_str == NULL) {
+                        fprintf(stderr, "Error: malloc() failed to allocate memory\n");
+                        exit(1);
+                }
+
+                strcpy(title_arg_str, title_start);
+                strcat(title_arg_str, title_sep);
+                strcat(title_arg_str, base_out);
+        }
+
+        // default
+        else {
+                title_arg_str = malloc(strlen(title_start) + 1);
+                if (title_arg_str == NULL) {
+                        fprintf(stderr, "Error: malloc() failed to allocate memory\n");
+                        exit(1);
+                }
+
+                strcpy(title_arg_str, title_start);
+        }
+
+        return title_arg_str;
+}
+
+
+static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t client = 0;
         pid_t server = 0;
 
         // build the start command
-        char *server_argv[256] = {                // rest initialyzed to NULL
+        char *server_argv[256] = {                // rest initialized to NULL
                 "xpra", "start", display_str, "--no-daemon",
         };
         unsigned pos = 0;
@@ -728,8 +793,12 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                         dup2(fd_null,2);
                 }
 
+                // restore original environment variables
+                env_apply_all();
+
                 // running without privileges - see drop_privs call above
                 assert(getenv("LD_PRELOAD") == NULL);
+                assert(env_get("LD_PRELOAD") == NULL);
                 execvp(server_argv[0], server_argv);
                 perror("execvp");
                 _exit(1);
@@ -746,7 +815,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         }
 
@@ -756,14 +825,11 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         }
         free(fname);
 
-        if (arg_debug) {
-                printf("X11 sockets: "); fflush(0);
-                int rv = system("ls /tmp/.X11-unix");
-                (void) rv;
-        }
-
         // build attach command
-        char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL };
+
+        char * title_arg_str = get_title_arg_str();
+
+        char *attach_argv[] = { "xpra", title_arg_str, "attach", display_str, NULL };
 
         // run attach command
         client = fork();
@@ -776,10 +842,13 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                         dup2(fd_null,2);
                 }
 
-                if (!arg_quiet)
-                        printf("\n*** Attaching to xpra display %d ***\n\n", display);
+                fmessage("\n*** Attaching to xpra display %d ***\n\n", display);
+
+                // restore original environment variables
+                env_apply_all();
 
                 // running without privileges - see drop_privs call above
+                assert(env_get("LD_PRELOAD") == NULL);
                 assert(getenv("LD_PRELOAD") == NULL);
                 execvp(attach_argv[0], attach_argv);
                 perror("execvp");
@@ -787,7 +856,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         }
 
         assert(display_str);
-        setenv("DISPLAY", display_str, 1);
+        env_store_name_val("DISPLAY", display_str, SETENV);
 
         // build jail command
         char *firejail_argv[argc+2];
@@ -809,15 +878,19 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                 errExit("fork");
         if (jail == 0) {
                 // running without privileges - see drop_privs call above
+                assert(env_get("LD_PRELOAD") == NULL);
                 assert(getenv("LD_PRELOAD") == NULL);
+
+                // restore original environment variables
+                env_apply_all();
+
                 if (firejail_argv[0])             // shut up llvm scan-build
                         execvp(firejail_argv[0], firejail_argv);
                 perror("execvp");
                 exit(1);
         }
 
-        if (!arg_quiet)
-                printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail);
+        fmessage("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail);
 
         sleep(1);                                 // adding a delay in order to let the server start
 
@@ -836,7 +909,12 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
                                         dup2(fd_null,1);
                                         dup2(fd_null,2);
                                 }
+
+                                // restore original environment variables
+                                env_apply_all();
+
                                 // running without privileges - see drop_privs call above
+                                assert(env_get("LD_PRELOAD") == NULL);
                                 assert(getenv("LD_PRELOAD") == NULL);
                                 execvp(stop_argv[0], stop_argv);
                                 perror("execvp");
@@ -853,7 +931,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 
                         if (arg_debug) {
                                 if (n == 10)
-                                        printf("failed to stop xpra server gratefully\n");
+                                        printf("failed to stop xpra server gracefully\n");
                                 else
                                         printf("xpra server successfully stopped in %d secs\n", n);
                         }
@@ -874,13 +952,13 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 }
 
 
-void x11_start_xpra_new(int argc, char **argv, char *display_str) {
+static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv, char *display_str) {
         EUID_ASSERT();
         int i;
         pid_t server = 0;
 
         // build the start command
-        char *server_argv[256] = {                // rest initialyzed to NULL
+        char *server_argv[256] = {                // rest initialized to NULL
                 "xpra", "start", display_str, "--daemon=no", "--attach=yes", "--exit-with-children=yes"
         };
         unsigned spos = 0;
@@ -908,9 +986,9 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
 
         strcpy(start_child,start_child_prefix);
         for(i = 0; (unsigned) i < fpos; i++) {
-                strncat(start_child,firejail_argv[i],strlen(firejail_argv[i]));
+                strcat(start_child,firejail_argv[i]);
                 if((unsigned) i != fpos - 1)
-                        strncat(start_child," ",strlen(" "));
+                        strcat(start_child," ");
         }
 
         server_argv[spos++] = start_child;
@@ -965,6 +1043,8 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
                 }
         }
 
+        server_argv[spos++] = NULL;
+
         assert((int) fpos < (argc+2));
         assert(!firejail_argv[fpos]);
                                                   // no overrun
@@ -1002,7 +1082,11 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
                         dup2(fd_null,2);
                 }
 
+                // restore original environment variables
+                env_apply_all();
+
                 // running without privileges - see drop_privs call above
+                assert(env_get("LD_PRELOAD") == NULL);
                 assert(getenv("LD_PRELOAD") == NULL);
                 execvp(server_argv[0], server_argv);
                 perror("execvp");
@@ -1023,7 +1107,7 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) {
 void x11_start_xpra(int argc, char **argv) {
         EUID_ASSERT();
 
-        setenv("FIREJAIL_X11", "yes", 1);
+        env_store_name_val("FIREJAIL_X11", "yes", SETENV);
 
         // unfortunately, xpra does a number of weird things when started by root user!!!
         if (getuid() == 0) {
@@ -1036,6 +1120,8 @@ void x11_start_xpra(int argc, char **argv) {
         if (!program_in_path("xpra")) {
                 fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
+                fprintf(stderr, "   Arch: sudo pacman -S xpra\n");
+                fprintf(stderr, "   Fedora: sudo dnf install xpra\n");
                 exit(0);
         }
 
@@ -1043,7 +1129,7 @@ void x11_start_xpra(int argc, char **argv) {
         char *display_str;
         if (asprintf(&display_str, ":%d", display) == -1)
                 errExit("asprintf");
-        
+
         if (checkcfg(CFG_XPRA_ATTACH))
                 x11_start_xpra_new(argc, argv, display_str);
         else
@@ -1069,152 +1155,161 @@ void x11_start(int argc, char **argv) {
                 fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xpra\n");
                 fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n");
+                fprintf(stderr, "   Arch: sudo pacman -S xpra\n");
+                fprintf(stderr, "   Arch: sudo pacman -S xorg-server-xephyr\n");
+                fprintf(stderr, "   Fedora: sudo dnf install xpra\n");
+                fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-server-Xephyr\n");
                 exit(0);
         }
 }
 #endif
 
-// Porting notes:
-//
-// 1. merge #1100 from zackw:
-//     Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8
-//     with this message:
-//            xauth:  timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4
-//            Failed to create untrusted X cookie: xauth: exit 1
-//     For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was
-//     a partial merge.
-//
-// 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home
-// directory, we need to make sure /usr/bin/xauth executable is the real thing, and not
-// something picked up on $PATH.
-//
-// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens
-// when using a network namespace. Somehow, xauth tries to connect to the abstract socket,
-// and it fails because of the network namespace - it should try to connect to the regular
-// Unix socket! If we ignore the fail condition, the program will be started on X server without
-// the security extension loaded.
+
 void x11_xorg(void) {
 #ifdef HAVE_X11
 
-        // check xauth utility is present in the system
-        struct stat s;
-        if (stat("/usr/bin/xauth", &s) == -1) {
-                fprintf(stderr, "Error: xauth utility not found in PATH.  Please install it:\n"
-                        "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
-                exit(1);
-        }
-        if (s.st_uid != 0 && s.st_gid != 0) {
-                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
-                exit(1);
-        }
-
         // get DISPLAY env
-        char *display = getenv("DISPLAY");
+        const char *display = env_get("DISPLAY");
         if (!display) {
                 fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr);
                 exit(1);
         }
 
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
-                errExit("mounting /tmp");
-
-        // create the temporary .Xauthority file
-        if (arg_debug)
-                printf("Generating a new .Xauthority file\n");
-        char tmpfname[] = "/tmp/.tmpXauth-XXXXXX";
-        int fd = mkstemp(tmpfname);
-        if (fd == -1) {
-                fprintf(stderr, "Error: cannot create .Xauthority file\n");
+        // check xauth utility is present in the system
+        struct stat s;
+        if (stat("/usr/bin/xauth", &s) == -1) {
+                fprintf(stderr, "Error: xauth utility not found in /usr/bin. Please install it:\n");
+                fprintf(stderr, "   Debian/Ubuntu/Mint: sudo apt-get install xauth\n");
+                fprintf(stderr, "   Arch: sudo pacman -S xorg-xauth\n");
+                fprintf(stderr, "   Fedora: sudo dnf install xorg-x11-xauth\n");
                 exit(1);
         }
-        if (fchown(fd, getuid(), getgid()) == -1)
-                errExit("chown");
-        close(fd);
-
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                drop_privs(1);
-                clearenv();
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname,
-                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
-
-                _exit(127);
-        }
-
-        // wait for the xauth process to finish
-        int status;
-        if (waitpid(child, &status, 0) != child)
-                errExit("waitpid");
-        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
-                /* success */
-        }
-        else if (WIFEXITED(status)) {
-                fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n",
-                        WEXITSTATUS(status));
+        if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) {
+                fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n");
                 exit(1);
         }
-        else if (WIFSIGNALED(status)) {
-                fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n",
-                        strsignal(WTERMSIG(status)));
+        if (s.st_size > 1024 * 1024) {
+                fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n");
                 exit(1);
         }
-        else {
-                fprintf(stderr, "Failed to create untrusted X cookie: "
-                        "xauth: un-decodable exit status %04x\n", status);
+        // copy /usr/bin/xauth in the sandbox and set mode to 0711
+        // users are not able to trace the running xauth this way
+        if (arg_debug)
+                printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE);
+        if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) {
+                fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n");
                 exit(1);
         }
 
-        // ensure the file has the correct permissions and move it
-        // into the correct location.
-        if (stat(tmpfname, &s) == -1) {
-                fprintf(stderr, "Error: .Xauthority file was not created\n");
+        fmessage("Generating a new .Xauthority file\n");
+        mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
+        // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
+        EUID_USER();
+        char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX";
+        int fd = mkstemp(tmpfname);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot create .Xauthority file\n");
                 exit(1);
         }
-        if (set_perms(tmpfname, getuid(), getgid(), 0600))
-                errExit("set_perms");
+        close(fd);
 
-        // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
-        // automatically when the sandbox is closed (rename doesn't work)
-                                                  // root needed
-        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
-                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
-                exit(1);
-        }
-        if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600))
-                errExit("set_perms");
-        /* coverity[toctou] */
-        unlink(tmpfname);
-        umount("/tmp");
+        // run xauth
+        if (arg_debug)
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 8, RUN_XAUTH_FILE, "-v", "-f", tmpfname,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
+        else
+                sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname,
+                        "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
 
-        // Ensure there is already a file in the usual location, so that bind-mount below will work.
-        // todo: fix TOCTOU races, currently managed by imposing /usr/bin/xauth as executable
+        // ensure there is already a file ~/.Xauthority, so that bind-mount below will work.
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (stat(dest, &s) == -1) {
-                // create an .Xauthority file
-                touch_file_as_user(dest, getuid(), getgid(), 0600);
+        if (access(dest, F_OK) == -1) {
+                touch_file_as_user(dest, 0600);
+                if (access(dest, F_OK) == -1) {
+                        fprintf(stderr, "Error: cannot create %s\n", dest);
+                        exit(1);
+                }
         }
-        if (is_link(dest)) {
-                fprintf(stderr, "Error: .Xauthority is a symbolic link\n");
+        // get a file descriptor for ~/.Xauthority
+        int dst = safer_openat(-1, dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (dst == -1)
+                errExit("safer_openat");
+        // check if the actual mount destination is a user owned regular file
+        if (fstat(dst, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode) || s.st_uid != getuid()) {
+                if (S_ISLNK(s.st_mode))
+                        fprintf(stderr, "Error: .Xauthority is a symbolic link\n");
+                else
+                        fprintf(stderr, "Error: .Xauthority is not a user owned regular file\n");
                 exit(1);
         }
+        // preserve a read-only mount
+        struct statvfs vfs;
+        if (fstatvfs(dst, &vfs) == -1)
+                errExit("fstatvfs");
+        if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
+                fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_READONLY, 0);
 
-        // mount
-        if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) {
+        // always mounting the new Xauthority file noexec,nodev,nosuid
+        fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_NOEXEC, 0);
+
+        // get a file descriptor for the new Xauthority file
+        int src = safer_openat(-1, tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src == -1)
+                errExit("safer_openat");
+        if (fstat(src, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                errno = EPERM;
+                errExit("mounting Xauthority file");
+        }
+
+        // mount via the link in /proc/self/fd
+        if (arg_debug)
+                printf("Mounting %s on %s\n", tmpfname, dest);
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst)) {
                 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                 exit(1);
         }
-        // just  in case...
-        if (set_perms(dest, getuid(), getgid(), 0600))
-                errExit("set_perms");
+        EUID_USER();
+        // check /proc/self/mountinfo to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
+                errLogExit("invalid .Xauthority mount");
+        close(src);
+        close(dst);
+
+        ASSERT_PERMS(dest, getuid(), getgid(), 0600);
+
+        // blacklist user .Xauthority file if it is not masked already
+        const char *envar = env_get("XAUTHORITY");
+        if (envar) {
+                char *rp = realpath(envar, NULL);
+                if (rp) {
+                        if (strcmp(rp, dest) != 0) {
+                                EUID_ROOT();
+                                disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
+                        free(rp);
+                }
+        }
+        // set environment variable
+        env_store_name_val("XAUTHORITY", dest, SETENV);
         free(dest);
+
+        // mask RUN_XAUTHORITY_SEC_DIR
+        EUID_ROOT();
+        if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR);
+
+        // cleanup
+        unlink(RUN_XAUTH_FILE);
 #endif
 }
 
@@ -1225,60 +1320,58 @@ void fs_x11(void) {
         if (display <= 0)
                 return;
 
+        struct stat s1, s2;
+        if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0)
+                return;
+        if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
+                fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n");
+                return;
+        }
+        if (s2.st_uid != 0) {
+                fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n");
+                return;
+        }
+
+        // the mount source is under control of the user, so be careful and
+        // mount without following symbolic links, using a file descriptor
         char *x11file;
         if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
                 errExit("asprintf");
-        struct stat x11stat;
-        if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) {
+        int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src < 0) {
+                free(x11file);
+                return;
+        }
+        struct stat s3;
+        if (fstat(src, &s3) < 0)
+                errExit("fstat");
+        if (!S_ISSOCK(s3.st_mode)) {
+                close(src);
                 free(x11file);
                 return;
         }
 
         if (arg_debug || arg_debug_whitelists)
                 fprintf(stderr, "Masking all X11 sockets except %s\n", x11file);
-
-        // Move the real /tmp/.X11-unix to a scratch location
-        // so we can still access x11file after we mount a
-        // tmpfs over /tmp/.X11-unix.
-        int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700);
-        if (rv == -1)
-                errExit("mkdir");
-        if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700))
-                errExit("set_perms");
-
-        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
-                errExit("mount bind");
-
-        // This directory must be mode 1777, or Xlib will barf.
+        // This directory must be mode 1777
         if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
-                MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,
+                MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
                 "mode=1777,uid=0,gid=0") < 0)
                 errExit("mounting tmpfs on /tmp/.X11-unix");
+        selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix");
         fs_logger("tmpfs /tmp/.X11-unix");
 
-        // create an empty file which will have the desired socket bind-mounted over it
-        int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT);
-        if (fd < 0)
-                errExit(x11file);
-        if (fchown(fd, x11stat.st_uid, x11stat.st_gid))
-                errExit("fchown");
-        close(fd);
+        // create an empty root-owned file which will have the desired socket bind-mounted over it
+        int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (dst < 0)
+                errExit("open");
 
-        // do the mount
-        char *wx11file;
-        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-                errExit("asprintf");
-        if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
+        close(src);
+        close(dst);
         fs_logger2("whitelist", x11file);
-
         free(x11file);
-        free(wx11file);
-
-        // block access to RUN_WHITELIST_X11_DIR
-        if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
-                errExit("mount");
-        fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
 #endif
 }
 
@@ -1286,7 +1379,7 @@ void fs_x11(void) {
 void x11_block(void) {
 #ifdef HAVE_X11
         // check abstract socket presence and network namespace options
-        if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
+        if ((!arg_nonetwork && !arg_netns && !cfg.bridge0.configured && !cfg.interface0.configured)
         && x11_abstract_sockets_present()) {
                 fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n"
                         "Additional setup required. To block abstract X11 socket you can either:\n"
@@ -1297,13 +1390,19 @@ void x11_block(void) {
         }
 
         // blacklist sockets
-        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
-        profile_add(strdup("blacklist /tmp/.X11-unix"));
+        char *cmd = strdup("blacklist /tmp/.X11-unix");
+        if (!cmd)
+                errExit("strdup");
+        profile_check_line(cmd, 0, NULL);
+        profile_add(cmd);
 
         // blacklist .Xauthority
-        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
-        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
-        char *xauthority = getenv("XAUTHORITY");
+        cmd = strdup("blacklist ${HOME}/.Xauthority");
+        if (!cmd)
+                errExit("strdup");
+        profile_check_line(cmd, 0, NULL);
+        profile_add(cmd);
+        const char *xauthority = env_get("XAUTHORITY");
         if (xauthority) {
                 char *line;
                 if (asprintf(&line, "blacklist %s", xauthority) == -1)
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index c24bae9ff..a1b6692aa 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,30 +1,17 @@
+.PHONY: all
 all: firemon
 
-CC=@CC@
-prefix=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+include ../common.mk
 
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-
-%.o : %.c $(H_FILE_LIST)
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 firemon: $(OBJS) ../lib/common.o ../lib/pid.o
         $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
 
-clean:; rm -f *.o firemon *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c
new file mode 100644
index 000000000..eb810a9e7
--- /dev/null
+++ b/src/firemon/apparmor.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firemon.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+static void print_apparmor(int pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv != -1) {
+                printf("  AppArmor: ");
+                if (label)
+                        printf("%s ", label);
+                if (mode)
+                        printf("%s", mode);
+                printf("\n");
+        }
+}
+
+void apparmor(pid_t pid, int print_procs) {
+        pid_read(pid);
+
+        // print processes
+        int i;
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 1) {
+                        if (print_procs || pid == 0)
+                                pid_print_list(i, arg_wrap);
+                        int child = find_child(i);
+                        if (child != -1)
+                                print_apparmor(child);
+                }
+        }
+        printf("\n");
+}
+
+#else
+
+void apparmor(pid_t pid, int print_procs) {
+        (void) pid;
+        (void) print_procs;
+        printf("AppArmor support not available\n");
+}
+#endif
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index dad183b85..1a69a67b1 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -51,7 +51,7 @@ static void print_arp(const char *fname) {
                 char mac[64];
                 char mask[64];
                 char device[64];
-                int rv = sscanf(start, "%s %s %s %s %s %s\n", ip, type, flags, mac, mask, device);
+                int rv = sscanf(start, "%63s %63s %63s %63s %63s %63s\n", ip, type, flags, mac, mask, device);
                 if (rv != 6)
                         continue;
 
@@ -80,7 +80,7 @@ void arp(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1) {
                                 char *fname;
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index 09955d983..c0f305a5d 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -53,7 +53,7 @@ void caps(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_caps(child);
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 6b39ee385..97ba591a6 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -53,7 +53,7 @@ void cgroup(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_cgroup(child);
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 6a7310c34..91b455941 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -54,7 +54,7 @@ void cpu(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_cpu(child);
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 1f3fdd578..6c34cd411 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,6 +25,8 @@
 #include <grp.h>
 #include <sys/stat.h>
 
+pid_t skip_process = 0;
+int arg_debug = 0;
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
@@ -37,7 +39,8 @@ static int arg_x11 = 0;
 static int arg_top = 0;
 static int arg_list = 0;
 static int arg_netstats = 0;
-int arg_nowrap = 0;
+static int arg_apparmor = 0;
+int arg_wrap = 0;
 
 static struct termios tlocal;   // startup terminal setting
 static struct termios twait;    // no wait on key press
@@ -49,24 +52,31 @@ static void my_handler(int s){
 
         if (terminal_set)
                 tcsetattr(0, TCSANOW, &tlocal);
-        exit(0);
+        _exit(0);
 }
 
 // find the second child process for the specified pid
 // return -1 if not found
 //
 // Example:
-//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt 
-//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt 
-//    14792:netblue:/usr/bin/transmission-qt 
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
 // We need 14792, the first real sandboxed process
 int find_child(int id) {
         int i;
         int first_child = -1;
 
-        // find the first child 
+        // find the first child
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 2 && pids[i].parent == id) {
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+                        char *cmdline = pid_proc_cmdline(i);
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+                                free(cmdline);
+                                continue;
+                        }
+                        free(cmdline);
                         first_child = i;
                         break;
                 }
@@ -74,14 +84,16 @@ int find_child(int id) {
 
         if (first_child == -1)
                 return -1;
-        
-        // find the second child
+
+        // find the second-level child
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 3 && pids[i].parent == first_child)
                         return i;
         }
-        
-        return -1;
+
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
 }
 
 // sleep and wait for a key to be pressed
@@ -138,7 +150,8 @@ int main(int argc, char **argv) {
                         printf("firemon version %s\n\n", VERSION);
                         return 0;
                 }
-
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
                 // options without a pid argument
                 else if (strcmp(argv[i], "--top") == 0)
                         arg_top = 1;
@@ -146,6 +159,7 @@ int main(int argc, char **argv) {
                         arg_list = 1;
                 else if (strcmp(argv[i], "--tree") == 0)
                         arg_tree = 1;
+#ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netstats") == 0) {
                         struct stat s;
                         if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
@@ -154,7 +168,7 @@ int main(int argc, char **argv) {
                         }
                         arg_netstats = 1;
                 }
-
+#endif
 
                 // cumulative options with or without a pid argument
                 else if (strcmp(argv[i], "--x11") == 0)
@@ -174,10 +188,14 @@ int main(int argc, char **argv) {
                         }
                         arg_interface = 1;
                 }
+#ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--route") == 0)
                         arg_route = 1;
                 else if (strcmp(argv[i], "--arp") == 0)
                         arg_arp = 1;
+#endif
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
 
                 else if (strncmp(argv[i], "--name=", 7) == 0) {
                         char *name = argv[i] + 7;
@@ -188,8 +206,8 @@ int main(int argc, char **argv) {
                 }
 
                 // etc
-                else if (strcmp(argv[i], "--nowrap") == 0)
-                        arg_nowrap = 1;
+                else if (strcmp(argv[i], "--wrap") == 0)
+                        arg_wrap = 1;
 
                 // invalid option
                 else if (*argv[i] == '-') {
@@ -214,6 +232,13 @@ int main(int argc, char **argv) {
                 }
         }
 
+
+        // if the parent is firejail, skip the process
+        pid_t ppid = getppid();
+        char *pcomm = pid_proc_comm(ppid);
+        if (pcomm && strcmp(pcomm, "firejail") == 0)
+                skip_process = ppid;
+
         // allow only root user if /proc is mounted hidepid
         if (pid_hidepid() && getuid() != 0) {
                 fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n");
@@ -232,9 +257,13 @@ int main(int argc, char **argv) {
                 netstats();     // print all sandboxes, --name disregarded
                 return 0;
         }
+        if (arg_tree) {
+                tree(pid);
+                return 0;
+        }
 
         // if --name requested without other options, print all data
-        if (pid && !arg_tree &&  !arg_cpu && !arg_seccomp && !arg_caps &&
+        if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
             !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
                 arg_tree = 1;
                 arg_cpu = 1;
@@ -245,14 +274,11 @@ int main(int argc, char **argv) {
                 arg_interface = 1;
                 arg_route = 1;
                 arg_arp = 1;
+                arg_apparmor = 1;
         }
 
         // cumulative options
         int print_procs = 1;
-        if (arg_tree) {
-                tree((pid_t) pid);
-                print_procs = 0;
-        }
         if (arg_cpu) {
                 cpu((pid_t) pid, print_procs);
                 print_procs = 0;
@@ -265,6 +291,10 @@ int main(int argc, char **argv) {
                 caps((pid_t) pid, print_procs);
                 print_procs = 0;
         }
+        if (arg_apparmor) {
+                apparmor((pid_t) pid, print_procs);
+                print_procs = 0;
+        }
         if (arg_cgroup) {
                 cgroup((pid_t) pid, print_procs);
                 print_procs = 0;
@@ -285,10 +315,10 @@ int main(int argc, char **argv) {
                 arp((pid_t) pid, print_procs);
                 print_procs = 0;
         }
+        (void) print_procs;
 
         if (getuid() == 0) {
-                if (!arg_tree)
-                        tree((pid_t) pid);
+                tree((pid_t) pid);      // pid initialized as zero, will print the tree for all processes if a specific pid was not requested
                 procevent((pid_t) pid);
         }
 
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 9798ed545..5252ad34f 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -29,6 +29,9 @@
 #include "../include/pid.h"
 #include "../include/common.h"
 
+// main.c
+extern int arg_debug;
+
 // clear screen
 static inline void firemon_clrscr(void) {
         printf("\033[2J\033[1;1H");
@@ -36,19 +39,20 @@ static inline void firemon_clrscr(void) {
 }
 
 // firemon.c
-extern int arg_nowrap;
+extern pid_t skip_process;
+extern int arg_wrap;
 int find_child(int id);
 void firemon_sleep(int st);
 
 
 // procevent.c
-void procevent(pid_t pid);
+void procevent(pid_t pid) __attribute__((noreturn));
 
 // usage.c
 void usage(void);
 
 // top.c
-void top(void);
+void top(void) __attribute__((noreturn));
 
 // list.c
 void list(void);
@@ -78,9 +82,12 @@ void cgroup(pid_t pid, int print_procs);
 void tree(pid_t pid);
 
 // netstats.c
-void netstats(void);
+void netstats(void) __attribute__((noreturn));
 
 // x11.c
 void x11(pid_t pid, int print_procs);
 
+//apparmor.c
+void apparmor(pid_t pid, int print_procs);
+
 #endif
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index 839cea624..780e3d706 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <netdb.h>
@@ -62,7 +63,7 @@ static void net_ifprint(void) {
                                         // extract mac address
                                         struct ifreq ifr;
                                         memset(&ifr, 0, sizeof(ifr));
-                                        strncpy(ifr.ifr_name,  ifa->ifa_name, IFNAMSIZ);
+                                        strncpy(ifr.ifr_name,  ifa->ifa_name, IFNAMSIZ - 1);
                                         int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
 
                                         if (rv == 0)
@@ -145,9 +146,9 @@ static void print_sandbox(pid_t pid) {
                 if (rv)
                         return;
                 net_ifprint();
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
 
@@ -163,7 +164,7 @@ void interface(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1) {
                                 print_sandbox(child);
diff --git a/src/firemon/list.c b/src/firemon/list.c
index b8e54c233..51099a75c 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,7 +25,9 @@ void list(void) {
         // print processes
         int i;
         for (i = 0; i < max_pids; i++) {
+                if (i == skip_process)
+                        continue;
                 if (pids[i].level == 1)
-                        pid_print_list(i, arg_nowrap);
+                        pid_print_list(i, arg_wrap);
         }
 }
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index c68e2e51b..9d8e5d7f5 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
@@ -242,8 +243,7 @@ void netstats(void) {
                                 print_proc(i, itv, col);
                         }
                 }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index ecbcf35db..716a9cba4 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/socket.h>
 #include <linux/connector.h>
 #include <linux/netlink.h>
@@ -94,10 +95,21 @@ static int pid_is_firejail(pid_t pid) {
                 // list of firejail arguments that don't trigger sandbox creation
                 // the initial -- is not included
                 char *exclude_args[] = {
-                        "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls",
-                        "debug-errnos", "debug-protocols", "protocol.print",  "debug.caps",
-                        "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps",
-                        "fs.print", "get", "overlay-clean", NULL
+                        // all print options
+                        "apparmor.print", "caps.print", "cpu.print", "dns.print", "fs.print", "netfilter.print",
+                        "netfilter6.print", "profile.print", "protocol.print", "seccomp.print",
+                        // debug
+                        "debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls", "debug-syscalls32",
+                        // file transfer
+                        "ls", "get", "put", "cat",
+                        // stats
+                        "tree", "list", "top",
+                        // network
+                        "netstats", "bandwidth",
+                        // etc
+                        "help", "version", "overlay-clean",
+
+                        NULL // end of list marker
                 };
 
                 int i;
@@ -162,6 +174,20 @@ static int procevent_netlink_setup(void) {
         if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
                 goto errexit;
 
+        // set a large socket rx buffer
+        // the regular default value as set in /proc/sys/net/core/rmem_default will fill the
+        //            buffer much quicker than we can process it
+        int bsize = 1024 * 1024; // 1MB
+        socklen_t blen = sizeof(int);
+        if (setsockopt(sock, SOL_SOCKET, SO_RCVBUFFORCE, &bsize, blen) == -1)
+                fprintf(stderr, "Warning: cannot set rx buffer size, using default system value\n");
+        else if (arg_debug) {
+                if (getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &bsize, &blen) == -1)
+                        fprintf(stderr, "Error: cannot read rx buffer size\n");
+                else
+                        printf("rx buffer size %d\n", bsize / 2); // the value returned is duble the real one, see man 7 socket
+        }
+
         // send monitoring message
         struct nlmsghdr nlmsghdr;
         memset(&nlmsghdr, 0, sizeof(nlmsghdr));
@@ -195,7 +221,7 @@ errexit:
 }
 
 
-static int procevent_monitor(const int sock, pid_t mypid) {
+static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t mypid) {
         ssize_t len;
         struct nlmsghdr *nlmsghdr;
 
@@ -205,9 +231,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
         tv.tv_usec = 0;
 
         while (1) {
-#ifdef HAVE_GCOV
                 __gcov_flush();
-#endif
 
 #define BUFFSIZE 4096
                 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
@@ -221,8 +245,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 
                 int rv = select(max, &readfds, NULL, NULL, &tv);
                 if (rv == -1) {
-                        fprintf(stderr, "recv: %s\n", strerror(errno));
-                        return -1;
+                        errExit("recv");
                 }
 
                 // timeout
@@ -233,15 +256,20 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                 }
 
 
-                if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) {
-                        return 0;
-                }
+                if ((len = recv(sock, buf, sizeof(buf), 0)) == 0)
+                        exit(0);
                 if (len == -1) {
-                        if (errno == EINTR) {
-                                return 0;
-                        } else {
-                                fprintf(stderr,"recv: %s\n", strerror(errno));
-                                return -1;
+                        if (errno == EINTR)
+                                continue;
+                        else if (errno == ENOBUFS) {
+                                // rx buffer is full, the kernel started dropping messages
+                                printf("*** Waning *** - message burst received, not all events are printed\n");
+//return -1;
+                                continue;
+                        }
+                        else {
+                                fprintf(stderr,"Error: rx socket recv call, errno %d, %s\n", errno, strerror(errno));
+                                exit(1);
                         }
                 }
 
@@ -291,6 +319,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                                 child %= max_pids;
                                                 pids[child].level = pids[pid].level + 1;
                                                 pids[child].uid = pid_get_uid(child);
+                                                pids[child].parent = pid;
                                         }
                                         sprintf(lineptr, " fork");
                                         break;
@@ -318,12 +347,22 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                         sprintf(lineptr, " exit");
                                         break;
 
+
+
                                 case PROC_EVENT_UID:
                                         pid = proc_ev->event_data.id.process_tgid;
 #ifdef DEBUG_PRCTL
         printf("%s: %d, event uid, pid %d\n", __FUNCTION__, __LINE__, pid);
 #endif
-                                        sprintf(lineptr, " uid ");
+                                        if (pids[pid].level == 1 ||
+                                            pids[pids[pid].parent].level == 1) {
+                                                sprintf(lineptr, "\n");
+                                                continue;
+                                        }
+                                        else
+                                                sprintf(lineptr, " uid (%d:%d)",
+                                                        proc_ev->event_data.id.r.ruid,
+                                                        proc_ev->event_data.id.e.euid);
                                         break;
 
                                 case PROC_EVENT_GID:
@@ -331,9 +370,19 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 #ifdef DEBUG_PRCTL
         printf("%s: %d, event gid, pid %d\n", __FUNCTION__, __LINE__, pid);
 #endif
-                                        sprintf(lineptr, " gid ");
+                                        if (pids[pid].level == 1 ||
+                                            pids[pids[pid].parent].level == 1) {
+                                                sprintf(lineptr, "\n");
+                                                continue;
+                                        }
+                                        else
+                                                sprintf(lineptr, " gid (%d:%d)",
+                                                        proc_ev->event_data.id.r.rgid,
+                                                        proc_ev->event_data.id.e.egid);
                                         break;
 
+
+
                                 case PROC_EVENT_SID:
                                         pid = proc_ev->event_data.sid.process_tgid;
 #ifdef DEBUG_PRCTL
@@ -353,7 +402,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                         int add_new = 0;
                         if (pids[pid].level < 0)        // not a firejail process
                                 continue;
-                        else if (pids[pid].level == 0) { // new porcess, do we track it?
+                        else if (pids[pid].level == 0) { // new process, do we track it?
                                 if (pid_is_firejail(pid) && mypid == 0) {
                                         pids[pid].level = 1;
                                         add_new = 1;
@@ -446,7 +495,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                 exit(0);
                 }
         }
-        return 0;
+        __builtin_unreachable();
 }
 
 void procevent(pid_t pid) {
@@ -464,6 +513,4 @@ void procevent(pid_t pid) {
         }
 
         procevent_monitor(sock, pid); // it will never return from here
-        assert(0);
-        close(sock); // quiet static analyzers
 }
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 76b268897..9cf5054b2 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -144,7 +144,7 @@ static void print_route(const char *fname) {
                 char use[64];
                 char metric[64];
                 char mask[64];
-                int rv = sscanf(start, "%s %s %s %s %s %s %s %s\n", ifname, destination, gateway, flags, refcnt, use, metric, mask);
+                int rv = sscanf(start, "%63s %63s %63s %63s %63s %63s %63s %63s\n", ifname, destination, gateway, flags, refcnt, use, metric, mask);
                 if (rv != 8)
                         continue;
 
@@ -161,7 +161,7 @@ static void print_route(const char *fname) {
 
 //              printf("#%s# #%s# #%s# #%s# #%s# #%s# #%s# #%s#\n", ifname, destination, gateway, flags, refcnt, use, metric, mask);
                 if (gw != 0)
-                        printf("     %u.%u.%u.%u/%u via %u.%u.%u.%u, dev %s, metric %s\n",
+                        printf("     %d.%d.%d.%d/%u via %d.%d.%d.%d, dev %s, metric %s\n",
                                 PRINT_IP(destip), mask2bits(destmask),
                                 PRINT_IP(gw),
                                 ifname,
@@ -169,7 +169,7 @@ static void print_route(const char *fname) {
                 else { // this is an interface
                         IfList *ifentry = list_find(destip, destmask);
                         if (ifentry) {
-                                printf("     %u.%u.%u.%u/%u, dev %s, scope link src %d.%d.%d.%d\n",
+                                printf("     %d.%d.%d.%d/%u, dev %s, scope link src %d.%d.%d.%d\n",
                                         PRINT_IP(destip), mask2bits(destmask),
                                         ifname,
                                         PRINT_IP(ifentry->ip));
@@ -189,7 +189,7 @@ void route(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1) {
                                 char *fname;
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index ce9d1dffb..04111b6c0 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -52,7 +52,7 @@ void seccomp(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_seccomp(child);
diff --git a/src/firemon/top.c b/src/firemon/top.c
index 6ea642109..2217cc7de 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
@@ -273,6 +274,8 @@ void top(void) {
                 unsigned utime = 0;
                 unsigned stime = 0;
                 for (i = 0; i < max_pids; i++) {
+                        if (i == skip_process)
+                                continue;
                         if (pids[i].level == 1)
                                 pid_store_cpu(i, 0, &utime, &stime);
                 }
@@ -313,6 +316,8 @@ void top(void) {
 
                 // print processes
                 for (i = 0; i < max_pids; i++) {
+                        if (i == skip_process)
+                                continue;
                         if (pids[i].level == 1) {
                                 float cpu = 0;
                                 int cnt = 0; // process count
@@ -322,8 +327,7 @@ void top(void) {
                         }
                 }
                 head_print(col, row);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index 846c6ed75..899214b9f 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -25,8 +25,10 @@ void tree(pid_t pid) {
         // print processes
         int i;
         for (i = 0; i < max_pids; i++) {
+                if (i == skip_process)
+                        continue;
                 if (pids[i].level == 1)
-                        pid_print_tree(i, 0, arg_nowrap);
+                        pid_print_tree(i, 0, arg_wrap);
         }
         printf("\n");
 }
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 58e3b63f3..baaef3111 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,61 +19,67 @@
 */
 #include "firemon.h"
 
-void usage(void) {
-        printf("firemon - version %s\n", VERSION);
-        printf("Usage: firemon [OPTIONS] [PID]\n\n");
-        printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n");
-        printf("all processes started by Firejail are monitored. Descendants of these processes\n");
-        printf("are also being monitored. On Grsecurity systems only root user\n");
-        printf("can run this program.\n\n");
-        printf("Options:\n");
-        printf("\t--arp - print ARP table for each sandbox.\n\n");
-        printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
-        printf("\t--cgroup - print control group information for each sandbox.\n\n");
-        printf("\t--cpu - print CPU affinity for each sandbox.\n\n");
-        printf("\t--help, -? - this help screen.\n\n");
-        printf("\t--interface - print network interface information for each sandbox.\n\n");
-        printf("\t--list - list all sandboxes.\n\n");
-        printf("\t--name=name - print information only about named sandbox.\n\n");
-        printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
-        printf("\t\tnetwork namespace.\n\n");
-        printf("\t--nowrap - enable line wrapping in terminals.\n\n");
-        printf("\t--route - print route table for each sandbox.\n\n");
-        printf("\t--seccomp - print seccomp configuration for each sandbox.\n\n");
-        printf("\t--tree - print a tree of all sandboxed processes.\n\n");
-        printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n");
-        printf("\t--version - print program version and exit.\n\n");
+static char *help_str =
+        "Usage: firemon [OPTIONS] [PID]\n\n"
+        "Monitor processes started in a Firejail sandbox. Without any PID specified,\n"
+        "all processes started by Firejail are monitored. Descendants of these processes\n"
+        "are also being monitored. On Grsecurity systems only root user\n"
+        "can run this program.\n\n"
+        "Options:\n"
+        "\t--apparmor - print AppArmor confinement status for each sandbox.\n\n"
+        "\t--arp - print ARP table for each sandbox.\n\n"
+        "\t--caps - print capabilities configuration for each sandbox.\n\n"
+        "\t--cgroup - print control group information for each sandbox.\n\n"
+        "\t--cpu - print CPU affinity for each sandbox.\n\n"
+        "\t--debug - print debug messages.\n\n"
+        "\t--help, -? - this help screen.\n\n"
+        "\t--interface - print network interface information for each sandbox.\n\n"
+        "\t--list - list all sandboxes.\n\n"
+        "\t--name=name - print information only about named sandbox.\n\n"
+        "\t--netstats - monitor network statistics for sandboxes creating a new\n"
+        "\t\tnetwork namespace.\n\n"
+        "\t--nowrap - enable line wrapping in terminals.\n\n"
+        "\t--route - print route table for each sandbox.\n\n"
+        "\t--seccomp - print seccomp configuration for each sandbox.\n\n"
+        "\t--tree - print a tree of all sandboxed processes.\n\n"
+        "\t--top - monitor the most CPU-intensive sandboxes.\n\n"
+        "\t--version - print program version and exit.\n\n"
+        "\t--x11 - print X11 display number.\n\n"
+
+        "Without any options, firemon monitors all fork, exec, id change, and exit\n"
+        "events in the sandbox. Monitoring a specific PID is also supported.\n\n"
 
-        printf("Without any options, firemon monitors all fork, exec, id change, and exit events\n");
-        printf("in the sandbox. Monitoring a specific PID is also supported.\n\n");
+        "Option --list prints a list of all sandboxes. The format for each entry is as\n"
+        "follows:\n\n"
+        "\tPID:USER:Command\n\n"
 
-        printf("Option --list prints a list of all sandboxes. The format for each entry is as\n");
-        printf("follows:\n\n");
-        printf("\tPID:USER:Command\n\n");
+        "Option --tree prints the tree of processes running in the sandbox. The format\n"
+        "for each process entry is as follows:\n\n"
+        "\tPID:USER:Command\n\n"
 
-        printf("Option --tree prints the tree of processes running in the sandbox. The format\n");
-        printf("for each process entry is as follows:\n\n");
-        printf("\tPID:USER:Command\n\n");
+        "Option --top is similar to the UNIX top command, however it applies only to\n"
+        "sandboxes. Listed below are the available fields (columns) in alphabetical\n"
+        "order:\n\n"
+        "\tCommand - command used to start the sandbox.\n"
+        "\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"
+        "\t       last screen update\n"
+        "\tPID - Unique process ID for the task controlling the sandbox.\n"
+        "\tPrcs - number of processes running in sandbox, including the\n"
+        "\t       controlling process.\n"
+        "\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"
+        "\t      It is a sum of the RES values for all processes running in the\n"
+        "\t      sandbox.\n"
+        "\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"
+        "\t      processes. It is a sum of the SHR values for all processes\n"
+        "\t      running in the sandbox, including the controlling process.\n"
+        "\tUptime - sandbox running time in hours:minutes:seconds format.\n"
+        "\tUser - The owner of the sandbox.\n"
+        "\n"
+        "License GPL version 2 or later\n"
+        "Homepage: https://firejail.wordpress.com\n"
+        "\n";
 
-        printf("Option --top is similar to the UNIX top command, however it applies only to\n");
-        printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n");
-        printf("order:\n\n");
-        printf("\tCommand - command used to start the sandbox.\n");
-        printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n");
-        printf("\t       last screen update\n");
-        printf("\tPID - Unique process ID for the task controlling the sandbox.\n");
-        printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
-        printf("\t       process.\n");
-        printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
-        printf("\t      It is a sum of the RES values for all processes running in the\n");
-        printf("\t      sandbox.\n");
-        printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
-        printf("\t      processes. It is a sum of the SHR values for all processes running\n");
-        printf("\t      in the sandbox, including the controlling process.\n");
-        printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n");
-        printf("\tUser - The owner of the sandbox.\n");
-        printf("\n");
-        printf("License GPL version 2 or later\n");
-        printf("Homepage: http://firejail.wordpress.com\n");
-        printf("\n");
+void usage(void) {
+        printf("firemon - version %s\n", VERSION);
+        puts(help_str);
 }
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index 57d7c1e82..97e24b2d2 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -30,7 +30,7 @@ void x11(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
 
                         char *x11file;
                         // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index 7369c835b..ba87d16cd 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -1,45 +1,17 @@
+.PHONY: all
 all: fldd
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
+include ../common.mk
 
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-
-fldd: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-
-clean:; rm -f *.o fldd *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/fldd/main.c b/src/fldd/main.c
index c04daa0ed..b71145793 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -19,8 +19,8 @@
 */
 
 #include "../include/common.h"
+#include "../include/ldd_utils.h"
 
-#include <elf.h>
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
@@ -29,33 +29,10 @@
 #include <unistd.h>
 #include <dirent.h>
 
-#ifdef __LP64__
-#define Elf_Ehdr Elf64_Ehdr
-#define Elf_Phdr Elf64_Phdr
-#define Elf_Shdr Elf64_Shdr
-#define Elf_Dyn Elf64_Dyn
-#else
-#define Elf_Ehdr Elf32_Ehdr
-#define Elf_Phdr Elf32_Phdr
-#define Elf_Shdr Elf32_Shdr
-#define Elf_Dyn Elf32_Dyn
-#endif
 
 static int arg_quiet = 0;
 static void copy_libs_for_lib(const char *lib);
 
-static const char * const default_lib_paths[] = {
-        "/lib",
-        "/lib/x86_64-linux-gnu",
-        "/lib64",
-        "/usr/lib",
-        "/usr/lib/x86_64-linux-gnu",
-        LIBDIR,
-        "/usr/local/lib",
-        NULL
-}; // Note: this array is duplicated in src/firejail/fs_lib.c
-
-
 typedef struct storage_t {
         struct storage_t *next;
         const char *name;
@@ -98,12 +75,14 @@ static void storage_print(Storage *ptr, int fd) {
 
 static bool ptr_ok(const void *ptr, const void *base, const void *end, const char *name) {
         bool r;
+        (void) name;
 
         r = (ptr >= base && ptr < end);
         return r;
 }
 
-static void copy_libs_for_exe(const char *exe) {
+
+static void parse_elf(const char *exe) {
         int f;
         f = open(exe, O_RDONLY);
         if (f < 0) {
@@ -111,7 +90,7 @@ static void copy_libs_for_exe(const char *exe) {
                         fprintf(stderr, "Warning fldd: cannot open %s, skipping...\n", exe);
                 return;
         }
-        
+
         struct stat s;
         char *base = NULL, *end;
         if (fstat(f, &s) == -1)
@@ -128,6 +107,12 @@ static void copy_libs_for_exe(const char *exe) {
                         fprintf(stderr, "Warning fldd: %s is not an ELF executable or library\n", exe);
                 goto close;
         }
+//unsigned char elfclass = ebuf->e_ident[EI_CLASS];
+//if (elfclass == ELFCLASS32)
+//printf("%s 32bit\n", exe);
+//else if (elfclass == ELFCLASS64)
+//printf("%s 64bit\n", exe);
+
 
         Elf_Phdr *pbuf = (Elf_Phdr *)(base + sizeof(*ebuf));
         while (ebuf->e_phnum-- > 0 && ptr_ok(pbuf, base, end, "pbuf")) {
@@ -213,7 +198,7 @@ static void copy_libs_for_exe(const char *exe) {
  close:
         if (base)
                 munmap(base, s.st_size);
-                        
+
         close(f);
 }
 
@@ -223,11 +208,11 @@ static void copy_libs_for_lib(const char *lib) {
                 char *fname;
                 if (asprintf(&fname, "%s/%s", lib_path->name, lib) == -1)
                         errExit("asprintf");
-                if (access(fname, R_OK) == 0) {
+                if (access(fname, R_OK) == 0 && is_lib_64(fname)) {
                         if (!storage_find(libs, fname)) {
                                 storage_add(&libs, fname);
                                 // libs may need other libs
-                                copy_libs_for_exe(fname);
+                                parse_elf(fname);
                         }
                         free(fname);
                         return;
@@ -266,9 +251,9 @@ static void walk_directory(const char *dirname) {
 
                         // check regular so library
                         char *ptr = strstr(entry->d_name, ".so");
-                        if (ptr) {
+                        if (ptr && is_lib_64(path)) {
                                 if (*(ptr + 3) == '\0' || *(ptr + 3) == '.') {
-                                        copy_libs_for_exe(path);
+                                        parse_elf(path);
                                         free(path);
                                         continue;
                                 }
@@ -276,12 +261,21 @@ static void walk_directory(const char *dirname) {
 
                         // check directory
                         // entry->d_type field is supported  in glibc since version 2.19 (Feb 2014)
-                        // we'll use stat to check for directories
+                        // we'll use stat to check for directories using the real path
+                        // (sometimes the path is a double symlink to a real file and stat would fail)
+                        char *rpath = realpath(path, NULL);
+                        if (!rpath) {
+                                free(path);
+                                continue;
+                        }
+                        free(path);
+
                         struct stat s;
-                        if (stat(path, &s) == -1)
+                        if (stat(rpath, &s) == -1)
                                 errExit("stat");
                         if (S_ISDIR(s.st_mode))
-                                walk_directory(path);
+                                walk_directory(rpath);
+                        free(rpath);
                 }
                 closedir(dir);
         }
@@ -312,11 +306,13 @@ printf("\n");
         }
 
 
-        if (strcmp(argv[1], "--help") == 0) {
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) {
                 usage();
                 return 0;
         }
 
+        warn_dumpable();
+
         // check program access
         if (access(argv[1], R_OK)) {
                 fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]);
@@ -327,16 +323,11 @@ printf("\n");
         if (quiet && strcmp(quiet, "yes") == 0)
                 arg_quiet = 1;
 
-        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
-                usage();
-                return 0;
-        }
-        
         int fd = STDOUT_FILENO;
         // attempt to open the file
         if (argc == 3) {
                 fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644);
-                if (!fd) {
+                if (fd == -1) {
                         fprintf(stderr, "Error fldd: invalid arguments\n");
                         usage();
                         exit(1);
@@ -352,8 +343,12 @@ printf("\n");
                 errExit("stat");
         if (S_ISDIR(s.st_mode))
                 walk_directory(argv[1]);
-        else
-                copy_libs_for_exe(argv[1]);
+        else {
+                if (is_lib_64(argv[1]))
+                        parse_elf(argv[1]);
+                else
+                        fprintf(stderr, "Warning fldd: %s is not a 64bit program/library\n", argv[1]);
+        }
 
 
         // print libraries and exit
diff --git a/src/floader/README.md b/src/floader/README.md
deleted file mode 100644
index c1e14b2a6..000000000
--- a/src/floader/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-READ ME
--------
-
-* Run 'make'
-* Add comma separated process names to ~/.loader.conf
-* export LD_PRELOAD=<path>./loader.so (ideally to .bashrc)
-* Run any application within shell
diff --git a/src/floader/loader.c b/src/floader/loader.c
deleted file mode 100644
index 6b9f92f18..000000000
--- a/src/floader/loader.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
- * Copyright (C) 2017 Madura A. (madura.x86@gmail.com)
- *
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/mman.h>
-#include <fcntl.h>
-#include <unistd.h>
-
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-
-#define MAX_MATCHES 32
-#define MAX_ARGS 1024
-#define MAX_ARGS_LEN 4096
-static void loader_main() __attribute__((constructor));
-
-char cmdline[MAX_ARGS_LEN];
-char *args[MAX_ARGS];
-char loader[] = "firejail";
-char confFile[256];
-char *names[MAX_MATCHES];
-
-#ifdef DEBUG
-#define DBG printf
-#else
-#define DBG
-#endif
-void remove_trailing_spaces(char *str)
-{
-    while (!isspace(*str))
-    {
-        str++;
-    }
-
-    while (*str != '\0')
-    {
-        *str = '\0';
-        str++;
-    }
-}
-
-void read_cmdline()
-{
-    int fd = open("/proc/self/cmdline", O_RDONLY);
-    ssize_t ret = 0, total = 0;
-    char* wcmdbuf = cmdline;
-    while ((ret = read(fd, wcmdbuf, 1)) != 0)
-    {
-        wcmdbuf++;
-        total += ret;
-        if (total > MAX_ARGS_LEN)
-        {
-            printf("Not enough memory\n");
-            close(fd);
-            return ;
-        }
-    }
-    close(fd);
-}
-
-void make_args()
-{
-    int cI = 0, argI=0;
-    char* argstart = &cmdline[0];
-    for (;cI<MAX_ARGS_LEN;cI++)
-    {
-        if (cmdline[cI] == '\0')
-        {
-            args[argI]= argstart;
-            argstart = &cmdline[cI+1];
-            argI++;
-            if (*argstart  == '\0')
-            {
-                break;
-            }
-        }
-    }
-    args[argI] = argstart;
-    argI++;
-    args[argI] = NULL;
-}
-
-void loader_main()
-{
-    snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME"));
-
-    struct stat confFileStat;
-
-    stat(confFile, &confFileStat);
-
-    int confFd = open(confFile, O_RDONLY);
-
-    if (confFd == -1)
-    {
-        close(confFd);
-        return;
-    }
-    char* conf = (char*) malloc(confFileStat.st_size);
-    if (conf == NULL)
-    {
-        close(confFd);
-        return;
-    }
-    ssize_t ret  = read(confFd, conf, confFileStat.st_size);
-    if (ret == -1)
-    {
-        close(confFd);
-        return;
-    }
-
-    close(confFd);
-    size_t fI = 0;
-    int matchId = 0;
-    names[matchId] = conf;
-    matchId++;
-    for (;fI < confFileStat.st_size-1;fI++)
-    {
-        if (conf[fI] == ',')
-        {
-            names[matchId] = &conf[fI+1];
-            conf[fI] = '\0';
-
-            matchId++;
-        }
-    }
-
-    remove_trailing_spaces(names[matchId-1]);
-
-    read_cmdline();
-
-    make_args();
-
-#ifdef DEBUG
-    int xarg=0;
-    while (args[xarg] != NULL)
-    {
-        DBG(".%s\n", args[xarg]);
-        xarg++;
-    }
-#endif
-
-    int x;
-
-    for (x = 0;x<matchId;x++)
-    {
-        DBG("%s\n",names[x]);
-        if (strstr(args[0], names[x]) != NULL)
-        {
-            DBG("highjack!\n");
-
-            free(conf);
-
-            execvp(loader, args );
-        }
-    }
-
-}
diff --git a/src/floader/makefile b/src/floader/makefile
deleted file mode 100644
index eeb96571d..000000000
--- a/src/floader/makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-all:
-        gcc -ggdb -shared -fPIC loader.c -o loader.so
-
-debug:
-        gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 3288e6354..7447c6d3f 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -1,45 +1,17 @@
+.PHONY: all
 all: fnet
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fnet: $(OBJS) ../lib/libnetlink.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
 
-clean:; rm -f *.o fnet *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/fnet/arp.c b/src/fnet/arp.c
index 4736f3509..59798d32d 100644
--- a/src/fnet/arp.c
+++ b/src/fnet/arp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -60,7 +60,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
                 errExit("socket");
         struct ifreq ifr;
         memset(&ifr, 0, sizeof (ifr));
-        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+        strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1);
         if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
                 errExit("ioctl");
         close(sock);
@@ -124,7 +124,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
                                 errExit("if_nametoindex");
                         addr.sll_family = AF_PACKET;
                         memcpy (addr.sll_addr, mac, 6);
-                        addr.sll_halen = htons(6);
+                        addr.sll_halen = ETH_ALEN;
 
                         // build the arp packet header
                         ArpHdr hdr;
@@ -149,10 +149,8 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
                         memcpy (frame + 14, &hdr, sizeof(hdr));
 
                         // send packet
-                        int len;
-                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+                        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                                 errExit("send");
-//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));
                         fflush(0);
                         dest++;
                 }
@@ -192,10 +190,10 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
 
                                 // printing
                                 if (header_printed == 0) {
-                                        printf("   Network scan:\n");
+                                        fmessage("   Network scan:\n");
                                         header_printed = 1;
                                 }
-                                printf("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
+                                fmessage("   %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
                                         PRINT_MAC(hdr.sender_mac), PRINT_IP(ip));
                         }
                 }
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
index b4b7e6a37..c0154b53e 100644
--- a/src/fnet/fnet.h
+++ b/src/fnet/fnet.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -20,18 +20,21 @@
 #ifndef FNET_H
 #define FNET_H
 
+#include "../include/common.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
-#include "../include/common.h"
+#include <stdarg.h>
 
 // main.c
 extern int arg_quiet;
+extern void fmessage(char* fmt, ...); // TODO: this function is duplicated in src/firejail/util.c
 
 // veth.c
 int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
 int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid);
 int net_move_interface(const char *dev, unsigned pid);
 
 // interface.c
@@ -44,6 +47,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]);
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
 int net_if_mac(const char *ifname, const unsigned char mac[6]);
 void net_if_ip6(const char *ifname, const char *addr6);
+void net_if_waitll(const char *ifname);
 
 
 // arp.c
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
index 8c1fd6ca4..91d91360d 100644
--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -28,6 +28,8 @@
 #include <net/if_arp.h>
 #include <net/route.h>
 #include <linux/if_bridge.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
 
 static void check_if_name(const char *ifname) {
         if (strlen(ifname) > IFNAMSIZ) {
@@ -58,7 +60,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) {
                 errExit("socket");
 
         memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+        strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1);
 #ifdef SIOCBRADDIF
         ifr.ifr_ifindex = ifindex;
         err = ioctl(sock, SIOCBRADDIF, &ifr);
@@ -90,7 +92,7 @@ void net_if_up(const char *ifname) {
         // get the existing interface flags
         struct ifreq ifr;
         memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_addr.sa_family = AF_INET;
 
         // read the existing flags
@@ -135,7 +137,7 @@ int net_get_mtu(const char *ifname) {
 
         memset(&ifr, 0, sizeof(ifr));
         ifr.ifr_addr.sa_family = AF_INET;
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
                 mtu = ifr.ifr_mtu;
         close(s);
@@ -154,7 +156,7 @@ void net_set_mtu(const char *ifname, int mtu) {
 
         memset(&ifr, 0, sizeof(ifr));
         ifr.ifr_addr.sa_family = AF_INET;
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_mtu = mtu;
         if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) {
                 if (!arg_quiet)
@@ -172,7 +174,7 @@ void net_ifprint(int scan) {
         if (getifaddrs(&ifaddr) == -1)
                 errExit("getifaddrs");
 
-        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
+        fmessage("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
                 "Interface", "MAC", "IP", "Mask", "Status");
         // walk through the linked list
         for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
@@ -208,7 +210,7 @@ void net_ifprint(int scan) {
                                 sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac));
 
                         // print
-                        printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
+                        fmessage("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
                                 ifa->ifa_name, macstr, ipstr, maskstr, status);
 
                         // network scanning
@@ -238,7 +240,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
                 errExit("socket");
 
         memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
 
         if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)
@@ -258,7 +260,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
 
         struct ifreq ifr;
         memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_addr.sa_family = AF_INET;
 
         ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
@@ -292,7 +294,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) {
                 errExit("socket");
 
         memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
         memcpy(ifr.ifr_hwaddr.sa_data, mac, 6);
 
@@ -350,7 +352,7 @@ void net_if_ip6(const char *ifname, const char *addr6) {
         // find interface index
         struct ifreq ifr;
         memset(&ifr, 0, sizeof(ifr));
-        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
         ifr.ifr_addr.sa_family = AF_INET;
         if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) {
                 perror("ioctl SIOGIFINDEX");
@@ -370,3 +372,129 @@ void net_if_ip6(const char *ifname, const char *addr6) {
 
         close(sock);
 }
+
+static int net_netlink_address_tentative(struct nlmsghdr *current_header) {
+        struct ifaddrmsg *msg = NLMSG_DATA(current_header);
+        int has_flags = 0;
+#ifdef IFA_FLAGS
+        struct rtattr *rta = IFA_RTA(msg);
+        size_t msg_len = IFA_PAYLOAD(current_header);
+        while (RTA_OK(rta, msg_len)) {
+                if (rta->rta_type == IFA_FLAGS) {
+                        has_flags = 1;
+                        uint32_t *flags = RTA_DATA(rta);
+                        if (*flags & IFA_F_TENTATIVE)
+                                return 1;
+                }
+                rta = RTA_NEXT(rta, msg_len);
+        }
+#endif
+        // According to <linux/if_addr.h>, if an IFA_FLAGS attribute is present,
+        // the field ifa_flags should be ignored.
+        return !has_flags && (msg->ifa_flags & IFA_F_TENTATIVE);
+}
+
+static int net_netlink_if_has_ll(int sock, uint32_t index) {
+        struct {
+                struct nlmsghdr header;
+                struct ifaddrmsg message;
+        } req;
+        memset(&req, 0, sizeof(req));
+        req.header.nlmsg_len = NLMSG_LENGTH(sizeof(req.message));
+        req.header.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
+        req.header.nlmsg_type = RTM_GETADDR;
+        req.message.ifa_family = AF_INET6;
+        if (send(sock, &req, req.header.nlmsg_len, 0) != req.header.nlmsg_len)
+                errExit("send");
+
+        int found = 0;
+        int all_parts_processed = 0;
+        while (!all_parts_processed) {
+                char buf[16384];
+                ssize_t len = recv(sock, buf, sizeof(buf), 0);
+                if (len < 0)
+                        errExit("recv");
+                if (len < (ssize_t) sizeof(struct nlmsghdr)) {
+                        fprintf(stderr, "Received incomplete netlink message\n");
+                        exit(1);
+                }
+
+                struct nlmsghdr *current_header = (struct nlmsghdr *) buf;
+                while (NLMSG_OK(current_header, len)) {
+                        switch (current_header->nlmsg_type) {
+                        case RTM_NEWADDR: {
+                                struct ifaddrmsg *msg = NLMSG_DATA(current_header);
+                                if (!found && msg->ifa_index == index && msg->ifa_scope == RT_SCOPE_LINK &&
+                                                !net_netlink_address_tentative(current_header))
+                                        found = 1;
+                        }
+                                break;
+                        case NLMSG_NOOP:
+                                break;
+                        case NLMSG_DONE:
+                                all_parts_processed = 1;
+                                break;
+                        case NLMSG_ERROR: {
+                                struct nlmsgerr *err = NLMSG_DATA(current_header);
+                                fprintf(stderr, "Netlink error: %d\n", err->error);
+                                exit(1);
+                        }
+                                break;
+                        default:
+                                fprintf(stderr, "Unknown netlink message type: %u\n", current_header->nlmsg_type);
+                                exit(1);
+                                break;
+                        }
+
+                        current_header = NLMSG_NEXT(current_header, len);
+                }
+        }
+
+        return found;
+}
+
+// wait for a link-local IPv6 address for DHCPv6
+// ex: firejail --net=br0 --ip6=dhcp
+void net_if_waitll(const char *ifname) {
+        // find interface index
+        int inet6_sock = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
+        if (inet6_sock < 0) {
+                fprintf(stderr, "Error fnet: IPv6 is not supported on this system\n");
+                exit(1);
+        }
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
+        ifr.ifr_addr.sa_family = AF_INET;
+        if (ioctl(inet6_sock, SIOGIFINDEX, &ifr) < 0) {
+                perror("ioctl SIOGIFINDEX");
+                exit(1);
+        }
+        close(inet6_sock);
+        if (ifr.ifr_ifindex < 0) {
+                fprintf(stderr, "Error fnet: interface index is negative\n");
+                exit(1);
+        }
+        uint32_t index = (uint32_t) ifr.ifr_ifindex;
+
+        // poll for link-local address
+        int netlink_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+        if (netlink_sock < 0)
+                errExit("socket");
+        int tries = 0;
+        int found = 0;
+        while (tries < 60 && !found) {
+                if (tries >= 1)
+                        usleep(500000);
+
+                found = net_netlink_if_has_ll(netlink_sock, index);
+
+                tries++;
+        }
+        close(netlink_sock);
+
+        if (!found) {
+                fprintf(stderr, "Waiting for link-local IPv6 address of %s timed out\n", ifname);
+                exit(1);
+        }
+}
diff --git a/src/fnet/main.c b/src/fnet/main.c
index f44760b5c..df8f7226c 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,8 +18,24 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fnet.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/utsname.h>
+
 int arg_quiet = 0;
 
+void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/firejail/util.c
+        if (arg_quiet)
+                return;
+
+        va_list args;
+        va_start(args,fmt);
+        vfprintf(stderr, fmt, args);
+        va_end(args);
+        fflush(0);
+}
+
+
 static void usage(void) {
         printf("Usage:\n");
         printf("\tfnet create veth dev1 dev2 bridge child\n");
@@ -29,8 +45,9 @@ static void usage(void) {
         printf("\tfnet printif scan\n");
         printf("\tfnet config interface dev ip mask mtu\n");
         printf("\tfnet config mac addr\n");
-        printf("\tfnet config ipv6 dev ipn");
-        printf("\tfmet ifup dev\n");
+        printf("\tfnet config ipv6 dev ip\n");
+        printf("\tfnet ifup dev\n");
+  printf("\tfnet waitll dev\n");
 }
 
 int main(int argc, char **argv) {
@@ -47,16 +64,18 @@ printf("\n");
                 usage();
                 return 1;
         }
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+
+        warn_dumpable();
 
         char *quiet = getenv("FIREJAIL_QUIET");
         if (quiet && strcmp(quiet, "yes") == 0)
                 arg_quiet = 1;
 
-        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
-                usage();
-                return 0;
-        }
-        else if (argc == 3 && strcmp(argv[1], "ifup") == 0) {
+        if (argc == 3 && strcmp(argv[1], "ifup") == 0) {
                 net_if_up(argv[2]);
         }
         else if (argc == 2 && strcmp(argv[1], "printif") == 0) {
@@ -74,7 +93,33 @@ printf("\n");
                 net_if_up(argv[3]);
         }
         else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
-                net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+                // use ipvlan for wireless devices
+                // ipvlan driver was introduced in Linux kernel 3.19
+
+                // check kernel version
+                struct utsname u;
+                int rv = uname(&u);
+                if (rv != 0)
+                        errExit("uname");
+                int major;
+                int minor;
+                if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                        fprintf(stderr, "Error fnet: cannot extract Linux kernel version: %s\n", u.version);
+                        exit(1);
+                }
+
+                if (major <= 3 && minor < 18)
+                        net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+                else {
+                        struct stat s;
+                        char *fname;
+                        if (asprintf(&fname, "/sys/class/net/%s/wireless", argv[4]) == -1)
+                                errExit("asprintf");
+                        if (stat(fname, &s) == 0) // wireless
+                                net_create_ipvlan(argv[3], argv[4], atoi(argv[5]));
+                        else // regular ethernet
+                                net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+                }
         }
         else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {
                 char *dev = argv[3];
@@ -99,6 +144,9 @@ printf("\n");
         else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "ipv6") == 0) {
                 net_if_ip6(argv[3], argv[4]);
         }
+  else if (argc == 3 && strcmp(argv[1], "waitll") == 0) {
+    net_if_waitll(argv[2]);
+  }
         else {
                 fprintf(stderr, "Error fnet: invalid arguments\n");
                 return 1;
diff --git a/src/fnet/veth.c b/src/fnet/veth.c
index d37c93a19..e09b1b1c5 100644
--- a/src/fnet/veth.c
+++ b/src/fnet/veth.c
@@ -3,10 +3,10 @@
  * Original source code:
  *
  * Information:
- *     http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
+ *     https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
  *
  * Download:
- *     http://www.kernel.org/pub/linux/utils/net/iproute2/
+ *     https://www.kernel.org/pub/linux/utils/net/iproute2/
  *
  * Repository:
  *     git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
@@ -26,7 +26,7 @@
  *
  */
  /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -50,6 +50,13 @@
 #include <linux/veth.h>
 #include <net/if.h>
 
+// Debian Jessie and distributions before that don't have support for IPVLAN
+// in /usr/include/linux/if_link.h. We only need a definition for IPVLAN_MODE_L2.
+// The kernel version detection happens at run time.
+#ifndef IFLA_IPVLAN_MAX
+#define IPVLAN_MODE_L2 0
+#endif
+
 struct iplink_req
 {
         struct nlmsghdr         n;
@@ -165,8 +172,66 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
         addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);
 
         data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
-//      req.n.nlmsg_len += sizeof(struct ifinfomsg);
+        linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
+
+        // send message
+        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
+                exit(2);
+
+        rtnl_close(&rth);
+
+        return 0;
+}
+
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid) {
+        int len;
+        struct iplink_req req;
+        assert(dev);
+        assert(parent);
+
+        if (rtnl_open(&rth, 0) < 0) {
+                fprintf(stderr, "cannot open netlink\n");
+                exit(1);
+        }
+
+        memset(&req, 0, sizeof(req));
+
+        req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+        req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;
+        req.n.nlmsg_type = RTM_NEWLINK;
+        req.i.ifi_family = 0;
 
+        // find parent ifindex
+        int parent_ifindex = if_nametoindex(parent);
+        if (parent_ifindex <= 0) {
+                fprintf(stderr, "Error: cannot find network device %s\n", parent);
+                exit(1);
+        }
+
+        // add parent
+        addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4);
+
+        // add new interface name
+        len = strlen(dev) + 1;
+        addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
+
+        // place the interface in child namespace
+        addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
+
+
+        // add  link info for the new interface
+        struct rtattr *linkinfo = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "ipvlan", strlen("ipvlan"));
+
+        // set macvlan bridge mode
+        struct rtattr * data = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
+        int macvlan_type = IPVLAN_MODE_L2;
+        addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 2);
+
+        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
+//      req.n.nlmsg_len += sizeof(struct ifinfomsg);
 
         data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
         linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
new file mode 100644
index 000000000..825262482
--- /dev/null
+++ b/src/fnetfilter/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: fnetfilter
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnetfilter: $(OBJS) ../lib/common.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
new file mode 100644
index 000000000..979f082d0
--- /dev/null
+++ b/src/fnetfilter/main.c
@@ -0,0 +1,212 @@
+ /*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "../include/common.h"
+
+#define MAXBUF 4098
+#define MAXARGS 16
+static char *args[MAXARGS] = {0};
+static int argcnt = 0;
+int arg_quiet = 0;
+
+
+static char *default_filter =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT ACCEPT [0:0]\n"
+"-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+"# echo replay is handled by -m state RELATED/ESTABLISHED above\n"
+"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
+"COMMIT\n";
+
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfnetfilter netfilter-command destination-file\n");
+}
+
+static void err_exit_cannot_open_file(const char *fname) {
+        fprintf(stderr, "Error fnetfilter: cannot open %s\n", fname);
+        exit(1);
+}
+
+
+static void copy(const char *src, const char *dest) {
+        FILE *fp1 = fopen(src, "r");
+        if (!fp1)
+                err_exit_cannot_open_file(src);
+
+        FILE *fp2 = fopen(dest, "w");
+        if (!fp2)
+                err_exit_cannot_open_file(dest);
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp1))
+                fprintf(fp2, "%s", buf);
+
+        fclose(fp1);
+        fclose(fp2);
+}
+
+static void process_template(char *src, const char *dest) {
+        char *arg_start = strchr(src, ',');
+        assert(arg_start);
+        *arg_start = '\0';
+        arg_start++;
+        if (*arg_start == '\0') {
+                fprintf(stderr, "Error fnetfilter: you need to provide at least one argument\n");
+                exit(1);
+        }
+
+        // extract the arguments from command line
+        char *token = strtok(arg_start, ",");
+        while (token) {
+                if (argcnt == MAXARGS) {
+                        fprintf(stderr, "Error fnetfilter: only up to %u arguments are supported\n", (unsigned) MAXARGS);
+                        exit(1);
+                }
+                // look for abnormal things
+                int len = strlen(token);
+                if (strcspn(token, "\\&!?\"'<>%^(){};,*[]") != (size_t)len) {
+                        fprintf(stderr, "Error fnetfilter: invalid argument in netfilter command\n");
+                        exit(1);
+                }
+                args[argcnt] = token;
+                argcnt++;
+                token = strtok(NULL, ",");
+        }
+#if 0
+{
+printf("argcnt %d\n", argcnt);
+int i;
+for (i = 0; i < argcnt; i++)
+        printf("%s\n", args[i]);
+}
+#endif
+
+        // open the files
+        FILE *fp1 = fopen(src, "r");
+        if (!fp1)
+                err_exit_cannot_open_file(src);
+
+        FILE *fp2 = fopen(dest, "w");
+        if (!fp2)
+                err_exit_cannot_open_file(dest);
+
+        int line = 0;
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp1)) {
+                line++;
+                char *ptr = buf;
+                while (*ptr != '\0') {
+                        if (*ptr != '$')
+                                fputc(*ptr, fp2);
+                        else {
+                                // parsing
+                                int index = 0;
+                                int rv = sscanf(ptr, "$ARG%d", &index) ;
+                                if (rv != 1) {
+                                        fprintf(stderr, "Error fnetfilter: invalid template argument on line %d\n", line);
+                                        exit(1);
+                                }
+
+                                // print argument
+                                if (index < 1 || index > argcnt) {
+                                        fprintf(stderr, "Error fnetfilter: $ARG%d on line %d was not defined\n", index, line);
+                                        exit(1);
+                                }
+                                fprintf(fp2, "%s", args[index - 1]);
+
+                                // march to the end of argument
+                                ptr += 4;
+                                while (isdigit(*ptr))
+                                        ptr++;
+                                ptr--;
+                        }
+                        ptr++;
+                }
+        }
+
+        fclose(fp1);
+        fclose(fp2);
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+
+        char *quiet = getenv("FIREJAIL_QUIET");
+        if (quiet && strcmp(quiet, "yes") == 0)
+                arg_quiet = 1;
+
+        if (argc > 1 && (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0)) {
+                usage();
+                return 0;
+        }
+
+        if (argc != 2 && argc != 3) {
+                usage();
+                return 1;
+        }
+
+        warn_dumpable();
+
+        char *destfile = (argc == 3)? argv[2]: argv[1];
+        char *command = (argc == 3)? argv[1]: NULL;
+//printf("command %s\n", command);
+//printf("destfile %s\n", destfile);
+        // destfile is a real filename
+        int len = strlen(destfile);
+        if (strcspn(destfile, "\\&!?\"'<>%^(){};,*[]") != (size_t)len)
+                err_exit_cannot_open_file(destfile);
+
+        // handle default config (command = NULL, destfile)
+        if (command == NULL) {
+                // create a default filter file
+                FILE *fp = fopen(destfile, "w");
+                if (!fp)
+                        err_exit_cannot_open_file(destfile);
+                fprintf(fp, "%s\n", default_filter);
+                fclose(fp);
+        }
+        else {
+                if (strrchr(command, ','))
+                        process_template(command, destfile);
+                else
+                        copy(command, destfile);
+        }
+
+        return 0;
+}
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
new file mode 100644
index 000000000..a2187e89c
--- /dev/null
+++ b/src/fsec-optimize/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: fsec-optimize
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h
new file mode 100644
index 000000000..fc9dd7db8
--- /dev/null
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FSEC_OPTIMIZE_H
+#define FSEC_OPTIMIZE_H
+#include "../include/common.h"
+#include "../include/seccomp.h"
+#include <sys/mman.h>
+
+// optimize.c
+struct sock_filter *duplicate(struct sock_filter *filter, int entries);
+int optimize(struct sock_filter * filter, int entries);
+
+#endif
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
new file mode 100644
index 000000000..84bf2d4f9
--- /dev/null
+++ b/src/fsec-optimize/main.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fsec_optimize.h"
+#include "../include/syscall.h"
+
+int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
+
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfsec-optimize file - optimize seccomp filter\n");
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+        if (argc != 2) {
+                usage();
+                return 1;
+        }
+
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) {
+                usage();
+                return 0;
+        }
+
+        warn_dumpable();
+
+        char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+        if (error_action) {
+                if (strcmp(error_action, "kill") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else if (strcmp(error_action, "log") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_LOG;
+                else {
+                        arg_seccomp_error_action = errno_find_name(error_action);
+                        if (arg_seccomp_error_action == -1)
+                                errExit("seccomp-error-action: unknown errno");
+                        arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+                }
+        }
+
+        char *fname = argv[1];
+
+        // open input file
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1)
+                goto errexit;
+
+        // calculate the number of entries
+        int size = lseek(fd, 0, SEEK_END);
+        if (size == -1) // todo: check maximum size of seccomp filter (4KB?)
+                goto errexit;
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
+
+        // read filter
+        struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+        if (filter == MAP_FAILED)
+                goto errexit;
+        close(fd);
+
+        // duplicate the filter memory and unmap the file
+        struct sock_filter *outfilter = duplicate(filter, entries);
+        if (munmap(filter, size) == -1)
+                perror("Error un-mmapping the file");
+
+        // optimize filter
+        entries = optimize(outfilter, entries);
+
+        // write the new file and free memory
+        fd = open(argv[1], O_WRONLY | O_TRUNC | O_CREAT, 0755);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot open output file\n");
+                return 1;
+        }
+        size = write(fd, outfilter, entries * sizeof(struct sock_filter));
+        if (size != (int) (entries * sizeof(struct sock_filter))) {
+                fprintf(stderr, "Error: cannot write output file\n");
+                return 1;
+        }
+        close(fd);
+        free(outfilter);
+
+        return 0;
+errexit:
+        if (fd != -1)
+                close(fd);
+        fprintf(stderr, "Error: cannot read %s\n", fname);
+        exit(1);
+
+}
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c
new file mode 100644
index 000000000..4c02de59d
--- /dev/null
+++ b/src/fsec-optimize/optimizer.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fsec_optimize.h"
+
+// From /usr/include/linux/filter.h
+//struct sock_filter {  /* Filter block */
+//      __u16   code;   /* Actual filter code */
+//      __u8    jt;     /* Jump true */
+//      __u8    jf;     /* Jump false */
+//      __u32   k;      /* Generic multiuse field */
+//};
+
+
+#define LIMIT_BLACKLISTS 4      // we optimize blacklists only if we have more than
+
+static inline int is_blacklist(struct sock_filter *bpf) {
+        if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K &&
+            (bpf + 1)->code == BPF_RET + BPF_K &&
+            (bpf + 1)->k == (__u32)arg_seccomp_error_action)
+                return 1;
+        return 0;
+}
+
+static int count_blacklists(struct sock_filter *filter, int entries) {
+        int cnt = 0;
+        int i;
+
+        for (i = 0; i < (entries - 1); i++, filter++) { // is_blacklist works on two consecutive lines; using entries - 1
+                if (is_blacklist(filter))
+                        cnt++;
+        }
+
+        return cnt;
+}
+
+typedef struct {
+        int to_remove;
+        int to_fix_jumps;
+} Action;
+
+static int optimize_blacklists(struct sock_filter *filter, int entries) {
+        assert(entries);
+        assert(filter);
+        int i;
+        int j;
+
+        // step1: extract information
+        Action action[entries];
+        memset(&action[0], 0, sizeof(Action) * entries);
+        int remove_cnt = 0;
+        for (i = 0; i < (entries - 1); i++) { // is_blacklist works on two consecutive lines; using entries - 1
+                if (is_blacklist(filter + i)) {
+                        action[i]. to_fix_jumps = 1;
+                        i++;
+                        action[i].to_remove = 1;
+                        remove_cnt++;
+                }
+        }
+
+        // step2: remove lines
+        struct sock_filter *filter_step2 = duplicate(filter, entries);
+        Action action_step2[entries];
+        memset(&action_step2[0], 0, sizeof(Action) * entries);
+        for (i = 0, j = 0; i < entries; i++) {
+                if (!action[i].to_remove) {
+                        memcpy(&filter_step2[j], &filter[i], sizeof(struct sock_filter));
+                        memcpy(&action_step2[j], &action[i], sizeof(Action));
+                        j++;
+                }
+                else {
+                        // do nothing, we are removing this line
+                }
+        }
+
+        // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries
+        filter_step2[j].code = BPF_RET + BPF_K;
+        filter_step2[j].k = arg_seccomp_error_action;
+        entries = j + 1;
+
+        // step 4: recalculate jumps
+        for (i = 0; i < entries; i++) {
+                if (action_step2[i].to_fix_jumps) {
+                        filter_step2[i].jt = entries - i - 2;
+                        filter_step2[i].jf = 0;
+                }
+        }
+
+        // update
+        memcpy(filter, filter_step2, entries * sizeof(struct sock_filter));
+        free(filter_step2);
+        return entries;
+}
+
+int optimize(struct sock_filter *filter, int entries) {
+        assert(filter);
+        assert(entries);
+
+        //**********************************
+        // optimize blacklist statements
+        //**********************************
+        // count "ret KILL"
+        int cnt = count_blacklists(filter, entries);
+        if (cnt > LIMIT_BLACKLISTS)
+                entries = optimize_blacklists(filter, entries);
+        return entries;
+}
+
+struct sock_filter *duplicate(struct sock_filter *filter, int entries) {
+        int len = sizeof(struct sock_filter) * entries;
+        struct sock_filter *rv = malloc(len);
+        if (!rv) {
+                errExit("malloc");
+                exit(1);
+        }
+
+        memcpy(rv, filter, len);
+        return rv;
+}
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
new file mode 100644
index 000000000..824fb5daf
--- /dev/null
+++ b/src/fsec-print/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: fsec-print
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/libpostexecseccomp/libpostexecseccomp.h b/src/fsec-print/fsec_print.h
index c4aca540a..75a82c11a 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.h
+++ b/src/fsec-print/fsec_print.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,9 +17,14 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#ifndef LIBPOSTEXECSECCOMP_H
-#define LIBPOSTEXECSECCOMP_H
+#ifndef FSEC_PRINT_H
+#define FSEC_PRINT_H
+#include "../include/common.h"
+#include "../include/seccomp.h"
+#include "../include/syscall.h"
+#include <sys/mman.h>
 
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp.postexec"
+// print.c
+void print(struct sock_filter *filter, int entries);
 
 #endif
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
new file mode 100644
index 000000000..5bca93d50
--- /dev/null
+++ b/src/fsec-print/main.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fsec_print.h"
+
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfsec-print file - disassemble seccomp filter\n");
+}
+
+int arg_quiet = 0;
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+//system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+        if (argc != 2) {
+                usage();
+                return 1;
+        }
+
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) {
+                usage();
+                return 0;
+        }
+
+        warn_dumpable();
+
+        char *fname = argv[1];
+
+        // open input file
+        int fd = open(fname, O_RDONLY);
+        if (fd == -1)
+                goto errexit;
+
+        // calculate the number of entries
+        int size = lseek(fd, 0, SEEK_END);
+        if (size == -1) // todo: check maximum size of seccomp filter (4KB?)
+                goto errexit;
+        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
+
+        // read filter
+        struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+        if (filter == MAP_FAILED)
+                goto errexit;
+
+
+        // print filter
+        print(filter, entries);
+
+        // free mapped memory
+        if (munmap(filter, size) == -1)
+                perror("Error un-mmapping the file");
+
+        // close file
+        close(fd);
+        return 0;
+errexit:
+        if (fd != -1)
+                close(fd);
+        fprintf(stderr, "Error: cannot read %s\n", fname);
+        exit(1);
+
+}
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
new file mode 100644
index 000000000..143a7a53e
--- /dev/null
+++ b/src/fsec-print/print.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *
+ *
+ * Parts of this code was lifted from libseccomp project, license LGPL 2.1.
+ * This is the original copyright notice in libseccomp code:
+ *
+ *
+ *
+ * BPF Disassembler
+ *
+ * Copyright (c) 2012 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ *
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <https://www.gnu.org/licenses>.
+ */
+
+#include "fsec_print.h"
+
+// From /usr/include/linux/filter.h
+//struct sock_filter {  /* Filter block */
+//      __u16   code;   /* Actual filter code */
+//      __u8    jt;     /* Jump true */
+//      __u8    jf;     /* Jump false */
+//      __u32   k;      /* Generic multiuse field */
+//};
+
+
+static const char *bpf_decode_op(const struct sock_filter *bpf) {
+        switch (bpf->code) {
+        case BPF_LD+BPF_W+BPF_IMM:
+        case BPF_LD+BPF_W+BPF_ABS:
+        case BPF_LD+BPF_W+BPF_IND:
+        case BPF_LD+BPF_W+BPF_MEM:
+        case BPF_LD+BPF_W+BPF_LEN:
+        case BPF_LD+BPF_W+BPF_MSH:
+                return "ld";
+        case BPF_LD+BPF_H+BPF_IMM:
+        case BPF_LD+BPF_H+BPF_ABS:
+        case BPF_LD+BPF_H+BPF_IND:
+        case BPF_LD+BPF_H+BPF_MEM:
+        case BPF_LD+BPF_H+BPF_LEN:
+        case BPF_LD+BPF_H+BPF_MSH:
+                return "ldh";
+        case BPF_LD+BPF_B+BPF_IMM:
+        case BPF_LD+BPF_B+BPF_ABS:
+        case BPF_LD+BPF_B+BPF_IND:
+        case BPF_LD+BPF_B+BPF_MEM:
+        case BPF_LD+BPF_B+BPF_LEN:
+        case BPF_LD+BPF_B+BPF_MSH:
+                return "ldb";
+        case BPF_LDX+BPF_W+BPF_IMM:
+        case BPF_LDX+BPF_W+BPF_ABS:
+        case BPF_LDX+BPF_W+BPF_IND:
+        case BPF_LDX+BPF_W+BPF_MEM:
+        case BPF_LDX+BPF_W+BPF_LEN:
+        case BPF_LDX+BPF_W+BPF_MSH:
+        case BPF_LDX+BPF_H+BPF_IMM:
+        case BPF_LDX+BPF_H+BPF_ABS:
+        case BPF_LDX+BPF_H+BPF_IND:
+        case BPF_LDX+BPF_H+BPF_MEM:
+        case BPF_LDX+BPF_H+BPF_LEN:
+        case BPF_LDX+BPF_H+BPF_MSH:
+        case BPF_LDX+BPF_B+BPF_IMM:
+        case BPF_LDX+BPF_B+BPF_ABS:
+        case BPF_LDX+BPF_B+BPF_IND:
+        case BPF_LDX+BPF_B+BPF_MEM:
+        case BPF_LDX+BPF_B+BPF_LEN:
+        case BPF_LDX+BPF_B+BPF_MSH:
+                return "ldx";
+        case BPF_ST:
+                return "st";
+        case BPF_STX:
+                return "stx";
+        case BPF_ALU+BPF_ADD+BPF_K:
+        case BPF_ALU+BPF_ADD+BPF_X:
+                return "add";
+        case BPF_ALU+BPF_SUB+BPF_K:
+        case BPF_ALU+BPF_SUB+BPF_X:
+                return "sub";
+        case BPF_ALU+BPF_MUL+BPF_K:
+        case BPF_ALU+BPF_MUL+BPF_X:
+                return "mul";
+        case BPF_ALU+BPF_DIV+BPF_K:
+        case BPF_ALU+BPF_DIV+BPF_X:
+                return "div";
+        case BPF_ALU+BPF_OR+BPF_K:
+        case BPF_ALU+BPF_OR+BPF_X:
+                return "or";
+        case BPF_ALU+BPF_AND+BPF_K:
+        case BPF_ALU+BPF_AND+BPF_X:
+                return "and";
+        case BPF_ALU+BPF_LSH+BPF_K:
+        case BPF_ALU+BPF_LSH+BPF_X:
+                return "lsh";
+        case BPF_ALU+BPF_RSH+BPF_K:
+        case BPF_ALU+BPF_RSH+BPF_X:
+                return "rsh";
+        case BPF_ALU+BPF_NEG+BPF_K:
+        case BPF_ALU+BPF_NEG+BPF_X:
+                return "neg";
+        case BPF_ALU+BPF_MOD+BPF_K:
+        case BPF_ALU+BPF_MOD+BPF_X:
+                return "mod";
+        case BPF_ALU+BPF_XOR+BPF_K:
+        case BPF_ALU+BPF_XOR+BPF_X:
+                return "xor";
+        case BPF_JMP+BPF_JA+BPF_K:
+        case BPF_JMP+BPF_JA+BPF_X:
+                return "jmp";
+        case BPF_JMP+BPF_JEQ+BPF_K:
+        case BPF_JMP+BPF_JEQ+BPF_X:
+                return "jeq";
+        case BPF_JMP+BPF_JGT+BPF_K:
+        case BPF_JMP+BPF_JGT+BPF_X:
+                return "jgt";
+        case BPF_JMP+BPF_JGE+BPF_K:
+        case BPF_JMP+BPF_JGE+BPF_X:
+                return "jge";
+        case BPF_JMP+BPF_JSET+BPF_K:
+        case BPF_JMP+BPF_JSET+BPF_X:
+                return "jset";
+        case BPF_RET+BPF_K:
+        case BPF_RET+BPF_X:
+        case BPF_RET+BPF_A:
+                return "ret";
+        case BPF_MISC+BPF_TAX:
+                return "tax";
+        case BPF_MISC+BPF_TXA:
+                return "txa";
+        }
+        return "???";
+}
+
+static void bpf_decode_action(uint32_t k) {
+        uint32_t act = k & SECCOMP_RET_ACTION;
+        uint32_t data = k & SECCOMP_RET_DATA;
+
+        switch (act) {
+        case SECCOMP_RET_KILL:
+                printf("KILL");
+                break;
+        case SECCOMP_RET_TRAP:
+                printf("TRAP");
+                break;
+        case SECCOMP_RET_ERRNO:
+                printf("ERRNO(%u)", data);
+                break;
+        case SECCOMP_RET_TRACE:
+                printf("TRACE(%u)", data);
+                break;
+        case SECCOMP_RET_LOG:
+                printf("LOG");
+                break;
+        case SECCOMP_RET_ALLOW:
+                printf("ALLOW");
+                break;
+        default:
+                printf("0x%.8x", k);
+        }
+}
+
+
+// implementing a simple state machine around accumulator
+// in order to translate the syscall number
+int syscall_loaded = 0;
+int native_arch = 0;
+
+static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) {
+        switch (BPF_CLASS(bpf->code)) {
+        case BPF_LD:
+        case BPF_LDX:
+                switch (BPF_MODE(bpf->code)) {
+                case BPF_ABS:
+                        syscall_loaded = 0;
+                        if (bpf->k == offsetof(struct seccomp_data, arch))
+                                printf("data.architecture");
+                        else if (bpf->k == offsetof(struct seccomp_data, nr)) {
+                                printf("data.syscall-number");
+                                syscall_loaded = 1;
+                        }
+                        else if (bpf->k == offsetof(struct seccomp_data, instruction_pointer))
+                                printf("data.instruction_pointer");
+                        else {
+                                int index = bpf->k - offsetof(struct seccomp_data, args);
+                                printf("data.args[%x]", index);
+                        }
+                        break;
+                case BPF_MEM:
+                        printf("$temp[%u]", bpf->k);
+                        break;
+                case BPF_IMM:
+                        printf("%x", bpf->k);
+                        break;
+                case BPF_IND:
+                        printf("$data[X + %x]", bpf->k);
+                        break;
+                case BPF_LEN:
+                        printf("len($data)");
+                        break;
+                case BPF_MSH:
+                        printf("4 * $data[%x] & 0x0f", bpf->k);
+                        break;
+                }
+                break;
+        case BPF_ST:
+        case BPF_STX:
+                printf("$temp[%u]", bpf->k);
+                break;
+        case BPF_ALU:
+                if (BPF_SRC(bpf->code) == BPF_K) {
+                        switch (BPF_OP(bpf->code)) {
+                        case BPF_OR:
+                        case BPF_AND:
+                                printf("%.8x", bpf->k);
+                                break;
+                        default:
+                                printf("%x", bpf->k);
+                        }
+                }
+                else
+                        printf("%u", bpf->k);
+                break;
+        case BPF_JMP:
+                if (BPF_OP(bpf->code) == BPF_JA) {
+                        printf("%.4x", (line + 1) + bpf->k);
+                }
+                else {
+                        const char *name = NULL;
+                        if (syscall_loaded && native_arch)
+                                name = syscall_find_nr(bpf->k);
+                        if (bpf->k == ARCH_32) {
+                                printf("ARCH_32 %.4x (false %.4x)",
+                                       (line + 1) + bpf->jt,
+                                       (line + 1) + bpf->jf);
+                                 native_arch = (ARCH_NR == ARCH_32)? 1: 0;
+                        }
+                        else if (bpf->k == ARCH_64) {
+                                printf("ARCH_64 %.4x (false %.4x)",
+                                       (line + 1) + bpf->jt,
+                                       (line + 1) + bpf->jf);
+                                 native_arch = (ARCH_NR == ARCH_64)? 1: 0;
+                        }
+                        else if (bpf->k == X32_SYSCALL_BIT)
+                                printf("X32_ABI %.4x (false %.4x)",
+                                       (line + 1) + bpf->jt,
+                                       (line + 1) + bpf->jf);
+                        else if (name)
+                                printf("%s %.4x (false %.4x)",
+                                       name,
+                                       (line + 1) + bpf->jt,
+                                       (line + 1) + bpf->jf);
+                        else
+                                printf("%x %.4x (false %.4x)",
+                                       bpf->k,
+                                       (line + 1) + bpf->jt,
+                                       (line + 1) + bpf->jf);
+                }
+                break;
+        case BPF_RET:
+                if (BPF_RVAL(bpf->code) == BPF_A) {
+                        /* XXX - accumulator? */
+                        printf("$acc");
+                }
+                else if (BPF_SRC(bpf->code) == BPF_K) {
+                        bpf_decode_action(bpf->k);
+                }
+                else if (BPF_SRC(bpf->code) == BPF_X) {
+                        /* XXX - any idea? */
+                        printf("???");
+                }
+                break;
+        case BPF_MISC:
+                break;
+        default:
+                printf("???");
+        }
+}
+
+void print(struct sock_filter *filter, int entries) {
+        int i;
+
+        /* header */
+        printf(" line  OP JT JF    K\n");
+        printf("=================================\n");
+        struct sock_filter *bpf = filter;
+        for (i = 0; i < entries; i++, bpf++) {
+
+                /* convert the bpf statement */
+//              bpf.code = ttoh16(arch, bpf.code);
+//              bpf.k = ttoh32(arch, bpf.k);
+
+                /* display a hex dump */
+                printf(" %.4x: %.2x %.2x %.2x %.8x",
+                       i, bpf->code, bpf->jt, bpf->jf, bpf->k);
+
+                /* display the assembler statements */
+                printf("   ");
+                printf("%-3s", bpf_decode_op(bpf));
+                printf(" ");
+                bpf_decode_args(bpf, i);
+
+                printf("\n");
+        }
+}
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index df4343d36..41abfce17 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -1,45 +1,17 @@
+.PHONY: all
 all: fseccomp
 
-CC=@CC@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-sysconfdir=@sysconfdir@
-
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_CHROOT=@HAVE_CHROOT@
-HAVE_BIND=@HAVE_BIND@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_NETWORK=@HAVE_NETWORK@
-HAVE_USERNS=@HAVE_USERNS@
-HAVE_X11=@HAVE_X11@
-HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
-HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
-HAVE_APPARMOR=@HAVE_APPARMOR@
-HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
-HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fseccomp: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
-clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index 2deb282f5..97eac9ed8 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,21 +24,11 @@
 #include <string.h>
 #include <assert.h>
 #include "../include/common.h"
+#include "../include/syscall.h"
 
 // main.c
 extern int arg_quiet;
 
-// syscall.c
-void syscall_print(void);
-int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg);
-const char *syscall_find_nr(int nr);
-void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist);
-
-// errno.c
-void errno_print(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-
 // protocol.c
 void protocol_print(void);
 void protocol_build_filter(const char *prlist, const char *fname);
@@ -49,25 +39,27 @@ void seccomp_secondary_32(const char *fname);
 void seccomp_secondary_block(const char *fname);
 
 // seccomp_file.c
-void write_to_file(int fd, const void *data, int size);
-void filter_init(int fd);
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_errno(int fd, int syscall, int arg, void *ptrarg);
+void write_to_file(int fd, const void *data, size_t size);
+void filter_init(int fd, bool native);
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
 void filter_end_blacklist(int fd);
 void filter_end_whitelist(int fd);
 
 // seccomp.c
 // default list
-void seccomp_default(const char *fname, int allow_debuggers);
+void seccomp_default(const char *fname, int allow_debuggers, bool native);
 // drop list
-void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // default+drop list
-void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // whitelisted filter
-void seccomp_keep(const char *fname1, const char *fname2, char *list);
+void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native);
 // block writable and executable memory
 void memory_deny_write_execute(const char *fname);
+void memory_deny_write_execute_32(const char *fname);
 
 // seccomp_print
 void filter_print(const char *fname);
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index ae0ae64ef..326c29a44 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,11 +18,14 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fseccomp.h"
+#include "../include/seccomp.h"
 int arg_quiet = 0;
+int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 
 static void usage(void) {
         printf("Usage:\n");
         printf("\tfseccomp debug-syscalls\n");
+        printf("\tfseccomp debug-syscalls32\n");
         printf("\tfseccomp debug-errnos\n");
         printf("\tfseccomp debug-protocols\n");
         printf("\tfseccomp protocol build list file\n");
@@ -31,13 +34,20 @@ static void usage(void) {
         printf("\tfseccomp secondary block file\n");
         printf("\tfseccomp default file\n");
         printf("\tfseccomp default file allow-debuggers\n");
+        printf("\tfseccomp default32 file\n");
+        printf("\tfseccomp default32 file allow-debuggers\n");
         printf("\tfseccomp drop file1 file2 list\n");
         printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
+        printf("\tfseccomp drop32 file1 file2 list\n");
+        printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n");
         printf("\tfseccomp default drop file1 file2 list\n");
         printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
+        printf("\tfseccomp default32 drop file1 file2 list\n");
+        printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n");
         printf("\tfseccomp keep file1 file2 list\n");
+        printf("\tfseccomp keep32 file1 file2 list\n");
         printf("\tfseccomp memory-deny-write-execute file\n");
-        printf("\tfseccomp print file\n");
+        printf("\tfseccomp memory-deny-write-execute.32 file\n");
 }
 
 int main(int argc, char **argv) {
@@ -54,47 +64,77 @@ printf("\n");
                 usage();
                 return 1;
         }
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+
+        warn_dumpable();
 
         char *quiet = getenv("FIREJAIL_QUIET");
         if (quiet && strcmp(quiet, "yes") == 0)
                 arg_quiet = 1;
 
-        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
-                usage();
-                return 0;
+        char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+        if (error_action) {
+                if (strcmp(error_action, "kill") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else if (strcmp(error_action, "log") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_LOG;
+                else {
+                        arg_seccomp_error_action = errno_find_name(error_action);
+                        if (arg_seccomp_error_action == -1)
+                                errExit("seccomp-error-action: unknown errno");
+                        arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+                }
         }
-        else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
+
+        if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
                 syscall_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0)
+                syscall_print_32();
         else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0)
                 errno_print();
         else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0)
                 protocol_print();
         else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0)
                 protocol_build_filter(argv[3], argv[4]);
-        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
-                seccomp_secondary_64(argv[3]);
         else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
                 seccomp_secondary_32(argv[3]);
         else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
                 seccomp_secondary_block(argv[3]);
         else if (argc == 3 && strcmp(argv[1], "default") == 0)
-                seccomp_default(argv[2], 0);
+                seccomp_default(argv[2], 0, true);
         else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
-                seccomp_default(argv[2], 1);
+                seccomp_default(argv[2], 1, true);
+        else if (argc == 3 && strcmp(argv[1], "default32") == 0)
+                seccomp_default(argv[2], 0, false);
+        else if (argc == 4 && strcmp(argv[1], "default32") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
+                seccomp_default(argv[2], 1, false);
         else if (argc == 5 && strcmp(argv[1], "drop") == 0)
-                seccomp_drop(argv[2], argv[3], argv[4], 0);
+                seccomp_drop(argv[2], argv[3], argv[4], 0, true);
         else if (argc == 6 && strcmp(argv[1], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
-                seccomp_drop(argv[2], argv[3], argv[4], 1);
+                seccomp_drop(argv[2], argv[3], argv[4], 1, true);
+        else if (argc == 5 && strcmp(argv[1], "drop32") == 0)
+                seccomp_drop(argv[2], argv[3], argv[4], 0, false);
+        else if (argc == 6 && strcmp(argv[1], "drop32") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
+                seccomp_drop(argv[2], argv[3], argv[4], 1, false);
         else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0)
-                seccomp_default_drop(argv[3], argv[4], argv[5], 0);
+                seccomp_default_drop(argv[3], argv[4], argv[5], 0, true);
         else if (argc == 7 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
-                seccomp_default_drop(argv[3], argv[4], argv[5], 1);
+                seccomp_default_drop(argv[3], argv[4], argv[5], 1, true);
+        else if (argc == 6 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0)
+                seccomp_default_drop(argv[3], argv[4], argv[5], 0, false);
+        else if (argc == 7 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
+                seccomp_default_drop(argv[3], argv[4], argv[5], 1, false);
         else if (argc == 5 && strcmp(argv[1], "keep") == 0)
-                seccomp_keep(argv[2], argv[3], argv[4]);
+                seccomp_keep(argv[2], argv[3], argv[4], true);
+        else if (argc == 5 && strcmp(argv[1], "keep32") == 0)
+                seccomp_keep(argv[2], argv[3], argv[4], false);
         else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
                 memory_deny_write_execute(argv[2]);
-        else if (argc == 3 && strcmp(argv[1], "print") == 0)
-                filter_print(argv[2]);
+        else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute.32") == 0)
+                memory_deny_write_execute_32(argv[2]);
         else {
                 fprintf(stderr, "Error fseccomp: invalid arguments\n");
                 return 1;
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 43bc3d562..48dda61dd 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -57,6 +57,7 @@ static char *protocol[] = {
         "inet6",
         "netlink",
         "packet",
+        "bluetooth",
         NULL
 };
 
@@ -66,7 +67,8 @@ static struct sock_filter protocol_filter_command[] = {
         WHITELIST(AF_INET),
         WHITELIST(AF_INET6),
         WHITELIST(AF_NETLINK),
-        WHITELIST(AF_PACKET)
+        WHITELIST(AF_PACKET),
+        WHITELIST(AF_BLUETOOTH)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized
@@ -122,30 +124,27 @@ void protocol_build_filter(const char *prlist, const char *fname) {
 
         // header
         struct sock_filter filter_start[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL,
-                ONLY(SYS_socket),
-                EXAMINE_ARGUMENT(0)
+#if defined __x86_64__
+                /* check for native arch */
+                BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1 + 2 + 1, 0),
+                /* i386 filter */
+                EXAMINE_SYSCALL, // 1
+                // checking SYS_socket only: filtering SYS_socketcall not possible with seccomp
+                ONLY(359), // 1 + 2
+                BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1
+#else
+#warning 32 bit protocol filter not implemented yet for your architecture
+#endif
+                VALIDATE_ARCHITECTURE, // 3
+                EXAMINE_SYSCALL, // 3 + 1
+                ONLY(SYS_socket), // 3 + 1 + 2
+
+                EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1
         };
         memcpy(ptr, &filter_start[0], sizeof(filter_start));
         ptr += sizeof(filter_start);
 
-#if 0
-printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
-#endif
-
-
         // parse list and add commands
         char *tmplist = strdup(prlist);
         if (!tmplist)
@@ -163,22 +162,6 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned
                 memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
                 ptr += whitelist_len * sizeof(struct sock_filter);
                 token = strtok(NULL, ",");
-
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
-
-
         }
         free(tmplist);
 
@@ -189,19 +172,6 @@ printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
         memcpy(ptr, &filter_end[0], sizeof(filter_end));
         ptr += sizeof(filter_end);
 
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
         // save filter to file
         int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index e14a473fe..99e671799 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -24,12 +24,12 @@
 #include <sys/syscall.h>
 #include <sys/types.h>
 
-static void add_default_list(int fd, int allow_debuggers) {
+static void add_default_list(int fd, int allow_debuggers, bool native) {
         int r;
         if (!allow_debuggers)
-                r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL);
+                r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL, native);
         else
-                r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL);
+                r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL, native);
 
         assert(r == 0);
 //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
@@ -46,7 +46,7 @@ static void add_default_list(int fd, int allow_debuggers) {
 }
 
 // default list
-void seccomp_default(const char *fname, int allow_debuggers) {
+void seccomp_default(const char *fname, int allow_debuggers, bool native) {
         assert(fname);
 
         // open file
@@ -57,8 +57,8 @@ void seccomp_default(const char *fname, int allow_debuggers) {
         }
 
         // build filter (no post-exec filter needed because default list is fine for us)
-        filter_init(fd);
-        add_default_list(fd, allow_debuggers);
+        filter_init(fd, native);
+        add_default_list(fd, allow_debuggers, native);
         filter_end_blacklist(fd);
 
         // close file
@@ -66,7 +66,7 @@ void seccomp_default(const char *fname, int allow_debuggers) {
 }
 
 // drop list
-void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
+void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native) {
         assert(fname1);
         assert(fname2);
         (void) allow_debuggers; // todo: to implemnet it
@@ -79,11 +79,15 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
         }
 
         // build pre-exec filter: don't blacklist any syscalls in @default-keep
-        filter_init(fd);
+        filter_init(fd, native);
+
+        // allow exceptions in form of !syscall
+        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL, native);
+
         char *prelist, *postlist;
-        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
+        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist, native);
         if (prelist)
-                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
+                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL, native)) {
                         fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                         exit(1);
                 }
@@ -102,8 +106,8 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
         }
 
         // build post-exec filter: blacklist remaining syscalls
-        filter_init(fd);
-        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
+        filter_init(fd, native);
+        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL, native)) {
                 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                 exit(1);
         }
@@ -114,7 +118,7 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
 }
 
 // default+drop
-void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
+void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native) {
         assert(fname1);
         assert(fname2);
 
@@ -127,12 +131,16 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 
         // build pre-exec filter: blacklist @default, don't blacklist
         // any listed syscalls in @default-keep
-        filter_init(fd);
-        add_default_list(fd, allow_debuggers);
+        filter_init(fd, native);
+
+        // allow exceptions in form of !syscall
+        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL, native);
+
+        add_default_list(fd, allow_debuggers, native);
         char *prelist, *postlist;
-        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
+        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist, native);
         if (prelist)
-                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
+                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL, native)) {
                         fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                         exit(1);
                 }
@@ -152,8 +160,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
         }
 
         // build post-exec filter: blacklist remaining syscalls
-        filter_init(fd);
-        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
+        filter_init(fd, native);
+        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL, native)) {
                 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                 exit(1);
         }
@@ -163,9 +171,9 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
         close(fd);
 }
 
-void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native) {
         (void) fname2;
-        
+
         // open file for pre-exec filter
         int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (fd < 0) {
@@ -174,13 +182,17 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
         }
 
         // build pre-exec filter: whitelist also @default-keep
-        filter_init(fd);
+        filter_init(fd, native);
+
+        // allow exceptions in form of !syscall
+        syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL, native);
+
         // these syscalls are used by firejail after the seccomp filter is initialized
         int r;
-        r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);
+        r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL, native);
         assert(r == 0);
 
-        if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
+        if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL, native)) {
                 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                 exit(1);
         }
@@ -194,6 +206,15 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 #if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__)
 # define filter_syscall SYS_mmap
 # undef block_syscall
+#if defined(__x86_64__)
+// i386 syscalls
+# define filter_syscall_32 192
+# define block_syscall_32 90
+# define mprotect_32 125
+# define pkey_mprotect_32 380
+# define shmat_32 397
+# define memfd_create_32 356
+#endif
 #elif defined(__i386__)
 # define filter_syscall SYS_mmap2
 # define block_syscall SYS_mmap
@@ -204,6 +225,12 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 # warning "Platform does not support seccomp memory-deny-write-execute filter yet"
 # undef filter_syscall
 # undef block_syscall
+# undef filter_syscall_32
+# undef block_syscall_32
+# undef mprotect_32
+# undef pkey_mprotect_32
+# undef shmat_32
+# undef memfd_create_32
 #endif
 
 void memory_deny_write_execute(const char *fname) {
@@ -214,10 +241,10 @@ void memory_deny_write_execute(const char *fname) {
                 exit(1);
         }
 
-        filter_init(fd);
+        filter_init(fd, true);
 
         // build filter
-        static const struct sock_filter filter[] = {
+        struct sock_filter filter[] = {
 #ifdef block_syscall
                 // block old multiplexing mmap syscall for i386
                 BLACKLIST(block_syscall),
@@ -228,7 +255,7 @@ void memory_deny_write_execute(const char *fname) {
                 EXAMINE_ARGUMENT(2),
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW,
 #endif
 
@@ -237,9 +264,19 @@ void memory_deny_write_execute(const char *fname) {
                 EXAMINE_ARGUMENT(2),
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW,
 
+                // same for pkey_mprotect(,,PROT_EXEC), where available
+#ifdef SYS_pkey_mprotect
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_pkey_mprotect, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+
 // shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
                 // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
@@ -247,7 +284,15 @@ void memory_deny_write_execute(const char *fname) {
                 EXAMINE_ARGUMENT(2),
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+#ifdef SYS_memfd_create
+                // block memfd_create as it can be used to create
+                // arbitrary memory contents which can be later mapped
+                // as executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW
 #endif
         };
@@ -258,3 +303,75 @@ void memory_deny_write_execute(const char *fname) {
         // close file
         close(fd);
 }
+
+void memory_deny_write_execute_32(const char *fname) {
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+
+        filter_init(fd, false);
+
+        // build filter
+        struct sock_filter filter[] = {
+#if defined(__x86_64__)
+#ifdef block_syscall_32
+                // block old multiplexing mmap syscall for i386
+                BLACKLIST(block_syscall_32),
+#endif
+#ifdef filter_syscall_32
+                // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+#ifdef mprotect_32
+                // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, mprotect_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+#ifdef pkey_mprotect_32
+                // same for pkey_mprotect(,,PROT_EXEC), where available
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, pkey_mprotect_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+
+#ifdef shmat_32
+                // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, shmat_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+#ifdef memfd_create_32
+                // block memfd_create as it can be used to create
+                // arbitrary memory contents which can be later mapped
+                // as executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, memfd_create_32, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+#endif
+#endif
+                RETURN_ALLOW
+        };
+        write_to_file(fd, filter, sizeof(filter));
+
+        filter_end_blacklist(fd);
+
+        // close file
+        close(fd);
+}
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index 2d5ee115d..846c7f335 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -21,11 +21,11 @@
 #include "../include/seccomp.h"
 #include <sys/syscall.h>
 
-void write_to_file(int fd, const void *data, int size) {
+void write_to_file(int fd, const void *data, size_t size) {
         assert(data);
         assert(size);
 
-        int written = 0;
+        size_t written = 0;
         while (written < size) {
                 int rv = write(fd, (unsigned char *) data + written, size - written);
                 if (rv == -1) {
@@ -36,8 +36,8 @@ void write_to_file(int fd, const void *data, int size) {
         }
 }
 
-void filter_init(int fd) {
-        struct sock_filter filter[] = {
+void filter_init(int fd, bool native) {
+        struct sock_filter filter_native[] = {
                 VALIDATE_ARCHITECTURE,
 #if defined(__x86_64__)
                 EXAMINE_SYSCALL,
@@ -46,6 +46,10 @@ void filter_init(int fd) {
                 EXAMINE_SYSCALL
 #endif
         };
+        struct sock_filter filter_32[] = {
+                VALIDATE_ARCHITECTURE_32,
+                EXAMINE_SYSCALL
+        };
 
 #if 0
 {
@@ -57,31 +61,85 @@ void filter_init(int fd) {
 }
 #endif
 
-        write_to_file(fd, filter, sizeof(filter));
+        if (native)
+                write_to_file(fd, filter_native, sizeof(filter_native));
+        else
+                write_to_file(fd, filter_32, sizeof(filter_32));
 }
 
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
-        (void) arg;
-        (void) ptrarg;
-
+static void write_whitelist(int fd, int syscall) {
         struct sock_filter filter[] = {
                 WHITELIST(syscall)
         };
         write_to_file(fd, filter, sizeof(filter));
 }
 
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
-        (void) arg;
-        (void) ptrarg;
-
+static void write_blacklist(int fd, int syscall) {
         struct sock_filter filter[] = {
                 BLACKLIST(syscall)
         };
         write_to_file(fd, filter, sizeof(filter));
 }
 
-void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) {
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) arg;
         (void) ptrarg;
+        (void) native;
+
+        if (syscall >= 0) {
+                write_whitelist(fd, syscall);
+        }
+}
+
+// handle seccomp list exceptions (seccomp x,y,!z)
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+
+        if (syscall < 0) {
+                write_whitelist(fd, -syscall);
+        }
+}
+
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+
+        if (syscall >= 0) {
+                write_blacklist(fd, syscall);
+        }
+}
+
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+
+        if (syscall >= 0) {
+                int saved_error_action = arg_seccomp_error_action;
+                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                write_blacklist(fd, syscall);
+                arg_seccomp_error_action = saved_error_action;
+        }
+}
+
+// handle seccomp list exceptions (seccomp x,y,!z)
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+
+        if (syscall < 0) {
+                write_blacklist(fd, -syscall);
+        }
+}
+
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) ptrarg;
+        (void) native;
+
         struct sock_filter filter[] = {
                 BLACKLIST_ERRNO(syscall, arg)
         };
@@ -97,7 +155,7 @@ void filter_end_blacklist(int fd) {
 
 void filter_end_whitelist(int fd) {
         struct sock_filter filter[] = {
-                KILL_PROCESS
+                KILL_OR_RETURN_ERRNO
         };
         write_to_file(fd, filter, sizeof(filter));
 }
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
deleted file mode 100644
index e8df2bda5..000000000
--- a/src/fseccomp/seccomp_print.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "fseccomp.h"
-#include "../include/seccomp.h"
-#include <sys/syscall.h>
-
-static struct sock_filter *filter = NULL;
-static int filter_cnt = 0;
-
-static void load_seccomp(const char *fname) {
-        assert(fname);
-
-        // open filter file
-        int fd = open(fname, O_RDONLY);
-        if (fd == -1)
-                goto errexit;
-
-        // calculate the number of entries
-        int size = lseek(fd, 0, SEEK_END);
-        if (size == -1)
-                goto errexit;
-        if (lseek(fd, 0 , SEEK_SET) == -1)
-                goto errexit;
-        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
-        filter_cnt = entries;
-
-        // read filter
-        filter = malloc(size);
-        if (filter == NULL)
-                goto errexit;
-        memset(filter, 0, size);
-        int rd = 0;
-        while (rd < size) {
-                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-                if (rv == -1)
-                        goto errexit;
-                rd += rv;
-        }
-
-        // close file
-        close(fd);
-        return;
-
-errexit:
-        fprintf(stderr, "Error fseccomp: cannot read %s\n", fname);
-        exit(1);
-}
-
-static int detect_filter_type(void) {
-        // the filter ishould already be load in filter variable
-        assert(filter);
-
-        printf("SECCOMP Filter\n");
-        
-        // testing for main seccomp filter, protocol, mdwe - platform architecture
-        const struct sock_filter start_main[] = {
-                VALIDATE_ARCHITECTURE,
-#if defined(__x86_64__)
-                EXAMINE_SYSCALL,
-                HANDLE_X32
-#else
-                EXAMINE_SYSCALL
-#endif
-        };
-        
-        if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE\n");
-                printf("  EXAMINE_SYSCALL\n");
-#if defined(__x86_64__)
-                printf("  HANDLE_X32\n");
-#endif
-                return sizeof(start_main) / sizeof(struct sock_filter);
-        }
-        
-        
-        // testing for secondary 64 bit filter
-        const struct sock_filter start_secondary_64[] = {
-                VALIDATE_ARCHITECTURE_64,
-                EXAMINE_SYSCALL,
-        };
-        
-        if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE_64\n");
-                printf("  EXAMINE_SYSCALL\n");
-                return sizeof(start_secondary_64) / sizeof(struct sock_filter);
-        }
-        
-        // testing for secondary 32 bit filter
-        const struct sock_filter start_secondary_32[] = {
-                VALIDATE_ARCHITECTURE_32,
-                EXAMINE_SYSCALL,
-        };
-        
-        if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE_32\n");
-                printf("  EXAMINE_SYSCALL\n");
-                return sizeof(start_secondary_32) / sizeof(struct sock_filter);
-        }
-
-        const struct sock_filter start_secondary_block[] = {
-                VALIDATE_ARCHITECTURE_KILL,
-#if defined(__x86_64__)
-                EXAMINE_SYSCALL,
-                HANDLE_X32_KILL,
-#else
-                EXAMINE_SYSCALL
-#endif
-        };
-
-        if (memcmp(&start_secondary_block[0], filter, sizeof(start_secondary_block)) == 0) {
-                printf("  VALIDATE_ARCHITECTURE_KILL\n");
-                printf("  EXAMINE_SYSCALL\n");
-#if defined(__x86_64__)
-                printf("  HANDLE_X32_KILL\n");
-#endif
-                return sizeof(start_secondary_block) / sizeof(struct sock_filter);
-        }
-        
-        return 0; // filter unrecognized
-}
-
-// debug filter
-void filter_print(const char *fname) {
-        assert(fname);
-        load_seccomp(fname);
-
-        int i = detect_filter_type();
-        if (i == 0) {
-                printf("Invalid seccomp filter %s\n", fname);
-                return;
-        }
-        
-        // loop trough the rest of commands
-        while (i < filter_cnt) {
-                // minimal parsing!
-                struct sock_filter *s = (struct sock_filter *) &filter[i];
-                if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_ALLOW ) {
-                        printf("  WHITELIST %d %s\n", s->k, syscall_find_nr(s->k));
-                        i += 2;
-                }
-                else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && (s + 1)->k == SECCOMP_RET_KILL ) {
-                        printf("  BLACKLIST %d %s\n", s->k, syscall_find_nr(s->k));
-                        i += 2;
-                }
-                else if (s->code == BPF_JMP+BPF_JEQ+BPF_K && (s + 1)->code == BPF_RET+BPF_K && ((s + 1)->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
-                        printf("  BLACKLIST_ERRNO %d %s %d %s\n", s->k, syscall_find_nr(s->k), (s + 1)->k & SECCOMP_RET_DATA, errno_find_nr((s + 1)->k & SECCOMP_RET_DATA));
-                        i += 2;
-                }
-                else if (s->code == BPF_RET+BPF_K && (s->k & ~SECCOMP_RET_DATA) == SECCOMP_RET_ERRNO) {
-                        printf("  RETURN_ERRNO %d %s\n", s->k & SECCOMP_RET_DATA, errno_find_nr(s->k & SECCOMP_RET_DATA));
-                        i++;
-                }
-                else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_KILL) {
-                        printf("  KILL_PROCESS\n");
-                        i++;
-                }
-                else if (s->code == BPF_RET+BPF_K && s->k == SECCOMP_RET_ALLOW) {
-                        printf("  RETURN_ALLOW\n");
-                        i++;
-                }
-                else {
-                        printf("  UNKNOWN ENTRY %x!\n", s->code);
-                        i++;
-                }
-        }
-}
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index da6a693e6..540892026 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -42,71 +42,6 @@ static void write_filter(const char *fname, size_t size, const void *filter) {
         close(dst);
 }
 
-void seccomp_secondary_64(const char *fname) {
-        // hardcoded syscall values
-        struct sock_filter filter[] = {
-                VALIDATE_ARCHITECTURE_64,
-                EXAMINE_SYSCALL,
-                BLACKLIST(165), // mount
-                BLACKLIST(166), // umount2
-// todo: implement --allow-debuggers
-                BLACKLIST(101), // ptrace
-                BLACKLIST(246), // kexec_load
-                BLACKLIST(304), // open_by_handle_at
-                BLACKLIST(303), // name_to_handle_at
-                BLACKLIST(174), // create_module
-                BLACKLIST(175), // init_module
-                BLACKLIST(313), // finit_module
-                BLACKLIST(176), // delete_module
-                BLACKLIST(172), // iopl
-                BLACKLIST(173), // ioperm
-                BLACKLIST(251), // ioprio_set
-                BLACKLIST(167), // swapon
-                BLACKLIST(168), // swapoff
-                BLACKLIST(103), // syslog
-                BLACKLIST(310), // process_vm_readv
-                BLACKLIST(311), // process_vm_writev
-                BLACKLIST(139), // sysfs
-                BLACKLIST(156), // _sysctl
-                BLACKLIST(159), // adjtimex
-                BLACKLIST(305), // clock_adjtime
-                BLACKLIST(212), // lookup_dcookie
-                BLACKLIST(298), // perf_event_open
-                BLACKLIST(300), // fanotify_init
-                BLACKLIST(312), // kcmp
-                BLACKLIST(248), // add_key
-                BLACKLIST(249), // request_key
-                BLACKLIST(250), // keyctl
-                BLACKLIST(134), // uselib
-                BLACKLIST(163), // acct
-                BLACKLIST(154), // modify_ldt
-                BLACKLIST(155), // pivot_root
-                BLACKLIST(206), // io_setup
-                BLACKLIST(207), // io_destroy
-                BLACKLIST(208), // io_getevents
-                BLACKLIST(209), // io_submit
-                BLACKLIST(210), // io_cancel
-                BLACKLIST(216), // remap_file_pages
-                BLACKLIST(237), // mbind
-// breaking Firefox nightly when playing youtube videos
-// TODO: test again when firefox sandbox is finally released
-//              BLACKLIST(239), // get_mempolicy
-                BLACKLIST(238), // set_mempolicy
-                BLACKLIST(256), // migrate_pages
-                BLACKLIST(279), // move_pages
-                BLACKLIST(278), // vmsplice
-                BLACKLIST(161), // chroot
-                BLACKLIST(184), // tuxcall
-                BLACKLIST(169), // reboot
-                BLACKLIST(180), // nfsservctl
-                BLACKLIST(177), // get_kernel_syms
-
-                RETURN_ALLOW
-        };
-
-        // save filter to file
-        write_filter(fname, sizeof(filter), filter);
-}
 
 // 32 bit arch filter installed on 64 bit architectures
 void seccomp_secondary_32(const char *fname) {
@@ -191,7 +126,7 @@ void seccomp_secondary_block(const char *fname) {
                 EXAMINE_SYSCALL,
 #if defined(__x86_64__)
                 // block x32
-                HANDLE_X32_KILL,
+                HANDLE_X32,
 #endif
                 // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality)
                 // 0: if  personality(2), continue to 1, else goto 7 (allow)
@@ -207,7 +142,7 @@ void seccomp_secondary_block(const char *fname) {
                 // 5: if MSW(arg0) == 0, goto 7 (allow) else continue to 6 (kill)
                 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, jmp_from_to(5, 7), 0),
                 // 6:
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 // 7:
                 RETURN_ALLOW
         };
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
deleted file mode 100644
index 69b6e5271..000000000
--- a/src/fseccomp/syscall.c
+++ /dev/null
@@ -1,590 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#define _GNU_SOURCE
-#include "fseccomp.h"
-#include <stdio.h>
-#include <sys/syscall.h>
-
-typedef struct {
-        const char * const name;
-        int nr;
-} SyscallEntry;
-
-typedef struct {
-        const char * const name;
-        const char * const list;
-} SyscallGroupList;
-
-typedef struct {
-        const char *slist;
-        char *prelist, *postlist;
-        bool found;
-        int syscall;
-} SyscallCheckList;
-
-static const SyscallEntry syslist[] = {
-//
-// code generated using tools/extract-syscall
-//
-#include "../include/syscall.h"
-//
-// end of generated code
-//
-}; // end of syslist
-
-static const SyscallGroupList sysgroups[] = {
-        { .name = "@clock", .list =
-#ifdef SYS_adjtimex
-          "adjtimex,"
-#endif
-#ifdef SYS_clock_adjtime
-          "clock_adjtime,"
-#endif
-#ifdef SYS_clock_settime
-          "clock_settime,"
-#endif
-#ifdef SYS_settimeofday
-          "settimeofday,"
-#endif
-#ifdef SYS_stime
-          "stime"
-#endif
-        },
-        { .name = "@cpu-emulation", .list =
-#ifdef SYS_modify_ldt
-          "modify_ldt,"
-#endif
-#ifdef SYS_subpage_prot
-          "subpage_prot,"
-#endif
-#ifdef SYS_switch_endian
-          "switch_endian,"
-#endif
-#ifdef SYS_vm86
-          "vm86,"
-#endif
-#ifdef SYS_vm86old
-          "vm86old"
-#endif
-#if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old)
-          "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed
-#endif
-        },
-        { .name = "@debug", .list =
-#ifdef SYS_lookup_dcookie
-          "lookup_dcookie,"
-#endif
-#ifdef SYS_perf_event_open
-          "perf_event_open,"
-#endif
-#ifdef SYS_process_vm_writev
-          "process_vm_writev,"
-#endif
-#ifdef SYS_rtas
-          "rtas,"
-#endif
-#ifdef SYS_s390_runtime_instr
-          "s390_runtime_instr,"
-#endif
-#ifdef SYS_sys_debug_setcontext
-          "sys_debug_setcontext,"
-#endif
-        },
-        { .name = "@default", .list =
-          "@cpu-emulation,"
-          "@debug,"
-          "@obsolete,"
-          "@privileged,"
-          "@resources,"
-#ifdef SYS_open_by_handle_at
-          "open_by_handle_at,"
-#endif
-#ifdef SYS_name_to_handle_at
-          "name_to_handle_at,"
-#endif
-#ifdef SYS_ioprio_set
-          "ioprio_set,"
-#endif
-#ifdef SYS_ni_syscall
-          "ni_syscall,"
-#endif
-#ifdef SYS_syslog
-          "syslog,"
-#endif
-#ifdef SYS_fanotify_init
-          "fanotify_init,"
-#endif
-#ifdef SYS_kcmp
-          "kcmp,"
-#endif
-#ifdef SYS_add_key
-          "add_key,"
-#endif
-#ifdef SYS_request_key
-          "request_key,"
-#endif
-#ifdef SYS_keyctl
-          "keyctl,"
-#endif
-#ifdef SYS_io_setup
-          "io_setup,"
-#endif
-#ifdef SYS_io_destroy
-          "io_destroy,"
-#endif
-#ifdef SYS_io_getevents
-          "io_getevents,"
-#endif
-#ifdef SYS_io_submit
-          "io_submit,"
-#endif
-#ifdef SYS_io_cancel
-          "io_cancel,"
-#endif
-#ifdef SYS_remap_file_pages
-          "remap_file_pages,"
-#endif
-#ifdef SYS_vmsplice
-          "vmsplice,"
-#endif
-#ifdef SYS_personality
-          "personality,"
-#endif
-#ifdef SYS_umount
-          "umount,"
-#endif
-#ifdef SYS_userfaultfd
-          "userfaultfd"
-#endif
-        },
-        { .name = "@default-nodebuggers", .list =
-          "@default,"
-#ifdef SYS_ptrace
-          "ptrace,"
-#endif
-#ifdef SYS_process_vm_readv
-          "process_vm_readv"
-#endif
-        },
-        { .name = "@default-keep", .list =
-          "execve,"
-          "prctl"
-        },
-        { .name = "@module", .list =
-#ifdef SYS_delete_module
-          "delete_module,"
-#endif
-#ifdef SYS_finit_module
-          "finit_module,"
-#endif
-#ifdef SYS_init_module
-          "init_module"
-#endif
-        },
-        { .name = "@obsolete", .list =
-#ifdef SYS__sysctl
-          "_sysctl,"
-#endif
-#ifdef SYS_afs_syscall
-          "afs_syscall,"
-#endif
-#ifdef SYS_bdflush
-          "bdflush,"
-#endif
-#ifdef SYS_break
-          "break,"
-#endif
-#ifdef SYS_create_module
-          "create_module,"
-#endif
-#ifdef SYS_ftime
-          "ftime,"
-#endif
-#ifdef SYS_get_kernel_syms
-          "get_kernel_syms,"
-#endif
-#ifdef SYS_getpmsg
-          "getpmsg,"
-#endif
-#ifdef SYS_gtty
-          "gtty,"
-#endif
-#ifdef SYS_lock
-          "lock,"
-#endif
-#ifdef SYS_mpx
-          "mpx,"
-#endif
-#ifdef SYS_prof
-          "prof,"
-#endif
-#ifdef SYS_profil
-          "profil,"
-#endif
-#ifdef SYS_putpmsg
-          "putpmsg,"
-#endif
-#ifdef SYS_query_module
-          "query_module,"
-#endif
-#ifdef SYS_security
-          "security,"
-#endif
-#ifdef SYS_sgetmask
-          "sgetmask,"
-#endif
-#ifdef SYS_ssetmask
-          "ssetmask,"
-#endif
-#ifdef SYS_stty
-          "stty,"
-#endif
-#ifdef SYS_sysfs
-          "sysfs,"
-#endif
-#ifdef SYS_tuxcall
-          "tuxcall,"
-#endif
-#ifdef SYS_ulimit
-          "ulimit,"
-#endif
-#ifdef SYS_uselib
-          "uselib,"
-#endif
-#ifdef SYS_ustat
-          "ustat,"
-#endif
-#ifdef SYS_vserver
-          "vserver"
-#endif
-#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
-          "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
-#endif
-        },
-        { .name = "@privileged", .list =
-          "@clock,"
-          "@module,"
-          "@raw-io,"
-          "@reboot,"
-          "@swap,"
-#ifdef SYS_acct
-          "acct,"
-#endif
-#ifdef SYS_bpf
-          "bpf,"
-#endif
-#ifdef SYS_chroot
-          "chroot,"
-#endif
-#ifdef SYS_mount
-          "mount,"
-#endif
-#ifdef SYS_nfsservctl
-          "nfsservctl,"
-#endif
-#ifdef SYS_pivot_root
-          "pivot_root,"
-#endif
-#ifdef SYS_setdomainname
-          "setdomainname,"
-#endif
-#ifdef SYS_sethostname
-          "sethostname,"
-#endif
-#ifdef SYS_umount2
-          "umount2,"
-#endif
-#ifdef SYS_vhangup
-          "vhangup"
-#endif
-        },
-        { .name = "@raw-io", .list =
-#ifdef SYS_ioperm
-          "ioperm,"
-#endif
-#ifdef SYS_iopl
-          "iopl,"
-#endif
-#ifdef SYS_pciconfig_iobase
-          "pciconfig_iobase,"
-#endif
-#ifdef SYS_pciconfig_read
-          "pciconfig_read,"
-#endif
-#ifdef SYS_pciconfig_write
-          "pciconfig_write,"
-#endif
-#ifdef SYS_s390_mmio_read
-          "s390_mmio_read,"
-#endif
-#ifdef SYS_s390_mmio_write
-          "s390_mmio_write"
-#endif
-#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
-          "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
-#endif
-        },
-        { .name = "@reboot", .list =
-#ifdef SYS_kexec_load
-          "kexec_load,"
-#endif
-#ifdef SYS_kexec_file_load
-          "kexec_file_load,"
-#endif
-#ifdef SYS_reboot
-          "reboot,"
-#endif
-        },
-        { .name = "@resources", .list =
-#ifdef SYS_set_mempolicy
-          "set_mempolicy,"
-#endif
-#ifdef SYS_migrate_pages
-          "migrate_pages,"
-#endif
-#ifdef SYS_move_pages
-          "move_pages,"
-#endif
-#ifdef SYS_mbind
-          "mbind"
-#endif
-        },
-        { .name = "@swap", .list =
-#ifdef SYS_swapon
-          "swapon,"
-#endif
-#ifdef SYS_swapoff
-          "swapoff"
-#endif
-        }
-};
-
-// return -1 if error, or syscall number
-static int syscall_find_name(const char *name) {
-        int i;
-        int elems = sizeof(syslist) / sizeof(syslist[0]);
-        for (i = 0; i < elems; i++) {
-                if (strcmp(name, syslist[i].name) == 0)
-                        return syslist[i].nr;
-        }
-
-        return -1;
-}
-
-const char *syscall_find_nr(int nr) {
-        int i;
-        int elems = sizeof(syslist) / sizeof(syslist[0]);
-        for (i = 0; i < elems; i++) {
-                if (nr == syslist[i].nr)
-                        return syslist[i].name;
-        }
-
-        return "unknown";
-}
-
-void syscall_print(void) {
-        int i;
-        int elems = sizeof(syslist) / sizeof(syslist[0]);
-        for (i = 0; i < elems; i++) {
-                printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
-        }
-        printf("\n");
-}
-
-static const char *syscall_find_group(const char *name) {
-        int i;
-        int elems = sizeof(sysgroups) / sizeof(sysgroups[0]);
-        for (i = 0; i < elems; i++) {
-                if (strcmp(name, sysgroups[i].name) == 0)
-                        return sysgroups[i].list;
-        }
-
-        return NULL;
-}
-
-// allowed input:
-// - syscall
-// - syscall(error)
-static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) {
-        assert(name);
-        if (strlen(name) == 0)
-                goto error;
-        *error_nr = -1;
-
-        // syntax check
-        char *str = strdup(name);
-        if (!str)
-                errExit("strdup");
-
-        char *syscall_name = str;
-        char *error_name = strchr(str, ':');
-        if (error_name) {
-                *error_name = '\0';
-                error_name++;
-        }
-        if (strlen(syscall_name) == 0) {
-                free(str);
-                goto error;
-        }
-
-        if (*syscall_name == '$')
-                *syscall_nr = strtol(syscall_name + 1, NULL, 0);
-        else
-                *syscall_nr = syscall_find_name(syscall_name);
-        if (error_name) {
-                *error_nr = errno_find_name(error_name);
-                if (*error_nr == -1)
-                        *syscall_nr = -1;
-        }
-
-        free(str);
-        return;
-
-error:
-        fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
-        exit(1);
-}
-
-// return 1 if error, 0 if OK
-int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg) {
-        // don't allow empty lists
-        if (slist == NULL || *slist == '\0') {
-                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                exit(1);
-        }
-
-        // work on a copy of the string
-        char *str = strdup(slist);
-        if (!str)
-                errExit("strdup");
-
-        char *saveptr;
-        char *ptr = strtok_r(str, ",", &saveptr);
-        if (ptr == NULL) {
-                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
-                exit(1);
-        }
-
-        while (ptr) {
-                int syscall_nr;
-                int error_nr;
-                if (*ptr == '@') {
-                        const char *new_list = syscall_find_group(ptr);
-                        if (!new_list) {
-                                fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr);
-                                exit(1);
-                        }
-                        syscall_check_list(new_list, callback, fd, arg, ptrarg);
-                }
-                else {
-                        syscall_process_name(ptr, &syscall_nr, &error_nr);
-                        if (syscall_nr == -1) {
-                                if (!arg_quiet)
-                                        fprintf(stderr, "Warning fseccomp: syscall \"%s\" not available on this platform\n", ptr);
-                        }
-                        else if (callback != NULL) {
-                                if (error_nr != -1 && fd != 0) {
-                                        filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
-                                }
-                                else if (error_nr != -1 && fd == 0) {
-                                        callback(fd, syscall_nr, error_nr, ptrarg);
-                                }
-                                else {
-                                        callback(fd, syscall_nr, arg, ptrarg);
-                                }
-                        }
-                }
-                ptr = strtok_r(NULL, ",", &saveptr);
-        }
-
-        free(str);
-        return 0;
-}
-
-static void find_syscall(int fd, int syscall, int arg, void *ptrarg) {
-        (void)fd;
-        (void) arg;
-        SyscallCheckList *ptr = ptrarg;
-        if (syscall == ptr->syscall)
-                ptr->found = true;
-}
-
-// go through list2 and find matches for problem syscall
-static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
-        (void) fd;
-        (void)arg;
-        SyscallCheckList *ptr = ptrarg;
-        SyscallCheckList sl;
-        sl.found = false;
-        sl.syscall = syscall;
-        syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl);
-        // if found in the problem list, add to post-exec list
-        if (sl.found) {
-                if (ptr->postlist) {
-                        if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, syscall_find_nr(syscall)) == -1)
-                                errExit("asprintf");
-                }
-                else
-                        ptr->postlist = strdup(syscall_find_nr(syscall));
-        }
-        else { // no problem, add to pre-exec list
-                // build syscall:error_no
-                char *newcall;
-                if (arg != 0) {
-                        if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1)
-                                errExit("asprintf");
-                }
-                else {
-                        newcall = strdup(syscall_find_nr(syscall));
-                        if (!newcall)
-                                errExit("strdup");
-                }
-
-                if (ptr->prelist) {
-                        if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1)
-                                errExit("asprintf");
-                }
-                else
-                        ptr->prelist = newcall;
-        }
-}
-
-// go through list and find matches for syscalls in list @default-keep
-void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist) {
-        (void) fd;
-        SyscallCheckList sl;
-        // these syscalls are used by firejail after the seccomp filter is initialized
-        sl.slist = slist;
-        sl.prelist = NULL;
-        sl.postlist = NULL;
-        syscall_check_list(list, syscall_in_list, 0, 0, &sl);
-        if (!arg_quiet) {
-                printf("Seccomp list in: %s,", list);
-                if (sl.slist)
-                        printf(" check list: %s,", sl.slist);
-                if (sl.prelist)
-                        printf(" prelist: %s,", sl.prelist);
-                if (sl.postlist)
-                        printf(" postlist: %s", sl.postlist);
-                printf("\n");
-        }
-        *prelist = sl.prelist;
-        *postlist = sl.postlist;
-}
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index 470137895..f9a6c4f06 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -1,4 +1,17 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+TCFILE=""
+if [ -x "/usr/sbin/tc" ]; then
+        TCFILE="/usr/sbin/tc"
+elif [ -x "/sbin/tc" ]; then
+        TCFILE="/sbin/tc";
+else
+        echo "Error: traffic control utility (tc) not found";
+        exit 1
+fi
 
 usage() {
         echo "Usage:"
@@ -8,8 +21,8 @@ usage() {
 }
 
 if [ "$1" = "--status" ]; then
-        /sbin/tc -s qdisc ls
-        /sbin/tc -s class ls
+        $TCFILE -s qdisc ls
+        $TCFILE -s class ls
         exit
 fi
 
@@ -21,17 +34,17 @@ if [ "$1" = "--clear" ]; then
         fi
 
         DEV=$2
-        echo "Removing bandwith limits"
-        /sbin/tc qdisc del dev $DEV root  2> /dev/null > /dev/null
-        /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
+        echo "Removing bandwidth limits"
+        $TCFILE qdisc del dev $DEV root  2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null
         exit
 
 fi
 
 if [ "$1" = "--set" ]; then
         DEV=$2
-        echo "Removing bandwith limit"
-        /sbin/tc qdisc del dev $DEV ingress #2> /dev/null > /dev/null
+        echo "Removing bandwidth limit"
+        $TCFILE qdisc del dev $DEV ingress #2> /dev/null > /dev/null
 
         if [ $# -ne 4 ]; then
                 echo "Error: missing parameters"
@@ -51,16 +64,16 @@ if [ "$1" = "--set" ]; then
         echo "Upload speed  ${OUT}kbps"
 
         echo "cleaning limits"
-        /sbin/tc qdisc del dev $DEV root  2> /dev/null > /dev/null
-        /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV root  2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null
 
         echo "configuring tc ingress"
-        /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null
-        /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
+        $TCFILE qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null
+        $TCFILE filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
            0.0.0.0/0 police rate ${IN}kbit burst 10k drop flowid :1 #2> /dev/null > /dev/null
 
         echo "configuring tc egress"
-        /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null
+        $TCFILE qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null
         exit
 fi
 
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index fd39f0cb7..05caf81be 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -1,27 +1,17 @@
+.PHONY: all
 all: ftee
 
-CC=@CC@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+include ../common.mk
 
 %.o : %.c $(H_FILE_LIST)
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 ftee: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
 
-clean:; rm -f *.o ftee *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h
index 48f3b5fdf..a556efb75 100644
--- a/src/ftee/ftee.h
+++ b/src/ftee/ftee.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 2f6adb9c8..4d447f2c4 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/common.h b/src/include/common.h
index 4c517e427..5bcbaad88 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -32,7 +32,11 @@
 #include <ctype.h>
 #include <assert.h>
 
-#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
+// dbus proxy path used by firejail and firemon
+#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
+
+
+#define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
 
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
@@ -109,25 +113,14 @@ static inline int mac_not_zero(const unsigned char mac[6]) {
         return 0;
 }
 
-// rtdsc timestamp on x86-64/amd64  processors
-static inline unsigned long long getticks(void) {
-#if defined(__x86_64__)
-        unsigned a, d;
-        asm volatile("rdtsc" : "=a" (a), "=d" (d));
-        return ((unsigned long long)a) | (((unsigned long long)d) << 32);
-#elif defined(__i386__)
-        unsigned long long ret;
-        __asm__ __volatile__("rdtsc" : "=A" (ret));
-        return ret;
-#else
-        return 0; // not implemented
-#endif
-}
-
+void timetrace_start(void);
+float timetrace_end(void);
 int join_namespace(pid_t pid, char *type);
 int name2pid(const char *name, pid_t *pid);
 char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
 int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
 int pid_hidepid(void);
+void warn_dumpable(void);
+const char *gnu_basename(const char *path);
 #endif
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
index 4e6db514d..8d8dd95f6 100644
--- a/src/include/euid_common.h
+++ b/src/include/euid_common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/firejail_user.h b/src/include/firejail_user.h
new file mode 100644
index 000000000..cf17fa0cf
--- /dev/null
+++ b/src/include/firejail_user.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef FIREJAIL_USER_H
+#define FIREJAIL_USER_H
+
+extern int uid_min;
+extern int gid_min;
+
+// returns 1 if the user is found in the database or if the database was not created
+int firejail_user_check(const char *name);
+
+// add a user to the database
+void firejail_user_add(const char *name);
+
+#endif
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h
new file mode 100644
index 000000000..4aafb8e18
--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+
+#ifdef HAS_GCOV
+#include <gcov.h>
+
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere).  Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+       __gcov_dump();
+       __gcov_reset();
+}
+#endif
+#else
+#define __gcov_dump() ((void)0)
+#define __gcov_reset() ((void)0)
+#define __gcov_flush() ((void)0)
+#endif /* HAS_GCOV */
+
+#endif /* GCOV_WRAPPER_H */
diff --git a/src/include/ldd_utils.h b/src/include/ldd_utils.h
new file mode 100644
index 000000000..ffd6e189f
--- /dev/null
+++ b/src/include/ldd_utils.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef LDD_UTILS_H
+#define LDD_UTILS_H
+
+#include "../include/common.h"
+#include <elf.h>
+
+#ifdef __LP64__
+#define Elf_Ehdr Elf64_Ehdr
+#define Elf_Phdr Elf64_Phdr
+#define Elf_Shdr Elf64_Shdr
+#define Elf_Dyn Elf64_Dyn
+#else
+#define Elf_Ehdr Elf32_Ehdr
+#define Elf_Phdr Elf32_Phdr
+#define Elf_Shdr Elf32_Shdr
+#define Elf_Dyn Elf32_Dyn
+#endif
+
+extern const char * const default_lib_paths[];
+
+// return 1 if this is a 64 bit program/library
+int is_lib_64(const char *exe);
+
+
+
+#endif
diff --git a/src/include/libnetlink.h b/src/include/libnetlink.h
index 01fd2675d..0310ecad3 100644
--- a/src/include/libnetlink.h
+++ b/src/include/libnetlink.h
@@ -3,10 +3,10 @@
  * Original source code:
  *
  * Information:
- *     http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
+ *     https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
  *
  * Download:
- *     http://www.kernel.org/pub/linux/utils/net/iproute2/
+ *     https://www.kernel.org/pub/linux/utils/net/iproute2/
  *
  * Repository:
  *     git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
diff --git a/src/include/pid.h b/src/include/pid.h
index ca152f972..17e51f660 100644
--- a/src/include/pid.h
+++ b/src/include/pid.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
new file mode 100644
index 000000000..3db750da3
--- /dev/null
+++ b/src/include/rundefs.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef RUNDEFS_H
+#define RUNDEFS_H
+// filesystem
+#define RUN_FIREJAIL_BASEDIR            "/run"
+#define RUN_FIREJAIL_DIR                RUN_FIREJAIL_BASEDIR "/firejail"
+#define RUN_FIREJAIL_APPIMAGE_DIR       RUN_FIREJAIL_DIR "/appimage"
+#define RUN_FIREJAIL_NAME_DIR           RUN_FIREJAIL_DIR "/name" // also used in src/lib/pid.c - todo: move it in a common place
+#define RUN_FIREJAIL_LIB_DIR            RUN_FIREJAIL_DIR "/lib"
+#define RUN_FIREJAIL_X11_DIR            RUN_FIREJAIL_DIR "/x11"
+#define RUN_FIREJAIL_NETWORK_DIR        RUN_FIREJAIL_DIR "/network"
+#define RUN_FIREJAIL_BANDWIDTH_DIR      RUN_FIREJAIL_DIR "/bandwidth"
+#define RUN_FIREJAIL_PROFILE_DIR        RUN_FIREJAIL_DIR "/profile"
+#define RUN_FIREJAIL_DBUS_DIR RUN_FIREJAIL_DIR "/dbus"
+#define RUN_NETWORK_LOCK_FILE           RUN_FIREJAIL_DIR "/firejail-network.lock"
+#define RUN_DIRECTORY_LOCK_FILE         RUN_FIREJAIL_DIR "/firejail-run.lock"
+#define RUN_RO_DIR                      RUN_FIREJAIL_DIR "/firejail.ro.dir"
+#define RUN_RO_FILE                     RUN_FIREJAIL_DIR "/firejail.ro.file"
+#define RUN_MNT_DIR                     RUN_FIREJAIL_DIR "/mnt" // a tmpfs is mounted on this directory before any of the files below are created
+#define RUN_CGROUP_CFG                  RUN_MNT_DIR "/cgroup"
+#define RUN_CPU_CFG                     RUN_MNT_DIR "/cpu"
+#define RUN_GROUPS_CFG                  RUN_MNT_DIR "/groups"
+#define RUN_PROTOCOL_CFG                RUN_MNT_DIR "/protocol"
+#define RUN_NONEWPRIVS_CFG              RUN_MNT_DIR "/nonewprivs"
+#define RUN_HOME_DIR                    RUN_MNT_DIR "/home"
+#define RUN_ETC_DIR                     RUN_MNT_DIR "/etc"
+#define RUN_USR_ETC_DIR         RUN_MNT_DIR "/usretc"
+#define RUN_OPT_DIR                     RUN_MNT_DIR "/opt"
+#define RUN_SRV_DIR                     RUN_MNT_DIR "/srv"
+#define RUN_BIN_DIR                     RUN_MNT_DIR "/bin"
+#define RUN_PULSE_DIR                   RUN_MNT_DIR "/pulse"
+#define RUN_LIB_DIR                     RUN_MNT_DIR "/lib"
+#define RUN_LIB_FILE                    RUN_MNT_DIR "/libfiles"
+#define RUN_DNS_ETC                     RUN_MNT_DIR "/dns-etc"
+#define RUN_DHCLIENT_DIR                        RUN_MNT_DIR "/dhclient-dir"
+#define RUN_DHCLIENT_4_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient.leases"
+#define RUN_DHCLIENT_6_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient6.leases"
+#define RUN_DHCLIENT_4_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient.leases"
+#define RUN_DHCLIENT_4_PID_FILE                 RUN_DHCLIENT_DIR "/dhclient.pid"
+#define RUN_DHCLIENT_6_PID_FILE                 RUN_DHCLIENT_DIR "/dhclient6.pid"
+#define RUN_DBUS_DIR        RUN_MNT_DIR "/dbus"
+#define RUN_DBUS_USER_SOCKET        RUN_DBUS_DIR "/user"
+#define RUN_DBUS_SYSTEM_SOCKET      RUN_DBUS_DIR "/system"
+
+#define RUN_SECCOMP_DIR                 RUN_MNT_DIR "/seccomp"
+#define RUN_SECCOMP_LIST                RUN_SECCOMP_DIR "/seccomp.list"         // list of seccomp files installed
+#define RUN_SECCOMP_PROTOCOL            RUN_SECCOMP_DIR "/seccomp.protocol"             // protocol filter
+#define RUN_SECCOMP_CFG                 RUN_SECCOMP_DIR "/seccomp"                      // configured filter
+#define RUN_SECCOMP_32                  RUN_SECCOMP_DIR "/seccomp.32"                   // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_MDWX                RUN_SECCOMP_DIR "/seccomp.mdwx"                 // filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX_32             RUN_SECCOMP_DIR "/seccomp.mdwx.32"
+#define RUN_SECCOMP_BLOCK_SECONDARY     RUN_SECCOMP_DIR "/seccomp.block_secondary"      // secondary arch blocking filter
+#define RUN_SECCOMP_POSTEXEC            RUN_SECCOMP_DIR "/seccomp.postexec"             // filter for post-exec library
+#define RUN_SECCOMP_POSTEXEC_32         RUN_SECCOMP_DIR "/seccomp.postexec32"           // filter for post-exec library
+#define PATH_SECCOMP_DEFAULT            LIBDIR "/firejail/seccomp"                      // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG      LIBDIR "/firejail/seccomp.debug"                // debug filter built during make
+#define PATH_SECCOMP_32                 LIBDIR "/firejail/seccomp.32"                   // 32bit arch filter built during make
+#define PATH_SECCOMP_DEBUG_32           LIBDIR "/firejail/seccomp.debug32"              // 32bit arch debug filter built during make
+#define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"                 // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
+
+#define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"
+#define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
+#define RUN_XAUTHORITY_FILE             RUN_MNT_DIR "/.Xauthority"              // private options
+#define RUN_XAUTH_FILE                  RUN_MNT_DIR "/xauth"                    // x11=xorg
+#define RUN_XAUTHORITY_SEC_DIR          RUN_MNT_DIR "/.sec.Xauthority"          // x11=xorg
+#define RUN_ASOUNDRC_FILE               RUN_MNT_DIR "/.asoundrc"
+#define RUN_HOSTNAME_FILE               RUN_MNT_DIR "/hostname"
+#define RUN_HOSTS_FILE                  RUN_MNT_DIR "/hosts"
+#define RUN_MACHINEID                   RUN_MNT_DIR "/machine-id"
+#define RUN_LDPRELOAD_FILE              RUN_MNT_DIR "/ld.so.preload"
+#define RUN_UTMP_FILE                   RUN_MNT_DIR "/utmp"
+#define RUN_PASSWD_FILE                 RUN_MNT_DIR "/passwd"
+#define RUN_GROUP_FILE                  RUN_MNT_DIR "/group"
+#define RUN_FSLOGGER_FILE               RUN_MNT_DIR "/fslogger"
+#define RUN_TRACE_FILE                  RUN_MNT_DIR "/trace"
+#define RUN_UMASK_FILE                  RUN_MNT_DIR "/umask"
+#define RUN_JOIN_FILE                   RUN_MNT_DIR "/join"
+#define RUN_OVERLAY_ROOT                RUN_MNT_DIR "/oroot"
+
+#endif
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index b8bfce96b..43bb73a04 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -67,28 +67,41 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 
+// From /usr/include/linux/filter.h
+//struct sock_filter {  /* Filter block */
+//      __u16   code;   /* Actual filter code */
+//      __u8    jt;     /* Jump true */
+//      __u8    jf;     /* Jump false */
+//      __u32   k;      /* Generic multiuse field */
+//};
+
+// for old platforms (Debian "wheezy", etc.)
+#ifndef BPF_MOD
+#define BPF_MOD 0x90
+#endif
+#ifndef BPF_XOR
+#define BPF_XOR 0xa0
+#endif
+#ifndef SECCOMP_RET_ACTION
+#define SECCOMP_RET_ACTION 0x7fff0000U
+#endif
+#ifndef SECCOMP_RET_TRACE
+#define SECCOMP_RET_TRACE 0x7ff00000U
+#endif
+
+
+
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#if HAVE_SECCOMP_H
 #include <linux/seccomp.h>
-#else
-#define SECCOMP_MODE_FILTER     2
-#define SECCOMP_RET_KILL        0x00000000U
-#define SECCOMP_RET_TRAP        0x00030000U
-#define SECCOMP_RET_ALLOW       0x7fff0000U
-#define SECCOMP_RET_ERRNO       0x00050000U
-#define SECCOMP_RET_DATA        0x0000ffffU
-struct seccomp_data {
-    int nr;
-    __u32 arch;
-    __u64 instruction_pointer;
-    __u64 args[6];
-};
+#ifndef SECCOMP_RET_LOG
+#define SECCOMP_RET_LOG         0x7ffc0000U
 #endif
 
+
 #if defined(__i386__)
 # define ARCH_NR        AUDIT_ARCH_I386
 # define ARCH_32        AUDIT_ARCH_I386
@@ -188,7 +201,7 @@ struct seccomp_data {
 #define VALIDATE_ARCHITECTURE_KILL \
      BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
-     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+     KILL_OR_RETURN_ERRNO
 
 #define VALIDATE_ARCHITECTURE_64 \
      BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
@@ -200,17 +213,16 @@ struct seccomp_data {
      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \
      BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 
+#ifndef X32_SYSCALL_BIT
+#define X32_SYSCALL_BIT 0x40000000
+#endif
+
 #if defined(__x86_64__)
 // handle X32 ABI
-#define X32_SYSCALL_BIT 0x40000000
 #define HANDLE_X32 \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-                RETURN_ERRNO(EPERM)
-#define HANDLE_X32_KILL \
-                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
-                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-                KILL_PROCESS
+                KILL_OR_RETURN_ERRNO
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS,  \
@@ -225,7 +237,7 @@ struct seccomp_data {
 
 #define BLACKLIST(syscall_nr)   \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),      \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+        KILL_OR_RETURN_ERRNO
 
 #define WHITELIST(syscall_nr) \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
@@ -241,7 +253,10 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
-#define KILL_PROCESS \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+extern int arg_seccomp_error_action;    // error action: errno, log or kill
+#define DEFAULT_SECCOMP_ERROR_ACTION EPERM
+
+#define KILL_OR_RETURN_ERRNO \
+        BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
 
 #endif
diff --git a/src/include/syscall.h b/src/include/syscall.h
index df9a03ffb..015dd01b9 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,5130 +17,29 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef SYSCALL_H
+#define SYSCALL_H
+
+#include <stdbool.h>
+
+// main.c
+extern int arg_quiet;
+
+// seccomp_file.c or dummy versions in firejail/main.c and fsec-print/main.c
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native);
+
+// errno.c
+void errno_print(void);
+int errno_find_name(const char *name);
+const char *errno_find_nr(int nr);
+
+// syscall.c
+void syscall_print(void);
+void syscall_print_32(void);
+typedef void (filter_fn)(int fd, int syscall, int arg, void *ptrarg, bool native);
+int syscall_check_list(const char *slist, filter_fn *callback, int fd, int arg, void *ptrarg, bool native);
+const char *syscall_find_nr(int nr);
+void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist, bool native);
 
-// content extracted from /bits/syscall.h file form glibc 2.22
-// using ../tools/extract_syscall tool
-#if !defined __x86_64__
-#ifdef SYS__llseek
-#ifdef __NR__llseek
-        {"_llseek", __NR__llseek},
-#endif
-#endif
-#ifdef SYS__newselect
-#ifdef __NR__newselect
-        {"_newselect", __NR__newselect},
-#endif
-#endif
-#ifdef SYS__sysctl
-#ifdef __NR__sysctl
-        {"_sysctl", __NR__sysctl},
-#endif
-#endif
-#ifdef SYS_accept4
-#ifdef __NR_accept4
-        {"accept4", __NR_accept4},
-#endif
-#endif
-#ifdef SYS_access
-#ifdef __NR_access
-        {"access", __NR_access},
-#endif
-#endif
-#ifdef SYS_acct
-#ifdef __NR_acct
-        {"acct", __NR_acct},
-#endif
-#endif
-#ifdef SYS_add_key
-#ifdef __NR_add_key
-        {"add_key", __NR_add_key},
-#endif
-#endif
-#ifdef SYS_adjtimex
-#ifdef __NR_adjtimex
-        {"adjtimex", __NR_adjtimex},
-#endif
-#endif
-#ifdef SYS_afs_syscall
-#ifdef __NR_afs_syscall
-        {"afs_syscall", __NR_afs_syscall},
-#endif
-#endif
-#ifdef SYS_alarm
-#ifdef __NR_alarm
-        {"alarm", __NR_alarm},
-#endif
-#endif
-#ifdef SYS_bdflush
-#ifdef __NR_bdflush
-        {"bdflush", __NR_bdflush},
-#endif
-#endif
-#ifdef SYS_bind
-#ifdef __NR_bind
-        {"bind", __NR_bind},
-#endif
-#endif
-#ifdef SYS_bpf
-#ifdef __NR_bpf
-        {"bpf", __NR_bpf},
-#endif
-#endif
-#ifdef SYS_break
-#ifdef __NR_break
-        {"break", __NR_break},
-#endif
-#endif
-#ifdef SYS_brk
-#ifdef __NR_brk
-        {"brk", __NR_brk},
-#endif
-#endif
-#ifdef SYS_capget
-#ifdef __NR_capget
-        {"capget", __NR_capget},
-#endif
-#endif
-#ifdef SYS_capset
-#ifdef __NR_capset
-        {"capset", __NR_capset},
-#endif
-#endif
-#ifdef SYS_chdir
-#ifdef __NR_chdir
-        {"chdir", __NR_chdir},
-#endif
-#endif
-#ifdef SYS_chmod
-#ifdef __NR_chmod
-        {"chmod", __NR_chmod},
-#endif
-#endif
-#ifdef SYS_chown
-#ifdef __NR_chown
-        {"chown", __NR_chown},
-#endif
-#endif
-#ifdef SYS_chown32
-#ifdef __NR_chown32
-        {"chown32", __NR_chown32},
-#endif
-#endif
-#ifdef SYS_chroot
-#ifdef __NR_chroot
-        {"chroot", __NR_chroot},
-#endif
-#endif
-#ifdef SYS_clock_adjtime
-#ifdef __NR_clock_adjtime
-        {"clock_adjtime", __NR_clock_adjtime},
-#endif
-#endif
-#ifdef SYS_clock_getres
-#ifdef __NR_clock_getres
-        {"clock_getres", __NR_clock_getres},
-#endif
-#endif
-#ifdef SYS_clock_gettime
-#ifdef __NR_clock_gettime
-        {"clock_gettime", __NR_clock_gettime},
-#endif
-#endif
-#ifdef SYS_clock_nanosleep
-#ifdef __NR_clock_nanosleep
-        {"clock_nanosleep", __NR_clock_nanosleep},
-#endif
-#endif
-#ifdef SYS_clock_settime
-#ifdef __NR_clock_settime
-        {"clock_settime", __NR_clock_settime},
-#endif
-#endif
-#ifdef SYS_clone
-#ifdef __NR_clone
-        {"clone", __NR_clone},
-#endif
-#endif
-#ifdef SYS_close
-#ifdef __NR_close
-        {"close", __NR_close},
-#endif
-#endif
-#ifdef SYS_connect
-#ifdef __NR_connect
-        {"connect", __NR_connect},
-#endif
-#endif
-#ifdef SYS_copy_file_range
-#ifdef __NR_copy_file_range
-        {"copy_file_range", __NR_copy_file_range},
-#endif
-#endif
-#ifdef SYS_creat
-#ifdef __NR_creat
-        {"creat", __NR_creat},
-#endif
-#endif
-#ifdef SYS_create_module
-#ifdef __NR_create_module
-        {"create_module", __NR_create_module},
-#endif
-#endif
-#ifdef SYS_delete_module
-#ifdef __NR_delete_module
-        {"delete_module", __NR_delete_module},
-#endif
-#endif
-#ifdef SYS_dup
-#ifdef __NR_dup
-        {"dup", __NR_dup},
-#endif
-#endif
-#ifdef SYS_dup2
-#ifdef __NR_dup2
-        {"dup2", __NR_dup2},
-#endif
-#endif
-#ifdef SYS_dup3
-#ifdef __NR_dup3
-        {"dup3", __NR_dup3},
-#endif
-#endif
-#ifdef SYS_epoll_create
-#ifdef __NR_epoll_create
-        {"epoll_create", __NR_epoll_create},
-#endif
-#endif
-#ifdef SYS_epoll_create1
-#ifdef __NR_epoll_create1
-        {"epoll_create1", __NR_epoll_create1},
-#endif
-#endif
-#ifdef SYS_epoll_ctl
-#ifdef __NR_epoll_ctl
-        {"epoll_ctl", __NR_epoll_ctl},
-#endif
-#endif
-#ifdef SYS_epoll_pwait
-#ifdef __NR_epoll_pwait
-        {"epoll_pwait", __NR_epoll_pwait},
-#endif
-#endif
-#ifdef SYS_epoll_wait
-#ifdef __NR_epoll_wait
-        {"epoll_wait", __NR_epoll_wait},
-#endif
-#endif
-#ifdef SYS_eventfd
-#ifdef __NR_eventfd
-        {"eventfd", __NR_eventfd},
-#endif
-#endif
-#ifdef SYS_eventfd2
-#ifdef __NR_eventfd2
-        {"eventfd2", __NR_eventfd2},
-#endif
-#endif
-#ifdef SYS_execve
-#ifdef __NR_execve
-        {"execve", __NR_execve},
-#endif
-#endif
-#ifdef SYS_execveat
-#ifdef __NR_execveat
-        {"execveat", __NR_execveat},
-#endif
-#endif
-#ifdef SYS_exit
-#ifdef __NR_exit
-        {"exit", __NR_exit},
-#endif
-#endif
-#ifdef SYS_exit_group
-#ifdef __NR_exit_group
-        {"exit_group", __NR_exit_group},
-#endif
-#endif
-#ifdef SYS_faccessat
-#ifdef __NR_faccessat
-        {"faccessat", __NR_faccessat},
-#endif
-#endif
-#ifdef SYS_fadvise64
-#ifdef __NR_fadvise64
-        {"fadvise64", __NR_fadvise64},
-#endif
-#endif
-#ifdef SYS_fadvise64_64
-#ifdef __NR_fadvise64_64
-        {"fadvise64_64", __NR_fadvise64_64},
-#endif
-#endif
-#ifdef SYS_fallocate
-#ifdef __NR_fallocate
-        {"fallocate", __NR_fallocate},
-#endif
-#endif
-#ifdef SYS_fanotify_init
-#ifdef __NR_fanotify_init
-        {"fanotify_init", __NR_fanotify_init},
-#endif
-#endif
-#ifdef SYS_fanotify_mark
-#ifdef __NR_fanotify_mark
-        {"fanotify_mark", __NR_fanotify_mark},
-#endif
-#endif
-#ifdef SYS_fchdir
-#ifdef __NR_fchdir
-        {"fchdir", __NR_fchdir},
-#endif
-#endif
-#ifdef SYS_fchmod
-#ifdef __NR_fchmod
-        {"fchmod", __NR_fchmod},
-#endif
-#endif
-#ifdef SYS_fchmodat
-#ifdef __NR_fchmodat
-        {"fchmodat", __NR_fchmodat},
-#endif
-#endif
-#ifdef SYS_fchown
-#ifdef __NR_fchown
-        {"fchown", __NR_fchown},
-#endif
-#endif
-#ifdef SYS_fchown32
-#ifdef __NR_fchown32
-        {"fchown32", __NR_fchown32},
-#endif
-#endif
-#ifdef SYS_fchownat
-#ifdef __NR_fchownat
-        {"fchownat", __NR_fchownat},
-#endif
-#endif
-#ifdef SYS_fcntl
-#ifdef __NR_fcntl
-        {"fcntl", __NR_fcntl},
-#endif
-#endif
-#ifdef SYS_fcntl64
-#ifdef __NR_fcntl64
-        {"fcntl64", __NR_fcntl64},
-#endif
-#endif
-#ifdef SYS_fdatasync
-#ifdef __NR_fdatasync
-        {"fdatasync", __NR_fdatasync},
-#endif
-#endif
-#ifdef SYS_fgetxattr
-#ifdef __NR_fgetxattr
-        {"fgetxattr", __NR_fgetxattr},
-#endif
-#endif
-#ifdef SYS_finit_module
-#ifdef __NR_finit_module
-        {"finit_module", __NR_finit_module},
-#endif
-#endif
-#ifdef SYS_flistxattr
-#ifdef __NR_flistxattr
-        {"flistxattr", __NR_flistxattr},
-#endif
-#endif
-#ifdef SYS_flock
-#ifdef __NR_flock
-        {"flock", __NR_flock},
-#endif
-#endif
-#ifdef SYS_fork
-#ifdef __NR_fork
-        {"fork", __NR_fork},
-#endif
-#endif
-#ifdef SYS_fremovexattr
-#ifdef __NR_fremovexattr
-        {"fremovexattr", __NR_fremovexattr},
-#endif
-#endif
-#ifdef SYS_fsetxattr
-#ifdef __NR_fsetxattr
-        {"fsetxattr", __NR_fsetxattr},
-#endif
-#endif
-#ifdef SYS_fstat
-#ifdef __NR_fstat
-        {"fstat", __NR_fstat},
-#endif
-#endif
-#ifdef SYS_fstat64
-#ifdef __NR_fstat64
-        {"fstat64", __NR_fstat64},
-#endif
-#endif
-#ifdef SYS_fstatat64
-#ifdef __NR_fstatat64
-        {"fstatat64", __NR_fstatat64},
-#endif
-#endif
-#ifdef SYS_fstatfs
-#ifdef __NR_fstatfs
-        {"fstatfs", __NR_fstatfs},
-#endif
-#endif
-#ifdef SYS_fstatfs64
-#ifdef __NR_fstatfs64
-        {"fstatfs64", __NR_fstatfs64},
-#endif
-#endif
-#ifdef SYS_fsync
-#ifdef __NR_fsync
-        {"fsync", __NR_fsync},
-#endif
-#endif
-#ifdef SYS_ftime
-#ifdef __NR_ftime
-        {"ftime", __NR_ftime},
-#endif
-#endif
-#ifdef SYS_ftruncate
-#ifdef __NR_ftruncate
-        {"ftruncate", __NR_ftruncate},
-#endif
-#endif
-#ifdef SYS_ftruncate64
-#ifdef __NR_ftruncate64
-        {"ftruncate64", __NR_ftruncate64},
-#endif
-#endif
-#ifdef SYS_futex
-#ifdef __NR_futex
-        {"futex", __NR_futex},
-#endif
-#endif
-#ifdef SYS_futimesat
-#ifdef __NR_futimesat
-        {"futimesat", __NR_futimesat},
-#endif
-#endif
-#ifdef SYS_get_kernel_syms
-#ifdef __NR_get_kernel_syms
-        {"get_kernel_syms", __NR_get_kernel_syms},
-#endif
-#endif
-#ifdef SYS_get_mempolicy
-#ifdef __NR_get_mempolicy
-        {"get_mempolicy", __NR_get_mempolicy},
-#endif
-#endif
-#ifdef SYS_get_robust_list
-#ifdef __NR_get_robust_list
-        {"get_robust_list", __NR_get_robust_list},
-#endif
-#endif
-#ifdef SYS_get_thread_area
-#ifdef __NR_get_thread_area
-        {"get_thread_area", __NR_get_thread_area},
-#endif
-#endif
-#ifdef SYS_getcpu
-#ifdef __NR_getcpu
-        {"getcpu", __NR_getcpu},
-#endif
-#endif
-#ifdef SYS_getcwd
-#ifdef __NR_getcwd
-        {"getcwd", __NR_getcwd},
-#endif
-#endif
-#ifdef SYS_getdents
-#ifdef __NR_getdents
-        {"getdents", __NR_getdents},
-#endif
-#endif
-#ifdef SYS_getdents64
-#ifdef __NR_getdents64
-        {"getdents64", __NR_getdents64},
-#endif
-#endif
-#ifdef SYS_getegid
-#ifdef __NR_getegid
-        {"getegid", __NR_getegid},
-#endif
-#endif
-#ifdef SYS_getegid32
-#ifdef __NR_getegid32
-        {"getegid32", __NR_getegid32},
-#endif
-#endif
-#ifdef SYS_geteuid
-#ifdef __NR_geteuid
-        {"geteuid", __NR_geteuid},
-#endif
-#endif
-#ifdef SYS_geteuid32
-#ifdef __NR_geteuid32
-        {"geteuid32", __NR_geteuid32},
-#endif
-#endif
-#ifdef SYS_getgid
-#ifdef __NR_getgid
-        {"getgid", __NR_getgid},
-#endif
-#endif
-#ifdef SYS_getgid32
-#ifdef __NR_getgid32
-        {"getgid32", __NR_getgid32},
-#endif
-#endif
-#ifdef SYS_getgroups
-#ifdef __NR_getgroups
-        {"getgroups", __NR_getgroups},
-#endif
-#endif
-#ifdef SYS_getgroups32
-#ifdef __NR_getgroups32
-        {"getgroups32", __NR_getgroups32},
-#endif
-#endif
-#ifdef SYS_getitimer
-#ifdef __NR_getitimer
-        {"getitimer", __NR_getitimer},
-#endif
-#endif
-#ifdef SYS_getpeername
-#ifdef __NR_getpeername
-        {"getpeername", __NR_getpeername},
-#endif
-#endif
-#ifdef SYS_getpgid
-#ifdef __NR_getpgid
-        {"getpgid", __NR_getpgid},
-#endif
-#endif
-#ifdef SYS_getpgrp
-#ifdef __NR_getpgrp
-        {"getpgrp", __NR_getpgrp},
-#endif
-#endif
-#ifdef SYS_getpid
-#ifdef __NR_getpid
-        {"getpid", __NR_getpid},
-#endif
-#endif
-#ifdef SYS_getpmsg
-#ifdef __NR_getpmsg
-        {"getpmsg", __NR_getpmsg},
-#endif
-#endif
-#ifdef SYS_getppid
-#ifdef __NR_getppid
-        {"getppid", __NR_getppid},
-#endif
-#endif
-#ifdef SYS_getpriority
-#ifdef __NR_getpriority
-        {"getpriority", __NR_getpriority},
-#endif
-#endif
-#ifdef SYS_getrandom
-#ifdef __NR_getrandom
-        {"getrandom", __NR_getrandom},
-#endif
-#endif
-#ifdef SYS_getresgid
-#ifdef __NR_getresgid
-        {"getresgid", __NR_getresgid},
-#endif
-#endif
-#ifdef SYS_getresgid32
-#ifdef __NR_getresgid32
-        {"getresgid32", __NR_getresgid32},
-#endif
-#endif
-#ifdef SYS_getresuid
-#ifdef __NR_getresuid
-        {"getresuid", __NR_getresuid},
-#endif
-#endif
-#ifdef SYS_getresuid32
-#ifdef __NR_getresuid32
-        {"getresuid32", __NR_getresuid32},
-#endif
-#endif
-#ifdef SYS_getrlimit
-#ifdef __NR_getrlimit
-        {"getrlimit", __NR_getrlimit},
-#endif
-#endif
-#ifdef SYS_getrusage
-#ifdef __NR_getrusage
-        {"getrusage", __NR_getrusage},
-#endif
-#endif
-#ifdef SYS_getsid
-#ifdef __NR_getsid
-        {"getsid", __NR_getsid},
-#endif
-#endif
-#ifdef SYS_getsockname
-#ifdef __NR_getsockname
-        {"getsockname", __NR_getsockname},
-#endif
-#endif
-#ifdef SYS_getsockopt
-#ifdef __NR_getsockopt
-        {"getsockopt", __NR_getsockopt},
-#endif
-#endif
-#ifdef SYS_gettid
-#ifdef __NR_gettid
-        {"gettid", __NR_gettid},
-#endif
-#endif
-#ifdef SYS_gettimeofday
-#ifdef __NR_gettimeofday
-        {"gettimeofday", __NR_gettimeofday},
-#endif
-#endif
-#ifdef SYS_getuid
-#ifdef __NR_getuid
-        {"getuid", __NR_getuid},
-#endif
-#endif
-#ifdef SYS_getuid32
-#ifdef __NR_getuid32
-        {"getuid32", __NR_getuid32},
-#endif
-#endif
-#ifdef SYS_getxattr
-#ifdef __NR_getxattr
-        {"getxattr", __NR_getxattr},
-#endif
-#endif
-#ifdef SYS_gtty
-#ifdef __NR_gtty
-        {"gtty", __NR_gtty},
-#endif
-#endif
-#ifdef SYS_idle
-#ifdef __NR_idle
-        {"idle", __NR_idle},
-#endif
-#endif
-#ifdef SYS_init_module
-#ifdef __NR_init_module
-        {"init_module", __NR_init_module},
-#endif
-#endif
-#ifdef SYS_inotify_add_watch
-#ifdef __NR_inotify_add_watch
-        {"inotify_add_watch", __NR_inotify_add_watch},
-#endif
-#endif
-#ifdef SYS_inotify_init
-#ifdef __NR_inotify_init
-        {"inotify_init", __NR_inotify_init},
-#endif
-#endif
-#ifdef SYS_inotify_init1
-#ifdef __NR_inotify_init1
-        {"inotify_init1", __NR_inotify_init1},
-#endif
-#endif
-#ifdef SYS_inotify_rm_watch
-#ifdef __NR_inotify_rm_watch
-        {"inotify_rm_watch", __NR_inotify_rm_watch},
-#endif
-#endif
-#ifdef SYS_io_cancel
-#ifdef __NR_io_cancel
-        {"io_cancel", __NR_io_cancel},
-#endif
-#endif
-#ifdef SYS_io_destroy
-#ifdef __NR_io_destroy
-        {"io_destroy", __NR_io_destroy},
-#endif
-#endif
-#ifdef SYS_io_getevents
-#ifdef __NR_io_getevents
-        {"io_getevents", __NR_io_getevents},
-#endif
-#endif
-#ifdef SYS_io_setup
-#ifdef __NR_io_setup
-        {"io_setup", __NR_io_setup},
-#endif
-#endif
-#ifdef SYS_io_submit
-#ifdef __NR_io_submit
-        {"io_submit", __NR_io_submit},
-#endif
-#endif
-#ifdef SYS_ioctl
-#ifdef __NR_ioctl
-        {"ioctl", __NR_ioctl},
-#endif
-#endif
-#ifdef SYS_ioperm
-#ifdef __NR_ioperm
-        {"ioperm", __NR_ioperm},
-#endif
-#endif
-#ifdef SYS_iopl
-#ifdef __NR_iopl
-        {"iopl", __NR_iopl},
-#endif
-#endif
-#ifdef SYS_ioprio_get
-#ifdef __NR_ioprio_get
-        {"ioprio_get", __NR_ioprio_get},
-#endif
-#endif
-#ifdef SYS_ioprio_set
-#ifdef __NR_ioprio_set
-        {"ioprio_set", __NR_ioprio_set},
-#endif
-#endif
-#ifdef SYS_ipc
-#ifdef __NR_ipc
-        {"ipc", __NR_ipc},
-#endif
-#endif
-#ifdef SYS_kcmp
-#ifdef __NR_kcmp
-        {"kcmp", __NR_kcmp},
-#endif
-#endif
-#ifdef SYS_kexec_load
-#ifdef __NR_kexec_load
-        {"kexec_load", __NR_kexec_load},
-#endif
-#endif
-#ifdef SYS_keyctl
-#ifdef __NR_keyctl
-        {"keyctl", __NR_keyctl},
-#endif
-#endif
-#ifdef SYS_kill
-#ifdef __NR_kill
-        {"kill", __NR_kill},
-#endif
-#endif
-#ifdef SYS_lchown
-#ifdef __NR_lchown
-        {"lchown", __NR_lchown},
-#endif
-#endif
-#ifdef SYS_lchown32
-#ifdef __NR_lchown32
-        {"lchown32", __NR_lchown32},
-#endif
-#endif
-#ifdef SYS_lgetxattr
-#ifdef __NR_lgetxattr
-        {"lgetxattr", __NR_lgetxattr},
-#endif
-#endif
-#ifdef SYS_link
-#ifdef __NR_link
-        {"link", __NR_link},
-#endif
-#endif
-#ifdef SYS_linkat
-#ifdef __NR_linkat
-        {"linkat", __NR_linkat},
-#endif
-#endif
-#ifdef SYS_listen
-#ifdef __NR_listen
-        {"listen", __NR_listen},
-#endif
-#endif
-#ifdef SYS_listxattr
-#ifdef __NR_listxattr
-        {"listxattr", __NR_listxattr},
-#endif
-#endif
-#ifdef SYS_llistxattr
-#ifdef __NR_llistxattr
-        {"llistxattr", __NR_llistxattr},
-#endif
-#endif
-#ifdef SYS_lock
-#ifdef __NR_lock
-        {"lock", __NR_lock},
-#endif
-#endif
-#ifdef SYS_lookup_dcookie
-#ifdef __NR_lookup_dcookie
-        {"lookup_dcookie", __NR_lookup_dcookie},
-#endif
-#endif
-#ifdef SYS_lremovexattr
-#ifdef __NR_lremovexattr
-        {"lremovexattr", __NR_lremovexattr},
-#endif
-#endif
-#ifdef SYS_lseek
-#ifdef __NR_lseek
-        {"lseek", __NR_lseek},
-#endif
-#endif
-#ifdef SYS_lsetxattr
-#ifdef __NR_lsetxattr
-        {"lsetxattr", __NR_lsetxattr},
-#endif
-#endif
-#ifdef SYS_lstat
-#ifdef __NR_lstat
-        {"lstat", __NR_lstat},
-#endif
-#endif
-#ifdef SYS_lstat64
-#ifdef __NR_lstat64
-        {"lstat64", __NR_lstat64},
-#endif
-#endif
-#ifdef SYS_madvise
-#ifdef __NR_madvise
-        {"madvise", __NR_madvise},
-#endif
-#endif
-#ifdef SYS_mbind
-#ifdef __NR_mbind
-        {"mbind", __NR_mbind},
-#endif
-#endif
-#ifdef SYS_membarrier
-#ifdef __NR_membarrier
-        {"membarrier", __NR_membarrier},
-#endif
-#endif
-#ifdef SYS_memfd_create
-#ifdef __NR_memfd_create
-        {"memfd_create", __NR_memfd_create},
-#endif
-#endif
-#ifdef SYS_migrate_pages
-#ifdef __NR_migrate_pages
-        {"migrate_pages", __NR_migrate_pages},
-#endif
-#endif
-#ifdef SYS_mincore
-#ifdef __NR_mincore
-        {"mincore", __NR_mincore},
-#endif
-#endif
-#ifdef SYS_mkdir
-#ifdef __NR_mkdir
-        {"mkdir", __NR_mkdir},
-#endif
-#endif
-#ifdef SYS_mkdirat
-#ifdef __NR_mkdirat
-        {"mkdirat", __NR_mkdirat},
-#endif
-#endif
-#ifdef SYS_mknod
-#ifdef __NR_mknod
-        {"mknod", __NR_mknod},
-#endif
-#endif
-#ifdef SYS_mknodat
-#ifdef __NR_mknodat
-        {"mknodat", __NR_mknodat},
-#endif
-#endif
-#ifdef SYS_mlock
-#ifdef __NR_mlock
-        {"mlock", __NR_mlock},
-#endif
-#endif
-#ifdef SYS_mlock2
-#ifdef __NR_mlock2
-        {"mlock2", __NR_mlock2},
-#endif
-#endif
-#ifdef SYS_mlockall
-#ifdef __NR_mlockall
-        {"mlockall", __NR_mlockall},
-#endif
-#endif
-#ifdef SYS_mmap
-#ifdef __NR_mmap
-        {"mmap", __NR_mmap},
-#endif
-#endif
-#ifdef SYS_mmap2
-#ifdef __NR_mmap2
-        {"mmap2", __NR_mmap2},
-#endif
-#endif
-#ifdef SYS_modify_ldt
-#ifdef __NR_modify_ldt
-        {"modify_ldt", __NR_modify_ldt},
-#endif
-#endif
-#ifdef SYS_mount
-#ifdef __NR_mount
-        {"mount", __NR_mount},
-#endif
-#endif
-#ifdef SYS_move_pages
-#ifdef __NR_move_pages
-        {"move_pages", __NR_move_pages},
-#endif
-#endif
-#ifdef SYS_mprotect
-#ifdef __NR_mprotect
-        {"mprotect", __NR_mprotect},
-#endif
-#endif
-#ifdef SYS_mpx
-#ifdef __NR_mpx
-        {"mpx", __NR_mpx},
-#endif
-#endif
-#ifdef SYS_mq_getsetattr
-#ifdef __NR_mq_getsetattr
-        {"mq_getsetattr", __NR_mq_getsetattr},
-#endif
-#endif
-#ifdef SYS_mq_notify
-#ifdef __NR_mq_notify
-        {"mq_notify", __NR_mq_notify},
-#endif
-#endif
-#ifdef SYS_mq_open
-#ifdef __NR_mq_open
-        {"mq_open", __NR_mq_open},
-#endif
-#endif
-#ifdef SYS_mq_timedreceive
-#ifdef __NR_mq_timedreceive
-        {"mq_timedreceive", __NR_mq_timedreceive},
-#endif
-#endif
-#ifdef SYS_mq_timedsend
-#ifdef __NR_mq_timedsend
-        {"mq_timedsend", __NR_mq_timedsend},
-#endif
-#endif
-#ifdef SYS_mq_unlink
-#ifdef __NR_mq_unlink
-        {"mq_unlink", __NR_mq_unlink},
-#endif
-#endif
-#ifdef SYS_mremap
-#ifdef __NR_mremap
-        {"mremap", __NR_mremap},
-#endif
-#endif
-#ifdef SYS_msync
-#ifdef __NR_msync
-        {"msync", __NR_msync},
-#endif
-#endif
-#ifdef SYS_munlock
-#ifdef __NR_munlock
-        {"munlock", __NR_munlock},
-#endif
-#endif
-#ifdef SYS_munlockall
-#ifdef __NR_munlockall
-        {"munlockall", __NR_munlockall},
-#endif
-#endif
-#ifdef SYS_munmap
-#ifdef __NR_munmap
-        {"munmap", __NR_munmap},
-#endif
-#endif
-#ifdef SYS_name_to_handle_at
-#ifdef __NR_name_to_handle_at
-        {"name_to_handle_at", __NR_name_to_handle_at},
-#endif
-#endif
-#ifdef SYS_nanosleep
-#ifdef __NR_nanosleep
-        {"nanosleep", __NR_nanosleep},
-#endif
-#endif
-#ifdef SYS_nfsservctl
-#ifdef __NR_nfsservctl
-        {"nfsservctl", __NR_nfsservctl},
-#endif
-#endif
-#ifdef SYS_nice
-#ifdef __NR_nice
-        {"nice", __NR_nice},
-#endif
-#endif
-#ifdef SYS_oldfstat
-#ifdef __NR_oldfstat
-        {"oldfstat", __NR_oldfstat},
-#endif
-#endif
-#ifdef SYS_oldlstat
-#ifdef __NR_oldlstat
-        {"oldlstat", __NR_oldlstat},
-#endif
-#endif
-#ifdef SYS_oldolduname
-#ifdef __NR_oldolduname
-        {"oldolduname", __NR_oldolduname},
-#endif
-#endif
-#ifdef SYS_oldstat
-#ifdef __NR_oldstat
-        {"oldstat", __NR_oldstat},
-#endif
-#endif
-#ifdef SYS_olduname
-#ifdef __NR_olduname
-        {"olduname", __NR_olduname},
-#endif
-#endif
-#ifdef SYS_open
-#ifdef __NR_open
-        {"open", __NR_open},
-#endif
-#endif
-#ifdef SYS_open_by_handle_at
-#ifdef __NR_open_by_handle_at
-        {"open_by_handle_at", __NR_open_by_handle_at},
-#endif
-#endif
-#ifdef SYS_openat
-#ifdef __NR_openat
-        {"openat", __NR_openat},
-#endif
-#endif
-#ifdef SYS_pause
-#ifdef __NR_pause
-        {"pause", __NR_pause},
-#endif
-#endif
-#ifdef SYS_perf_event_open
-#ifdef __NR_perf_event_open
-        {"perf_event_open", __NR_perf_event_open},
-#endif
-#endif
-#ifdef SYS_personality
-#ifdef __NR_personality
-        {"personality", __NR_personality},
-#endif
-#endif
-#ifdef SYS_pipe
-#ifdef __NR_pipe
-        {"pipe", __NR_pipe},
-#endif
-#endif
-#ifdef SYS_pipe2
-#ifdef __NR_pipe2
-        {"pipe2", __NR_pipe2},
-#endif
-#endif
-#ifdef SYS_pivot_root
-#ifdef __NR_pivot_root
-        {"pivot_root", __NR_pivot_root},
-#endif
-#endif
-#ifdef SYS_poll
-#ifdef __NR_poll
-        {"poll", __NR_poll},
-#endif
-#endif
-#ifdef SYS_ppoll
-#ifdef __NR_ppoll
-        {"ppoll", __NR_ppoll},
-#endif
-#endif
-#ifdef SYS_prctl
-#ifdef __NR_prctl
-        {"prctl", __NR_prctl},
-#endif
-#endif
-#ifdef SYS_pread64
-#ifdef __NR_pread64
-        {"pread64", __NR_pread64},
-#endif
-#endif
-#ifdef SYS_preadv
-#ifdef __NR_preadv
-        {"preadv", __NR_preadv},
-#endif
-#endif
-#ifdef SYS_preadv2
-#ifdef __NR_preadv2
-        {"preadv2", __NR_preadv2},
-#endif
-#endif
-#ifdef SYS_prlimit64
-#ifdef __NR_prlimit64
-        {"prlimit64", __NR_prlimit64},
-#endif
-#endif
-#ifdef SYS_process_vm_readv
-#ifdef __NR_process_vm_readv
-        {"process_vm_readv", __NR_process_vm_readv},
-#endif
-#endif
-#ifdef SYS_process_vm_writev
-#ifdef __NR_process_vm_writev
-        {"process_vm_writev", __NR_process_vm_writev},
-#endif
-#endif
-#ifdef SYS_prof
-#ifdef __NR_prof
-        {"prof", __NR_prof},
-#endif
-#endif
-#ifdef SYS_profil
-#ifdef __NR_profil
-        {"profil", __NR_profil},
-#endif
-#endif
-#ifdef SYS_pselect6
-#ifdef __NR_pselect6
-        {"pselect6", __NR_pselect6},
-#endif
-#endif
-#ifdef SYS_ptrace
-#ifdef __NR_ptrace
-        {"ptrace", __NR_ptrace},
-#endif
-#endif
-#ifdef SYS_putpmsg
-#ifdef __NR_putpmsg
-        {"putpmsg", __NR_putpmsg},
-#endif
-#endif
-#ifdef SYS_pwrite64
-#ifdef __NR_pwrite64
-        {"pwrite64", __NR_pwrite64},
-#endif
-#endif
-#ifdef SYS_pwritev
-#ifdef __NR_pwritev
-        {"pwritev", __NR_pwritev},
-#endif
-#endif
-#ifdef SYS_pwritev2
-#ifdef __NR_pwritev2
-        {"pwritev2", __NR_pwritev2},
-#endif
-#endif
-#ifdef SYS_query_module
-#ifdef __NR_query_module
-        {"query_module", __NR_query_module},
-#endif
-#endif
-#ifdef SYS_quotactl
-#ifdef __NR_quotactl
-        {"quotactl", __NR_quotactl},
-#endif
-#endif
-#ifdef SYS_read
-#ifdef __NR_read
-        {"read", __NR_read},
-#endif
-#endif
-#ifdef SYS_readahead
-#ifdef __NR_readahead
-        {"readahead", __NR_readahead},
-#endif
-#endif
-#ifdef SYS_readdir
-#ifdef __NR_readdir
-        {"readdir", __NR_readdir},
-#endif
-#endif
-#ifdef SYS_readlink
-#ifdef __NR_readlink
-        {"readlink", __NR_readlink},
-#endif
-#endif
-#ifdef SYS_readlinkat
-#ifdef __NR_readlinkat
-        {"readlinkat", __NR_readlinkat},
-#endif
-#endif
-#ifdef SYS_readv
-#ifdef __NR_readv
-        {"readv", __NR_readv},
-#endif
-#endif
-#ifdef SYS_reboot
-#ifdef __NR_reboot
-        {"reboot", __NR_reboot},
-#endif
-#endif
-#ifdef SYS_recvfrom
-#ifdef __NR_recvfrom
-        {"recvfrom", __NR_recvfrom},
-#endif
-#endif
-#ifdef SYS_recvmmsg
-#ifdef __NR_recvmmsg
-        {"recvmmsg", __NR_recvmmsg},
-#endif
-#endif
-#ifdef SYS_recvmsg
-#ifdef __NR_recvmsg
-        {"recvmsg", __NR_recvmsg},
-#endif
-#endif
-#ifdef SYS_remap_file_pages
-#ifdef __NR_remap_file_pages
-        {"remap_file_pages", __NR_remap_file_pages},
-#endif
-#endif
-#ifdef SYS_removexattr
-#ifdef __NR_removexattr
-        {"removexattr", __NR_removexattr},
-#endif
-#endif
-#ifdef SYS_rename
-#ifdef __NR_rename
-        {"rename", __NR_rename},
-#endif
-#endif
-#ifdef SYS_renameat
-#ifdef __NR_renameat
-        {"renameat", __NR_renameat},
-#endif
-#endif
-#ifdef SYS_renameat2
-#ifdef __NR_renameat2
-        {"renameat2", __NR_renameat2},
-#endif
-#endif
-#ifdef SYS_request_key
-#ifdef __NR_request_key
-        {"request_key", __NR_request_key},
-#endif
-#endif
-#ifdef SYS_restart_syscall
-#ifdef __NR_restart_syscall
-        {"restart_syscall", __NR_restart_syscall},
-#endif
-#endif
-#ifdef SYS_rmdir
-#ifdef __NR_rmdir
-        {"rmdir", __NR_rmdir},
-#endif
-#endif
-#ifdef SYS_rt_sigaction
-#ifdef __NR_rt_sigaction
-        {"rt_sigaction", __NR_rt_sigaction},
-#endif
-#endif
-#ifdef SYS_rt_sigpending
-#ifdef __NR_rt_sigpending
-        {"rt_sigpending", __NR_rt_sigpending},
-#endif
-#endif
-#ifdef SYS_rt_sigprocmask
-#ifdef __NR_rt_sigprocmask
-        {"rt_sigprocmask", __NR_rt_sigprocmask},
-#endif
-#endif
-#ifdef SYS_rt_sigqueueinfo
-#ifdef __NR_rt_sigqueueinfo
-        {"rt_sigqueueinfo", __NR_rt_sigqueueinfo},
-#endif
-#endif
-#ifdef SYS_rt_sigreturn
-#ifdef __NR_rt_sigreturn
-        {"rt_sigreturn", __NR_rt_sigreturn},
-#endif
-#endif
-#ifdef SYS_rt_sigsuspend
-#ifdef __NR_rt_sigsuspend
-        {"rt_sigsuspend", __NR_rt_sigsuspend},
-#endif
-#endif
-#ifdef SYS_rt_sigtimedwait
-#ifdef __NR_rt_sigtimedwait
-        {"rt_sigtimedwait", __NR_rt_sigtimedwait},
-#endif
-#endif
-#ifdef SYS_rt_tgsigqueueinfo
-#ifdef __NR_rt_tgsigqueueinfo
-        {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_max
-#ifdef __NR_sched_get_priority_max
-        {"sched_get_priority_max", __NR_sched_get_priority_max},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_min
-#ifdef __NR_sched_get_priority_min
-        {"sched_get_priority_min", __NR_sched_get_priority_min},
-#endif
-#endif
-#ifdef SYS_sched_getaffinity
-#ifdef __NR_sched_getaffinity
-        {"sched_getaffinity", __NR_sched_getaffinity},
-#endif
-#endif
-#ifdef SYS_sched_getattr
-#ifdef __NR_sched_getattr
-        {"sched_getattr", __NR_sched_getattr},
-#endif
-#endif
-#ifdef SYS_sched_getparam
-#ifdef __NR_sched_getparam
-        {"sched_getparam", __NR_sched_getparam},
-#endif
-#endif
-#ifdef SYS_sched_getscheduler
-#ifdef __NR_sched_getscheduler
-        {"sched_getscheduler", __NR_sched_getscheduler},
-#endif
-#endif
-#ifdef SYS_sched_rr_get_interval
-#ifdef __NR_sched_rr_get_interval
-        {"sched_rr_get_interval", __NR_sched_rr_get_interval},
-#endif
-#endif
-#ifdef SYS_sched_setaffinity
-#ifdef __NR_sched_setaffinity
-        {"sched_setaffinity", __NR_sched_setaffinity},
-#endif
-#endif
-#ifdef SYS_sched_setattr
-#ifdef __NR_sched_setattr
-        {"sched_setattr", __NR_sched_setattr},
-#endif
-#endif
-#ifdef SYS_sched_setparam
-#ifdef __NR_sched_setparam
-        {"sched_setparam", __NR_sched_setparam},
-#endif
-#endif
-#ifdef SYS_sched_setscheduler
-#ifdef __NR_sched_setscheduler
-        {"sched_setscheduler", __NR_sched_setscheduler},
-#endif
-#endif
-#ifdef SYS_sched_yield
-#ifdef __NR_sched_yield
-        {"sched_yield", __NR_sched_yield},
-#endif
-#endif
-#ifdef SYS_seccomp
-#ifdef __NR_seccomp
-        {"seccomp", __NR_seccomp},
-#endif
-#endif
-#ifdef SYS_select
-#ifdef __NR_select
-        {"select", __NR_select},
-#endif
-#endif
-#ifdef SYS_sendfile
-#ifdef __NR_sendfile
-        {"sendfile", __NR_sendfile},
-#endif
-#endif
-#ifdef SYS_sendfile64
-#ifdef __NR_sendfile64
-        {"sendfile64", __NR_sendfile64},
-#endif
-#endif
-#ifdef SYS_sendmmsg
-#ifdef __NR_sendmmsg
-        {"sendmmsg", __NR_sendmmsg},
-#endif
-#endif
-#ifdef SYS_sendmsg
-#ifdef __NR_sendmsg
-        {"sendmsg", __NR_sendmsg},
-#endif
-#endif
-#ifdef SYS_sendto
-#ifdef __NR_sendto
-        {"sendto", __NR_sendto},
-#endif
-#endif
-#ifdef SYS_set_mempolicy
-#ifdef __NR_set_mempolicy
-        {"set_mempolicy", __NR_set_mempolicy},
-#endif
-#endif
-#ifdef SYS_set_robust_list
-#ifdef __NR_set_robust_list
-        {"set_robust_list", __NR_set_robust_list},
-#endif
-#endif
-#ifdef SYS_set_thread_area
-#ifdef __NR_set_thread_area
-        {"set_thread_area", __NR_set_thread_area},
-#endif
-#endif
-#ifdef SYS_set_tid_address
-#ifdef __NR_set_tid_address
-        {"set_tid_address", __NR_set_tid_address},
-#endif
-#endif
-#ifdef SYS_setdomainname
-#ifdef __NR_setdomainname
-        {"setdomainname", __NR_setdomainname},
-#endif
-#endif
-#ifdef SYS_setfsgid
-#ifdef __NR_setfsgid
-        {"setfsgid", __NR_setfsgid},
-#endif
-#endif
-#ifdef SYS_setfsgid32
-#ifdef __NR_setfsgid32
-        {"setfsgid32", __NR_setfsgid32},
-#endif
-#endif
-#ifdef SYS_setfsuid
-#ifdef __NR_setfsuid
-        {"setfsuid", __NR_setfsuid},
-#endif
-#endif
-#ifdef SYS_setfsuid32
-#ifdef __NR_setfsuid32
-        {"setfsuid32", __NR_setfsuid32},
-#endif
-#endif
-#ifdef SYS_setgid
-#ifdef __NR_setgid
-        {"setgid", __NR_setgid},
-#endif
-#endif
-#ifdef SYS_setgid32
-#ifdef __NR_setgid32
-        {"setgid32", __NR_setgid32},
-#endif
-#endif
-#ifdef SYS_setgroups
-#ifdef __NR_setgroups
-        {"setgroups", __NR_setgroups},
-#endif
-#endif
-#ifdef SYS_setgroups32
-#ifdef __NR_setgroups32
-        {"setgroups32", __NR_setgroups32},
-#endif
-#endif
-#ifdef SYS_sethostname
-#ifdef __NR_sethostname
-        {"sethostname", __NR_sethostname},
-#endif
-#endif
-#ifdef SYS_setitimer
-#ifdef __NR_setitimer
-        {"setitimer", __NR_setitimer},
-#endif
-#endif
-#ifdef SYS_setns
-#ifdef __NR_setns
-        {"setns", __NR_setns},
-#endif
-#endif
-#ifdef SYS_setpgid
-#ifdef __NR_setpgid
-        {"setpgid", __NR_setpgid},
-#endif
-#endif
-#ifdef SYS_setpriority
-#ifdef __NR_setpriority
-        {"setpriority", __NR_setpriority},
-#endif
-#endif
-#ifdef SYS_setregid
-#ifdef __NR_setregid
-        {"setregid", __NR_setregid},
-#endif
-#endif
-#ifdef SYS_setregid32
-#ifdef __NR_setregid32
-        {"setregid32", __NR_setregid32},
-#endif
-#endif
-#ifdef SYS_setresgid
-#ifdef __NR_setresgid
-        {"setresgid", __NR_setresgid},
-#endif
-#endif
-#ifdef SYS_setresgid32
-#ifdef __NR_setresgid32
-        {"setresgid32", __NR_setresgid32},
-#endif
-#endif
-#ifdef SYS_setresuid
-#ifdef __NR_setresuid
-        {"setresuid", __NR_setresuid},
-#endif
-#endif
-#ifdef SYS_setresuid32
-#ifdef __NR_setresuid32
-        {"setresuid32", __NR_setresuid32},
-#endif
-#endif
-#ifdef SYS_setreuid
-#ifdef __NR_setreuid
-        {"setreuid", __NR_setreuid},
-#endif
-#endif
-#ifdef SYS_setreuid32
-#ifdef __NR_setreuid32
-        {"setreuid32", __NR_setreuid32},
-#endif
-#endif
-#ifdef SYS_setrlimit
-#ifdef __NR_setrlimit
-        {"setrlimit", __NR_setrlimit},
-#endif
-#endif
-#ifdef SYS_setsid
-#ifdef __NR_setsid
-        {"setsid", __NR_setsid},
-#endif
-#endif
-#ifdef SYS_setsockopt
-#ifdef __NR_setsockopt
-        {"setsockopt", __NR_setsockopt},
-#endif
-#endif
-#ifdef SYS_settimeofday
-#ifdef __NR_settimeofday
-        {"settimeofday", __NR_settimeofday},
-#endif
-#endif
-#ifdef SYS_setuid
-#ifdef __NR_setuid
-        {"setuid", __NR_setuid},
-#endif
-#endif
-#ifdef SYS_setuid32
-#ifdef __NR_setuid32
-        {"setuid32", __NR_setuid32},
-#endif
-#endif
-#ifdef SYS_setxattr
-#ifdef __NR_setxattr
-        {"setxattr", __NR_setxattr},
-#endif
-#endif
-#ifdef SYS_sgetmask
-#ifdef __NR_sgetmask
-        {"sgetmask", __NR_sgetmask},
-#endif
-#endif
-#ifdef SYS_shutdown
-#ifdef __NR_shutdown
-        {"shutdown", __NR_shutdown},
-#endif
-#endif
-#ifdef SYS_sigaction
-#ifdef __NR_sigaction
-        {"sigaction", __NR_sigaction},
-#endif
-#endif
-#ifdef SYS_sigaltstack
-#ifdef __NR_sigaltstack
-        {"sigaltstack", __NR_sigaltstack},
-#endif
-#endif
-#ifdef SYS_signal
-#ifdef __NR_signal
-        {"signal", __NR_signal},
-#endif
-#endif
-#ifdef SYS_signalfd
-#ifdef __NR_signalfd
-        {"signalfd", __NR_signalfd},
-#endif
-#endif
-#ifdef SYS_signalfd4
-#ifdef __NR_signalfd4
-        {"signalfd4", __NR_signalfd4},
-#endif
-#endif
-#ifdef SYS_sigpending
-#ifdef __NR_sigpending
-        {"sigpending", __NR_sigpending},
-#endif
-#endif
-#ifdef SYS_sigprocmask
-#ifdef __NR_sigprocmask
-        {"sigprocmask", __NR_sigprocmask},
-#endif
-#endif
-#ifdef SYS_sigreturn
-#ifdef __NR_sigreturn
-        {"sigreturn", __NR_sigreturn},
-#endif
-#endif
-#ifdef SYS_sigsuspend
-#ifdef __NR_sigsuspend
-        {"sigsuspend", __NR_sigsuspend},
-#endif
-#endif
-#ifdef SYS_socket
-#ifdef __NR_socket
-        {"socket", __NR_socket},
-#endif
-#endif
-#ifdef SYS_socketcall
-#ifdef __NR_socketcall
-        {"socketcall", __NR_socketcall},
-#endif
-#endif
-#ifdef SYS_socketpair
-#ifdef __NR_socketpair
-        {"socketpair", __NR_socketpair},
-#endif
-#endif
-#ifdef SYS_splice
-#ifdef __NR_splice
-        {"splice", __NR_splice},
-#endif
-#endif
-#ifdef SYS_ssetmask
-#ifdef __NR_ssetmask
-        {"ssetmask", __NR_ssetmask},
-#endif
-#endif
-#ifdef SYS_stat
-#ifdef __NR_stat
-        {"stat", __NR_stat},
-#endif
-#endif
-#ifdef SYS_stat64
-#ifdef __NR_stat64
-        {"stat64", __NR_stat64},
-#endif
-#endif
-#ifdef SYS_statfs
-#ifdef __NR_statfs
-        {"statfs", __NR_statfs},
-#endif
-#endif
-#ifdef SYS_statfs64
-#ifdef __NR_statfs64
-        {"statfs64", __NR_statfs64},
-#endif
-#endif
-#ifdef SYS_stime
-#ifdef __NR_stime
-        {"stime", __NR_stime},
-#endif
-#endif
-#ifdef SYS_stty
-#ifdef __NR_stty
-        {"stty", __NR_stty},
-#endif
-#endif
-#ifdef SYS_swapoff
-#ifdef __NR_swapoff
-        {"swapoff", __NR_swapoff},
-#endif
-#endif
-#ifdef SYS_swapon
-#ifdef __NR_swapon
-        {"swapon", __NR_swapon},
-#endif
-#endif
-#ifdef SYS_symlink
-#ifdef __NR_symlink
-        {"symlink", __NR_symlink},
-#endif
-#endif
-#ifdef SYS_symlinkat
-#ifdef __NR_symlinkat
-        {"symlinkat", __NR_symlinkat},
-#endif
-#endif
-#ifdef SYS_sync
-#ifdef __NR_sync
-        {"sync", __NR_sync},
-#endif
-#endif
-#ifdef SYS_sync_file_range
-#ifdef __NR_sync_file_range
-        {"sync_file_range", __NR_sync_file_range},
-#endif
-#endif
-#ifdef SYS_syncfs
-#ifdef __NR_syncfs
-        {"syncfs", __NR_syncfs},
-#endif
-#endif
-#ifdef SYS_sysfs
-#ifdef __NR_sysfs
-        {"sysfs", __NR_sysfs},
-#endif
-#endif
-#ifdef SYS_sysinfo
-#ifdef __NR_sysinfo
-        {"sysinfo", __NR_sysinfo},
-#endif
-#endif
-#ifdef SYS_syslog
-#ifdef __NR_syslog
-        {"syslog", __NR_syslog},
-#endif
-#endif
-#ifdef SYS_tee
-#ifdef __NR_tee
-        {"tee", __NR_tee},
-#endif
-#endif
-#ifdef SYS_tgkill
-#ifdef __NR_tgkill
-        {"tgkill", __NR_tgkill},
-#endif
-#endif
-#ifdef SYS_time
-#ifdef __NR_time
-        {"time", __NR_time},
-#endif
-#endif
-#ifdef SYS_timer_create
-#ifdef __NR_timer_create
-        {"timer_create", __NR_timer_create},
-#endif
-#endif
-#ifdef SYS_timer_delete
-#ifdef __NR_timer_delete
-        {"timer_delete", __NR_timer_delete},
-#endif
-#endif
-#ifdef SYS_timer_getoverrun
-#ifdef __NR_timer_getoverrun
-        {"timer_getoverrun", __NR_timer_getoverrun},
-#endif
-#endif
-#ifdef SYS_timer_gettime
-#ifdef __NR_timer_gettime
-        {"timer_gettime", __NR_timer_gettime},
-#endif
-#endif
-#ifdef SYS_timer_settime
-#ifdef __NR_timer_settime
-        {"timer_settime", __NR_timer_settime},
-#endif
-#endif
-#ifdef SYS_timerfd_create
-#ifdef __NR_timerfd_create
-        {"timerfd_create", __NR_timerfd_create},
-#endif
-#endif
-#ifdef SYS_timerfd_gettime
-#ifdef __NR_timerfd_gettime
-        {"timerfd_gettime", __NR_timerfd_gettime},
-#endif
-#endif
-#ifdef SYS_timerfd_settime
-#ifdef __NR_timerfd_settime
-        {"timerfd_settime", __NR_timerfd_settime},
-#endif
-#endif
-#ifdef SYS_times
-#ifdef __NR_times
-        {"times", __NR_times},
-#endif
-#endif
-#ifdef SYS_tkill
-#ifdef __NR_tkill
-        {"tkill", __NR_tkill},
-#endif
-#endif
-#ifdef SYS_truncate
-#ifdef __NR_truncate
-        {"truncate", __NR_truncate},
-#endif
-#endif
-#ifdef SYS_truncate64
-#ifdef __NR_truncate64
-        {"truncate64", __NR_truncate64},
-#endif
-#endif
-#ifdef SYS_ugetrlimit
-#ifdef __NR_ugetrlimit
-        {"ugetrlimit", __NR_ugetrlimit},
-#endif
-#endif
-#ifdef SYS_ulimit
-#ifdef __NR_ulimit
-        {"ulimit", __NR_ulimit},
-#endif
-#endif
-#ifdef SYS_umask
-#ifdef __NR_umask
-        {"umask", __NR_umask},
-#endif
-#endif
-#ifdef SYS_umount
-#ifdef __NR_umount
-        {"umount", __NR_umount},
-#endif
-#endif
-#ifdef SYS_umount2
-#ifdef __NR_umount2
-        {"umount2", __NR_umount2},
-#endif
-#endif
-#ifdef SYS_uname
-#ifdef __NR_uname
-        {"uname", __NR_uname},
-#endif
-#endif
-#ifdef SYS_unlink
-#ifdef __NR_unlink
-        {"unlink", __NR_unlink},
-#endif
-#endif
-#ifdef SYS_unlinkat
-#ifdef __NR_unlinkat
-        {"unlinkat", __NR_unlinkat},
-#endif
-#endif
-#ifdef SYS_unshare
-#ifdef __NR_unshare
-        {"unshare", __NR_unshare},
-#endif
-#endif
-#ifdef SYS_uselib
-#ifdef __NR_uselib
-        {"uselib", __NR_uselib},
-#endif
-#endif
-#ifdef SYS_userfaultfd
-#ifdef __NR_userfaultfd
-        {"userfaultfd", __NR_userfaultfd},
-#endif
-#endif
-#ifdef SYS_ustat
-#ifdef __NR_ustat
-        {"ustat", __NR_ustat},
-#endif
-#endif
-#ifdef SYS_utime
-#ifdef __NR_utime
-        {"utime", __NR_utime},
-#endif
-#endif
-#ifdef SYS_utimensat
-#ifdef __NR_utimensat
-        {"utimensat", __NR_utimensat},
-#endif
-#endif
-#ifdef SYS_utimes
-#ifdef __NR_utimes
-        {"utimes", __NR_utimes},
-#endif
-#endif
-#ifdef SYS_vfork
-#ifdef __NR_vfork
-        {"vfork", __NR_vfork},
-#endif
-#endif
-#ifdef SYS_vhangup
-#ifdef __NR_vhangup
-        {"vhangup", __NR_vhangup},
-#endif
-#endif
-#ifdef SYS_vm86
-#ifdef __NR_vm86
-        {"vm86", __NR_vm86},
-#endif
-#endif
-#ifdef SYS_vm86old
-#ifdef __NR_vm86old
-        {"vm86old", __NR_vm86old},
-#endif
-#endif
-#ifdef SYS_vmsplice
-#ifdef __NR_vmsplice
-        {"vmsplice", __NR_vmsplice},
-#endif
-#endif
-#ifdef SYS_vserver
-#ifdef __NR_vserver
-        {"vserver", __NR_vserver},
-#endif
-#endif
-#ifdef SYS_wait4
-#ifdef __NR_wait4
-        {"wait4", __NR_wait4},
-#endif
-#endif
-#ifdef SYS_waitid
-#ifdef __NR_waitid
-        {"waitid", __NR_waitid},
-#endif
-#endif
-#ifdef SYS_waitpid
-#ifdef __NR_waitpid
-        {"waitpid", __NR_waitpid},
-#endif
-#endif
-#ifdef SYS_write
-#ifdef __NR_write
-        {"write", __NR_write},
-#endif
-#endif
-#ifdef SYS_writev
-#ifdef __NR_writev
-        {"writev", __NR_writev},
-#endif
-#endif
-#endif
-//#endif
-#if defined __x86_64__ && defined __LP64__
-#ifdef SYS__sysctl
-#ifdef __NR__sysctl
-        {"_sysctl", __NR__sysctl},
-#endif
-#endif
-#ifdef SYS_accept
-#ifdef __NR_accept
-        {"accept", __NR_accept},
-#endif
-#endif
-#ifdef SYS_accept4
-#ifdef __NR_accept4
-        {"accept4", __NR_accept4},
-#endif
-#endif
-#ifdef SYS_access
-#ifdef __NR_access
-        {"access", __NR_access},
-#endif
-#endif
-#ifdef SYS_acct
-#ifdef __NR_acct
-        {"acct", __NR_acct},
-#endif
-#endif
-#ifdef SYS_add_key
-#ifdef __NR_add_key
-        {"add_key", __NR_add_key},
-#endif
-#endif
-#ifdef SYS_adjtimex
-#ifdef __NR_adjtimex
-        {"adjtimex", __NR_adjtimex},
-#endif
-#endif
-#ifdef SYS_afs_syscall
-#ifdef __NR_afs_syscall
-        {"afs_syscall", __NR_afs_syscall},
-#endif
-#endif
-#ifdef SYS_alarm
-#ifdef __NR_alarm
-        {"alarm", __NR_alarm},
-#endif
-#endif
-#ifdef SYS_arch_prctl
-#ifdef __NR_arch_prctl
-        {"arch_prctl", __NR_arch_prctl},
-#endif
-#endif
-#ifdef SYS_bind
-#ifdef __NR_bind
-        {"bind", __NR_bind},
-#endif
-#endif
-#ifdef SYS_bpf
-#ifdef __NR_bpf
-        {"bpf", __NR_bpf},
-#endif
-#endif
-#ifdef SYS_brk
-#ifdef __NR_brk
-        {"brk", __NR_brk},
-#endif
-#endif
-#ifdef SYS_capget
-#ifdef __NR_capget
-        {"capget", __NR_capget},
-#endif
-#endif
-#ifdef SYS_capset
-#ifdef __NR_capset
-        {"capset", __NR_capset},
-#endif
-#endif
-#ifdef SYS_chdir
-#ifdef __NR_chdir
-        {"chdir", __NR_chdir},
-#endif
-#endif
-#ifdef SYS_chmod
-#ifdef __NR_chmod
-        {"chmod", __NR_chmod},
-#endif
-#endif
-#ifdef SYS_chown
-#ifdef __NR_chown
-        {"chown", __NR_chown},
-#endif
-#endif
-#ifdef SYS_chroot
-#ifdef __NR_chroot
-        {"chroot", __NR_chroot},
-#endif
-#endif
-#ifdef SYS_clock_adjtime
-#ifdef __NR_clock_adjtime
-        {"clock_adjtime", __NR_clock_adjtime},
-#endif
-#endif
-#ifdef SYS_clock_getres
-#ifdef __NR_clock_getres
-        {"clock_getres", __NR_clock_getres},
-#endif
-#endif
-#ifdef SYS_clock_gettime
-#ifdef __NR_clock_gettime
-        {"clock_gettime", __NR_clock_gettime},
-#endif
-#endif
-#ifdef SYS_clock_nanosleep
-#ifdef __NR_clock_nanosleep
-        {"clock_nanosleep", __NR_clock_nanosleep},
-#endif
-#endif
-#ifdef SYS_clock_settime
-#ifdef __NR_clock_settime
-        {"clock_settime", __NR_clock_settime},
-#endif
-#endif
-#ifdef SYS_clone
-#ifdef __NR_clone
-        {"clone", __NR_clone},
-#endif
-#endif
-#ifdef SYS_close
-#ifdef __NR_close
-        {"close", __NR_close},
-#endif
-#endif
-#ifdef SYS_connect
-#ifdef __NR_connect
-        {"connect", __NR_connect},
-#endif
-#endif
-#ifdef SYS_copy_file_range
-#ifdef __NR_copy_file_range
-        {"copy_file_range", __NR_copy_file_range},
-#endif
-#endif
-#ifdef SYS_creat
-#ifdef __NR_creat
-        {"creat", __NR_creat},
-#endif
-#endif
-#ifdef SYS_create_module
-#ifdef __NR_create_module
-        {"create_module", __NR_create_module},
-#endif
-#endif
-#ifdef SYS_delete_module
-#ifdef __NR_delete_module
-        {"delete_module", __NR_delete_module},
-#endif
-#endif
-#ifdef SYS_dup
-#ifdef __NR_dup
-        {"dup", __NR_dup},
-#endif
-#endif
-#ifdef SYS_dup2
-#ifdef __NR_dup2
-        {"dup2", __NR_dup2},
-#endif
-#endif
-#ifdef SYS_dup3
-#ifdef __NR_dup3
-        {"dup3", __NR_dup3},
-#endif
-#endif
-#ifdef SYS_epoll_create
-#ifdef __NR_epoll_create
-        {"epoll_create", __NR_epoll_create},
-#endif
-#endif
-#ifdef SYS_epoll_create1
-#ifdef __NR_epoll_create1
-        {"epoll_create1", __NR_epoll_create1},
-#endif
-#endif
-#ifdef SYS_epoll_ctl
-#ifdef __NR_epoll_ctl
-        {"epoll_ctl", __NR_epoll_ctl},
-#endif
-#endif
-#ifdef SYS_epoll_ctl_old
-#ifdef __NR_epoll_ctl_old
-        {"epoll_ctl_old", __NR_epoll_ctl_old},
-#endif
-#endif
-#ifdef SYS_epoll_pwait
-#ifdef __NR_epoll_pwait
-        {"epoll_pwait", __NR_epoll_pwait},
-#endif
-#endif
-#ifdef SYS_epoll_wait
-#ifdef __NR_epoll_wait
-        {"epoll_wait", __NR_epoll_wait},
-#endif
-#endif
-#ifdef SYS_epoll_wait_old
-#ifdef __NR_epoll_wait_old
-        {"epoll_wait_old", __NR_epoll_wait_old},
-#endif
-#endif
-#ifdef SYS_eventfd
-#ifdef __NR_eventfd
-        {"eventfd", __NR_eventfd},
-#endif
-#endif
-#ifdef SYS_eventfd2
-#ifdef __NR_eventfd2
-        {"eventfd2", __NR_eventfd2},
-#endif
-#endif
-#ifdef SYS_execve
-#ifdef __NR_execve
-        {"execve", __NR_execve},
-#endif
-#endif
-#ifdef SYS_execveat
-#ifdef __NR_execveat
-        {"execveat", __NR_execveat},
-#endif
-#endif
-#ifdef SYS_exit
-#ifdef __NR_exit
-        {"exit", __NR_exit},
-#endif
-#endif
-#ifdef SYS_exit_group
-#ifdef __NR_exit_group
-        {"exit_group", __NR_exit_group},
-#endif
-#endif
-#ifdef SYS_faccessat
-#ifdef __NR_faccessat
-        {"faccessat", __NR_faccessat},
-#endif
-#endif
-#ifdef SYS_fadvise64
-#ifdef __NR_fadvise64
-        {"fadvise64", __NR_fadvise64},
-#endif
-#endif
-#ifdef SYS_fallocate
-#ifdef __NR_fallocate
-        {"fallocate", __NR_fallocate},
-#endif
-#endif
-#ifdef SYS_fanotify_init
-#ifdef __NR_fanotify_init
-        {"fanotify_init", __NR_fanotify_init},
-#endif
-#endif
-#ifdef SYS_fanotify_mark
-#ifdef __NR_fanotify_mark
-        {"fanotify_mark", __NR_fanotify_mark},
-#endif
-#endif
-#ifdef SYS_fchdir
-#ifdef __NR_fchdir
-        {"fchdir", __NR_fchdir},
-#endif
-#endif
-#ifdef SYS_fchmod
-#ifdef __NR_fchmod
-        {"fchmod", __NR_fchmod},
-#endif
-#endif
-#ifdef SYS_fchmodat
-#ifdef __NR_fchmodat
-        {"fchmodat", __NR_fchmodat},
-#endif
-#endif
-#ifdef SYS_fchown
-#ifdef __NR_fchown
-        {"fchown", __NR_fchown},
-#endif
-#endif
-#ifdef SYS_fchownat
-#ifdef __NR_fchownat
-        {"fchownat", __NR_fchownat},
-#endif
-#endif
-#ifdef SYS_fcntl
-#ifdef __NR_fcntl
-        {"fcntl", __NR_fcntl},
-#endif
-#endif
-#ifdef SYS_fdatasync
-#ifdef __NR_fdatasync
-        {"fdatasync", __NR_fdatasync},
-#endif
-#endif
-#ifdef SYS_fgetxattr
-#ifdef __NR_fgetxattr
-        {"fgetxattr", __NR_fgetxattr},
-#endif
-#endif
-#ifdef SYS_finit_module
-#ifdef __NR_finit_module
-        {"finit_module", __NR_finit_module},
-#endif
-#endif
-#ifdef SYS_flistxattr
-#ifdef __NR_flistxattr
-        {"flistxattr", __NR_flistxattr},
-#endif
-#endif
-#ifdef SYS_flock
-#ifdef __NR_flock
-        {"flock", __NR_flock},
-#endif
-#endif
-#ifdef SYS_fork
-#ifdef __NR_fork
-        {"fork", __NR_fork},
-#endif
-#endif
-#ifdef SYS_fremovexattr
-#ifdef __NR_fremovexattr
-        {"fremovexattr", __NR_fremovexattr},
-#endif
-#endif
-#ifdef SYS_fsetxattr
-#ifdef __NR_fsetxattr
-        {"fsetxattr", __NR_fsetxattr},
-#endif
-#endif
-#ifdef SYS_fstat
-#ifdef __NR_fstat
-        {"fstat", __NR_fstat},
-#endif
-#endif
-#ifdef SYS_fstatfs
-#ifdef __NR_fstatfs
-        {"fstatfs", __NR_fstatfs},
-#endif
-#endif
-#ifdef SYS_fsync
-#ifdef __NR_fsync
-        {"fsync", __NR_fsync},
-#endif
-#endif
-#ifdef SYS_ftruncate
-#ifdef __NR_ftruncate
-        {"ftruncate", __NR_ftruncate},
-#endif
-#endif
-#ifdef SYS_futex
-#ifdef __NR_futex
-        {"futex", __NR_futex},
-#endif
-#endif
-#ifdef SYS_futimesat
-#ifdef __NR_futimesat
-        {"futimesat", __NR_futimesat},
-#endif
-#endif
-#ifdef SYS_get_kernel_syms
-#ifdef __NR_get_kernel_syms
-        {"get_kernel_syms", __NR_get_kernel_syms},
-#endif
-#endif
-#ifdef SYS_get_mempolicy
-#ifdef __NR_get_mempolicy
-        {"get_mempolicy", __NR_get_mempolicy},
-#endif
-#endif
-#ifdef SYS_get_robust_list
-#ifdef __NR_get_robust_list
-        {"get_robust_list", __NR_get_robust_list},
-#endif
-#endif
-#ifdef SYS_get_thread_area
-#ifdef __NR_get_thread_area
-        {"get_thread_area", __NR_get_thread_area},
-#endif
-#endif
-#ifdef SYS_getcpu
-#ifdef __NR_getcpu
-        {"getcpu", __NR_getcpu},
-#endif
-#endif
-#ifdef SYS_getcwd
-#ifdef __NR_getcwd
-        {"getcwd", __NR_getcwd},
-#endif
-#endif
-#ifdef SYS_getdents
-#ifdef __NR_getdents
-        {"getdents", __NR_getdents},
-#endif
-#endif
-#ifdef SYS_getdents64
-#ifdef __NR_getdents64
-        {"getdents64", __NR_getdents64},
-#endif
-#endif
-#ifdef SYS_getegid
-#ifdef __NR_getegid
-        {"getegid", __NR_getegid},
-#endif
-#endif
-#ifdef SYS_geteuid
-#ifdef __NR_geteuid
-        {"geteuid", __NR_geteuid},
-#endif
-#endif
-#ifdef SYS_getgid
-#ifdef __NR_getgid
-        {"getgid", __NR_getgid},
-#endif
-#endif
-#ifdef SYS_getgroups
-#ifdef __NR_getgroups
-        {"getgroups", __NR_getgroups},
-#endif
-#endif
-#ifdef SYS_getitimer
-#ifdef __NR_getitimer
-        {"getitimer", __NR_getitimer},
-#endif
-#endif
-#ifdef SYS_getpeername
-#ifdef __NR_getpeername
-        {"getpeername", __NR_getpeername},
-#endif
-#endif
-#ifdef SYS_getpgid
-#ifdef __NR_getpgid
-        {"getpgid", __NR_getpgid},
-#endif
-#endif
-#ifdef SYS_getpgrp
-#ifdef __NR_getpgrp
-        {"getpgrp", __NR_getpgrp},
-#endif
-#endif
-#ifdef SYS_getpid
-#ifdef __NR_getpid
-        {"getpid", __NR_getpid},
-#endif
-#endif
-#ifdef SYS_getpmsg
-#ifdef __NR_getpmsg
-        {"getpmsg", __NR_getpmsg},
-#endif
-#endif
-#ifdef SYS_getppid
-#ifdef __NR_getppid
-        {"getppid", __NR_getppid},
-#endif
-#endif
-#ifdef SYS_getpriority
-#ifdef __NR_getpriority
-        {"getpriority", __NR_getpriority},
-#endif
-#endif
-#ifdef SYS_getrandom
-#ifdef __NR_getrandom
-        {"getrandom", __NR_getrandom},
-#endif
-#endif
-#ifdef SYS_getresgid
-#ifdef __NR_getresgid
-        {"getresgid", __NR_getresgid},
-#endif
-#endif
-#ifdef SYS_getresuid
-#ifdef __NR_getresuid
-        {"getresuid", __NR_getresuid},
-#endif
-#endif
-#ifdef SYS_getrlimit
-#ifdef __NR_getrlimit
-        {"getrlimit", __NR_getrlimit},
-#endif
-#endif
-#ifdef SYS_getrusage
-#ifdef __NR_getrusage
-        {"getrusage", __NR_getrusage},
-#endif
-#endif
-#ifdef SYS_getsid
-#ifdef __NR_getsid
-        {"getsid", __NR_getsid},
-#endif
-#endif
-#ifdef SYS_getsockname
-#ifdef __NR_getsockname
-        {"getsockname", __NR_getsockname},
-#endif
-#endif
-#ifdef SYS_getsockopt
-#ifdef __NR_getsockopt
-        {"getsockopt", __NR_getsockopt},
-#endif
-#endif
-#ifdef SYS_gettid
-#ifdef __NR_gettid
-        {"gettid", __NR_gettid},
-#endif
-#endif
-#ifdef SYS_gettimeofday
-#ifdef __NR_gettimeofday
-        {"gettimeofday", __NR_gettimeofday},
-#endif
-#endif
-#ifdef SYS_getuid
-#ifdef __NR_getuid
-        {"getuid", __NR_getuid},
-#endif
-#endif
-#ifdef SYS_getxattr
-#ifdef __NR_getxattr
-        {"getxattr", __NR_getxattr},
-#endif
-#endif
-#ifdef SYS_init_module
-#ifdef __NR_init_module
-        {"init_module", __NR_init_module},
-#endif
-#endif
-#ifdef SYS_inotify_add_watch
-#ifdef __NR_inotify_add_watch
-        {"inotify_add_watch", __NR_inotify_add_watch},
-#endif
-#endif
-#ifdef SYS_inotify_init
-#ifdef __NR_inotify_init
-        {"inotify_init", __NR_inotify_init},
-#endif
-#endif
-#ifdef SYS_inotify_init1
-#ifdef __NR_inotify_init1
-        {"inotify_init1", __NR_inotify_init1},
-#endif
-#endif
-#ifdef SYS_inotify_rm_watch
-#ifdef __NR_inotify_rm_watch
-        {"inotify_rm_watch", __NR_inotify_rm_watch},
-#endif
-#endif
-#ifdef SYS_io_cancel
-#ifdef __NR_io_cancel
-        {"io_cancel", __NR_io_cancel},
-#endif
-#endif
-#ifdef SYS_io_destroy
-#ifdef __NR_io_destroy
-        {"io_destroy", __NR_io_destroy},
-#endif
-#endif
-#ifdef SYS_io_getevents
-#ifdef __NR_io_getevents
-        {"io_getevents", __NR_io_getevents},
-#endif
-#endif
-#ifdef SYS_io_setup
-#ifdef __NR_io_setup
-        {"io_setup", __NR_io_setup},
-#endif
-#endif
-#ifdef SYS_io_submit
-#ifdef __NR_io_submit
-        {"io_submit", __NR_io_submit},
-#endif
-#endif
-#ifdef SYS_ioctl
-#ifdef __NR_ioctl
-        {"ioctl", __NR_ioctl},
-#endif
-#endif
-#ifdef SYS_ioperm
-#ifdef __NR_ioperm
-        {"ioperm", __NR_ioperm},
-#endif
-#endif
-#ifdef SYS_iopl
-#ifdef __NR_iopl
-        {"iopl", __NR_iopl},
-#endif
-#endif
-#ifdef SYS_ioprio_get
-#ifdef __NR_ioprio_get
-        {"ioprio_get", __NR_ioprio_get},
-#endif
-#endif
-#ifdef SYS_ioprio_set
-#ifdef __NR_ioprio_set
-        {"ioprio_set", __NR_ioprio_set},
-#endif
-#endif
-#ifdef SYS_kcmp
-#ifdef __NR_kcmp
-        {"kcmp", __NR_kcmp},
-#endif
-#endif
-#ifdef SYS_kexec_file_load
-#ifdef __NR_kexec_file_load
-        {"kexec_file_load", __NR_kexec_file_load},
-#endif
-#endif
-#ifdef SYS_kexec_load
-#ifdef __NR_kexec_load
-        {"kexec_load", __NR_kexec_load},
-#endif
-#endif
-#ifdef SYS_keyctl
-#ifdef __NR_keyctl
-        {"keyctl", __NR_keyctl},
-#endif
-#endif
-#ifdef SYS_kill
-#ifdef __NR_kill
-        {"kill", __NR_kill},
-#endif
-#endif
-#ifdef SYS_lchown
-#ifdef __NR_lchown
-        {"lchown", __NR_lchown},
-#endif
-#endif
-#ifdef SYS_lgetxattr
-#ifdef __NR_lgetxattr
-        {"lgetxattr", __NR_lgetxattr},
-#endif
-#endif
-#ifdef SYS_link
-#ifdef __NR_link
-        {"link", __NR_link},
-#endif
-#endif
-#ifdef SYS_linkat
-#ifdef __NR_linkat
-        {"linkat", __NR_linkat},
-#endif
-#endif
-#ifdef SYS_listen
-#ifdef __NR_listen
-        {"listen", __NR_listen},
-#endif
-#endif
-#ifdef SYS_listxattr
-#ifdef __NR_listxattr
-        {"listxattr", __NR_listxattr},
-#endif
-#endif
-#ifdef SYS_llistxattr
-#ifdef __NR_llistxattr
-        {"llistxattr", __NR_llistxattr},
-#endif
-#endif
-#ifdef SYS_lookup_dcookie
-#ifdef __NR_lookup_dcookie
-        {"lookup_dcookie", __NR_lookup_dcookie},
-#endif
-#endif
-#ifdef SYS_lremovexattr
-#ifdef __NR_lremovexattr
-        {"lremovexattr", __NR_lremovexattr},
-#endif
-#endif
-#ifdef SYS_lseek
-#ifdef __NR_lseek
-        {"lseek", __NR_lseek},
-#endif
-#endif
-#ifdef SYS_lsetxattr
-#ifdef __NR_lsetxattr
-        {"lsetxattr", __NR_lsetxattr},
-#endif
-#endif
-#ifdef SYS_lstat
-#ifdef __NR_lstat
-        {"lstat", __NR_lstat},
-#endif
-#endif
-#ifdef SYS_madvise
-#ifdef __NR_madvise
-        {"madvise", __NR_madvise},
-#endif
-#endif
-#ifdef SYS_mbind
-#ifdef __NR_mbind
-        {"mbind", __NR_mbind},
-#endif
-#endif
-#ifdef SYS_membarrier
-#ifdef __NR_membarrier
-        {"membarrier", __NR_membarrier},
-#endif
-#endif
-#ifdef SYS_memfd_create
-#ifdef __NR_memfd_create
-        {"memfd_create", __NR_memfd_create},
-#endif
-#endif
-#ifdef SYS_migrate_pages
-#ifdef __NR_migrate_pages
-        {"migrate_pages", __NR_migrate_pages},
-#endif
-#endif
-#ifdef SYS_mincore
-#ifdef __NR_mincore
-        {"mincore", __NR_mincore},
-#endif
-#endif
-#ifdef SYS_mkdir
-#ifdef __NR_mkdir
-        {"mkdir", __NR_mkdir},
-#endif
-#endif
-#ifdef SYS_mkdirat
-#ifdef __NR_mkdirat
-        {"mkdirat", __NR_mkdirat},
-#endif
-#endif
-#ifdef SYS_mknod
-#ifdef __NR_mknod
-        {"mknod", __NR_mknod},
-#endif
-#endif
-#ifdef SYS_mknodat
-#ifdef __NR_mknodat
-        {"mknodat", __NR_mknodat},
-#endif
-#endif
-#ifdef SYS_mlock
-#ifdef __NR_mlock
-        {"mlock", __NR_mlock},
-#endif
-#endif
-#ifdef SYS_mlock2
-#ifdef __NR_mlock2
-        {"mlock2", __NR_mlock2},
-#endif
-#endif
-#ifdef SYS_mlockall
-#ifdef __NR_mlockall
-        {"mlockall", __NR_mlockall},
-#endif
-#endif
-#ifdef SYS_mmap
-#ifdef __NR_mmap
-        {"mmap", __NR_mmap},
-#endif
-#endif
-#ifdef SYS_modify_ldt
-#ifdef __NR_modify_ldt
-        {"modify_ldt", __NR_modify_ldt},
-#endif
-#endif
-#ifdef SYS_mount
-#ifdef __NR_mount
-        {"mount", __NR_mount},
-#endif
-#endif
-#ifdef SYS_move_pages
-#ifdef __NR_move_pages
-        {"move_pages", __NR_move_pages},
-#endif
-#endif
-#ifdef SYS_mprotect
-#ifdef __NR_mprotect
-        {"mprotect", __NR_mprotect},
-#endif
-#endif
-#ifdef SYS_mq_getsetattr
-#ifdef __NR_mq_getsetattr
-        {"mq_getsetattr", __NR_mq_getsetattr},
-#endif
-#endif
-#ifdef SYS_mq_notify
-#ifdef __NR_mq_notify
-        {"mq_notify", __NR_mq_notify},
-#endif
-#endif
-#ifdef SYS_mq_open
-#ifdef __NR_mq_open
-        {"mq_open", __NR_mq_open},
-#endif
-#endif
-#ifdef SYS_mq_timedreceive
-#ifdef __NR_mq_timedreceive
-        {"mq_timedreceive", __NR_mq_timedreceive},
-#endif
-#endif
-#ifdef SYS_mq_timedsend
-#ifdef __NR_mq_timedsend
-        {"mq_timedsend", __NR_mq_timedsend},
-#endif
-#endif
-#ifdef SYS_mq_unlink
-#ifdef __NR_mq_unlink
-        {"mq_unlink", __NR_mq_unlink},
-#endif
-#endif
-#ifdef SYS_mremap
-#ifdef __NR_mremap
-        {"mremap", __NR_mremap},
-#endif
-#endif
-#ifdef SYS_msgctl
-#ifdef __NR_msgctl
-        {"msgctl", __NR_msgctl},
-#endif
-#endif
-#ifdef SYS_msgget
-#ifdef __NR_msgget
-        {"msgget", __NR_msgget},
-#endif
-#endif
-#ifdef SYS_msgrcv
-#ifdef __NR_msgrcv
-        {"msgrcv", __NR_msgrcv},
-#endif
-#endif
-#ifdef SYS_msgsnd
-#ifdef __NR_msgsnd
-        {"msgsnd", __NR_msgsnd},
-#endif
-#endif
-#ifdef SYS_msync
-#ifdef __NR_msync
-        {"msync", __NR_msync},
-#endif
-#endif
-#ifdef SYS_munlock
-#ifdef __NR_munlock
-        {"munlock", __NR_munlock},
-#endif
-#endif
-#ifdef SYS_munlockall
-#ifdef __NR_munlockall
-        {"munlockall", __NR_munlockall},
-#endif
-#endif
-#ifdef SYS_munmap
-#ifdef __NR_munmap
-        {"munmap", __NR_munmap},
-#endif
-#endif
-#ifdef SYS_name_to_handle_at
-#ifdef __NR_name_to_handle_at
-        {"name_to_handle_at", __NR_name_to_handle_at},
-#endif
-#endif
-#ifdef SYS_nanosleep
-#ifdef __NR_nanosleep
-        {"nanosleep", __NR_nanosleep},
-#endif
-#endif
-#ifdef SYS_newfstatat
-#ifdef __NR_newfstatat
-        {"newfstatat", __NR_newfstatat},
-#endif
-#endif
-#ifdef SYS_nfsservctl
-#ifdef __NR_nfsservctl
-        {"nfsservctl", __NR_nfsservctl},
-#endif
-#endif
-#ifdef SYS_open
-#ifdef __NR_open
-        {"open", __NR_open},
-#endif
-#endif
-#ifdef SYS_open_by_handle_at
-#ifdef __NR_open_by_handle_at
-        {"open_by_handle_at", __NR_open_by_handle_at},
-#endif
-#endif
-#ifdef SYS_openat
-#ifdef __NR_openat
-        {"openat", __NR_openat},
-#endif
-#endif
-#ifdef SYS_pause
-#ifdef __NR_pause
-        {"pause", __NR_pause},
-#endif
-#endif
-#ifdef SYS_perf_event_open
-#ifdef __NR_perf_event_open
-        {"perf_event_open", __NR_perf_event_open},
-#endif
-#endif
-#ifdef SYS_personality
-#ifdef __NR_personality
-        {"personality", __NR_personality},
-#endif
-#endif
-#ifdef SYS_pipe
-#ifdef __NR_pipe
-        {"pipe", __NR_pipe},
-#endif
-#endif
-#ifdef SYS_pipe2
-#ifdef __NR_pipe2
-        {"pipe2", __NR_pipe2},
-#endif
-#endif
-#ifdef SYS_pivot_root
-#ifdef __NR_pivot_root
-        {"pivot_root", __NR_pivot_root},
-#endif
-#endif
-#ifdef SYS_poll
-#ifdef __NR_poll
-        {"poll", __NR_poll},
-#endif
-#endif
-#ifdef SYS_ppoll
-#ifdef __NR_ppoll
-        {"ppoll", __NR_ppoll},
-#endif
-#endif
-#ifdef SYS_prctl
-#ifdef __NR_prctl
-        {"prctl", __NR_prctl},
-#endif
-#endif
-#ifdef SYS_pread64
-#ifdef __NR_pread64
-        {"pread64", __NR_pread64},
-#endif
-#endif
-#ifdef SYS_preadv
-#ifdef __NR_preadv
-        {"preadv", __NR_preadv},
-#endif
-#endif
-#ifdef SYS_preadv2
-#ifdef __NR_preadv2
-        {"preadv2", __NR_preadv2},
-#endif
-#endif
-#ifdef SYS_prlimit64
-#ifdef __NR_prlimit64
-        {"prlimit64", __NR_prlimit64},
-#endif
-#endif
-#ifdef SYS_process_vm_readv
-#ifdef __NR_process_vm_readv
-        {"process_vm_readv", __NR_process_vm_readv},
-#endif
-#endif
-#ifdef SYS_process_vm_writev
-#ifdef __NR_process_vm_writev
-        {"process_vm_writev", __NR_process_vm_writev},
-#endif
-#endif
-#ifdef SYS_pselect6
-#ifdef __NR_pselect6
-        {"pselect6", __NR_pselect6},
-#endif
-#endif
-#ifdef SYS_ptrace
-#ifdef __NR_ptrace
-        {"ptrace", __NR_ptrace},
-#endif
-#endif
-#ifdef SYS_putpmsg
-#ifdef __NR_putpmsg
-        {"putpmsg", __NR_putpmsg},
-#endif
-#endif
-#ifdef SYS_pwrite64
-#ifdef __NR_pwrite64
-        {"pwrite64", __NR_pwrite64},
-#endif
-#endif
-#ifdef SYS_pwritev
-#ifdef __NR_pwritev
-        {"pwritev", __NR_pwritev},
-#endif
-#endif
-#ifdef SYS_pwritev2
-#ifdef __NR_pwritev2
-        {"pwritev2", __NR_pwritev2},
-#endif
-#endif
-#ifdef SYS_query_module
-#ifdef __NR_query_module
-        {"query_module", __NR_query_module},
-#endif
-#endif
-#ifdef SYS_quotactl
-#ifdef __NR_quotactl
-        {"quotactl", __NR_quotactl},
-#endif
-#endif
-#ifdef SYS_read
-#ifdef __NR_read
-        {"read", __NR_read},
-#endif
-#endif
-#ifdef SYS_readahead
-#ifdef __NR_readahead
-        {"readahead", __NR_readahead},
-#endif
-#endif
-#ifdef SYS_readlink
-#ifdef __NR_readlink
-        {"readlink", __NR_readlink},
-#endif
-#endif
-#ifdef SYS_readlinkat
-#ifdef __NR_readlinkat
-        {"readlinkat", __NR_readlinkat},
-#endif
-#endif
-#ifdef SYS_readv
-#ifdef __NR_readv
-        {"readv", __NR_readv},
-#endif
-#endif
-#ifdef SYS_reboot
-#ifdef __NR_reboot
-        {"reboot", __NR_reboot},
-#endif
-#endif
-#ifdef SYS_recvfrom
-#ifdef __NR_recvfrom
-        {"recvfrom", __NR_recvfrom},
-#endif
-#endif
-#ifdef SYS_recvmmsg
-#ifdef __NR_recvmmsg
-        {"recvmmsg", __NR_recvmmsg},
-#endif
-#endif
-#ifdef SYS_recvmsg
-#ifdef __NR_recvmsg
-        {"recvmsg", __NR_recvmsg},
-#endif
-#endif
-#ifdef SYS_remap_file_pages
-#ifdef __NR_remap_file_pages
-        {"remap_file_pages", __NR_remap_file_pages},
-#endif
-#endif
-#ifdef SYS_removexattr
-#ifdef __NR_removexattr
-        {"removexattr", __NR_removexattr},
-#endif
-#endif
-#ifdef SYS_rename
-#ifdef __NR_rename
-        {"rename", __NR_rename},
-#endif
-#endif
-#ifdef SYS_renameat
-#ifdef __NR_renameat
-        {"renameat", __NR_renameat},
-#endif
-#endif
-#ifdef SYS_renameat2
-#ifdef __NR_renameat2
-        {"renameat2", __NR_renameat2},
-#endif
-#endif
-#ifdef SYS_request_key
-#ifdef __NR_request_key
-        {"request_key", __NR_request_key},
-#endif
-#endif
-#ifdef SYS_restart_syscall
-#ifdef __NR_restart_syscall
-        {"restart_syscall", __NR_restart_syscall},
-#endif
-#endif
-#ifdef SYS_rmdir
-#ifdef __NR_rmdir
-        {"rmdir", __NR_rmdir},
-#endif
-#endif
-#ifdef SYS_rt_sigaction
-#ifdef __NR_rt_sigaction
-        {"rt_sigaction", __NR_rt_sigaction},
-#endif
-#endif
-#ifdef SYS_rt_sigpending
-#ifdef __NR_rt_sigpending
-        {"rt_sigpending", __NR_rt_sigpending},
-#endif
-#endif
-#ifdef SYS_rt_sigprocmask
-#ifdef __NR_rt_sigprocmask
-        {"rt_sigprocmask", __NR_rt_sigprocmask},
-#endif
-#endif
-#ifdef SYS_rt_sigqueueinfo
-#ifdef __NR_rt_sigqueueinfo
-        {"rt_sigqueueinfo", __NR_rt_sigqueueinfo},
-#endif
-#endif
-#ifdef SYS_rt_sigreturn
-#ifdef __NR_rt_sigreturn
-        {"rt_sigreturn", __NR_rt_sigreturn},
-#endif
-#endif
-#ifdef SYS_rt_sigsuspend
-#ifdef __NR_rt_sigsuspend
-        {"rt_sigsuspend", __NR_rt_sigsuspend},
-#endif
-#endif
-#ifdef SYS_rt_sigtimedwait
-#ifdef __NR_rt_sigtimedwait
-        {"rt_sigtimedwait", __NR_rt_sigtimedwait},
-#endif
-#endif
-#ifdef SYS_rt_tgsigqueueinfo
-#ifdef __NR_rt_tgsigqueueinfo
-        {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_max
-#ifdef __NR_sched_get_priority_max
-        {"sched_get_priority_max", __NR_sched_get_priority_max},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_min
-#ifdef __NR_sched_get_priority_min
-        {"sched_get_priority_min", __NR_sched_get_priority_min},
-#endif
-#endif
-#ifdef SYS_sched_getaffinity
-#ifdef __NR_sched_getaffinity
-        {"sched_getaffinity", __NR_sched_getaffinity},
-#endif
-#endif
-#ifdef SYS_sched_getattr
-#ifdef __NR_sched_getattr
-        {"sched_getattr", __NR_sched_getattr},
-#endif
-#endif
-#ifdef SYS_sched_getparam
-#ifdef __NR_sched_getparam
-        {"sched_getparam", __NR_sched_getparam},
-#endif
-#endif
-#ifdef SYS_sched_getscheduler
-#ifdef __NR_sched_getscheduler
-        {"sched_getscheduler", __NR_sched_getscheduler},
-#endif
-#endif
-#ifdef SYS_sched_rr_get_interval
-#ifdef __NR_sched_rr_get_interval
-        {"sched_rr_get_interval", __NR_sched_rr_get_interval},
-#endif
-#endif
-#ifdef SYS_sched_setaffinity
-#ifdef __NR_sched_setaffinity
-        {"sched_setaffinity", __NR_sched_setaffinity},
-#endif
-#endif
-#ifdef SYS_sched_setattr
-#ifdef __NR_sched_setattr
-        {"sched_setattr", __NR_sched_setattr},
-#endif
-#endif
-#ifdef SYS_sched_setparam
-#ifdef __NR_sched_setparam
-        {"sched_setparam", __NR_sched_setparam},
-#endif
-#endif
-#ifdef SYS_sched_setscheduler
-#ifdef __NR_sched_setscheduler
-        {"sched_setscheduler", __NR_sched_setscheduler},
-#endif
-#endif
-#ifdef SYS_sched_yield
-#ifdef __NR_sched_yield
-        {"sched_yield", __NR_sched_yield},
-#endif
-#endif
-#ifdef SYS_seccomp
-#ifdef __NR_seccomp
-        {"seccomp", __NR_seccomp},
-#endif
-#endif
-#ifdef SYS_security
-#ifdef __NR_security
-        {"security", __NR_security},
-#endif
-#endif
-#ifdef SYS_select
-#ifdef __NR_select
-        {"select", __NR_select},
-#endif
-#endif
-#ifdef SYS_semctl
-#ifdef __NR_semctl
-        {"semctl", __NR_semctl},
-#endif
-#endif
-#ifdef SYS_semget
-#ifdef __NR_semget
-        {"semget", __NR_semget},
-#endif
-#endif
-#ifdef SYS_semop
-#ifdef __NR_semop
-        {"semop", __NR_semop},
-#endif
-#endif
-#ifdef SYS_semtimedop
-#ifdef __NR_semtimedop
-        {"semtimedop", __NR_semtimedop},
-#endif
-#endif
-#ifdef SYS_sendfile
-#ifdef __NR_sendfile
-        {"sendfile", __NR_sendfile},
-#endif
-#endif
-#ifdef SYS_sendmmsg
-#ifdef __NR_sendmmsg
-        {"sendmmsg", __NR_sendmmsg},
-#endif
-#endif
-#ifdef SYS_sendmsg
-#ifdef __NR_sendmsg
-        {"sendmsg", __NR_sendmsg},
-#endif
-#endif
-#ifdef SYS_sendto
-#ifdef __NR_sendto
-        {"sendto", __NR_sendto},
-#endif
-#endif
-#ifdef SYS_set_mempolicy
-#ifdef __NR_set_mempolicy
-        {"set_mempolicy", __NR_set_mempolicy},
-#endif
-#endif
-#ifdef SYS_set_robust_list
-#ifdef __NR_set_robust_list
-        {"set_robust_list", __NR_set_robust_list},
-#endif
-#endif
-#ifdef SYS_set_thread_area
-#ifdef __NR_set_thread_area
-        {"set_thread_area", __NR_set_thread_area},
-#endif
-#endif
-#ifdef SYS_set_tid_address
-#ifdef __NR_set_tid_address
-        {"set_tid_address", __NR_set_tid_address},
-#endif
-#endif
-#ifdef SYS_setdomainname
-#ifdef __NR_setdomainname
-        {"setdomainname", __NR_setdomainname},
-#endif
-#endif
-#ifdef SYS_setfsgid
-#ifdef __NR_setfsgid
-        {"setfsgid", __NR_setfsgid},
-#endif
-#endif
-#ifdef SYS_setfsuid
-#ifdef __NR_setfsuid
-        {"setfsuid", __NR_setfsuid},
-#endif
-#endif
-#ifdef SYS_setgid
-#ifdef __NR_setgid
-        {"setgid", __NR_setgid},
-#endif
-#endif
-#ifdef SYS_setgroups
-#ifdef __NR_setgroups
-        {"setgroups", __NR_setgroups},
-#endif
-#endif
-#ifdef SYS_sethostname
-#ifdef __NR_sethostname
-        {"sethostname", __NR_sethostname},
-#endif
-#endif
-#ifdef SYS_setitimer
-#ifdef __NR_setitimer
-        {"setitimer", __NR_setitimer},
-#endif
-#endif
-#ifdef SYS_setns
-#ifdef __NR_setns
-        {"setns", __NR_setns},
-#endif
-#endif
-#ifdef SYS_setpgid
-#ifdef __NR_setpgid
-        {"setpgid", __NR_setpgid},
-#endif
-#endif
-#ifdef SYS_setpriority
-#ifdef __NR_setpriority
-        {"setpriority", __NR_setpriority},
-#endif
-#endif
-#ifdef SYS_setregid
-#ifdef __NR_setregid
-        {"setregid", __NR_setregid},
-#endif
-#endif
-#ifdef SYS_setresgid
-#ifdef __NR_setresgid
-        {"setresgid", __NR_setresgid},
-#endif
-#endif
-#ifdef SYS_setresuid
-#ifdef __NR_setresuid
-        {"setresuid", __NR_setresuid},
-#endif
-#endif
-#ifdef SYS_setreuid
-#ifdef __NR_setreuid
-        {"setreuid", __NR_setreuid},
-#endif
-#endif
-#ifdef SYS_setrlimit
-#ifdef __NR_setrlimit
-        {"setrlimit", __NR_setrlimit},
-#endif
-#endif
-#ifdef SYS_setsid
-#ifdef __NR_setsid
-        {"setsid", __NR_setsid},
-#endif
-#endif
-#ifdef SYS_setsockopt
-#ifdef __NR_setsockopt
-        {"setsockopt", __NR_setsockopt},
-#endif
-#endif
-#ifdef SYS_settimeofday
-#ifdef __NR_settimeofday
-        {"settimeofday", __NR_settimeofday},
-#endif
-#endif
-#ifdef SYS_setuid
-#ifdef __NR_setuid
-        {"setuid", __NR_setuid},
-#endif
-#endif
-#ifdef SYS_setxattr
-#ifdef __NR_setxattr
-        {"setxattr", __NR_setxattr},
-#endif
-#endif
-#ifdef SYS_shmat
-#ifdef __NR_shmat
-        {"shmat", __NR_shmat},
-#endif
-#endif
-#ifdef SYS_shmctl
-#ifdef __NR_shmctl
-        {"shmctl", __NR_shmctl},
-#endif
-#endif
-#ifdef SYS_shmdt
-#ifdef __NR_shmdt
-        {"shmdt", __NR_shmdt},
-#endif
-#endif
-#ifdef SYS_shmget
-#ifdef __NR_shmget
-        {"shmget", __NR_shmget},
-#endif
-#endif
-#ifdef SYS_shutdown
-#ifdef __NR_shutdown
-        {"shutdown", __NR_shutdown},
-#endif
-#endif
-#ifdef SYS_sigaltstack
-#ifdef __NR_sigaltstack
-        {"sigaltstack", __NR_sigaltstack},
-#endif
-#endif
-#ifdef SYS_signalfd
-#ifdef __NR_signalfd
-        {"signalfd", __NR_signalfd},
-#endif
-#endif
-#ifdef SYS_signalfd4
-#ifdef __NR_signalfd4
-        {"signalfd4", __NR_signalfd4},
-#endif
-#endif
-#ifdef SYS_socket
-#ifdef __NR_socket
-        {"socket", __NR_socket},
-#endif
-#endif
-#ifdef SYS_socketpair
-#ifdef __NR_socketpair
-        {"socketpair", __NR_socketpair},
-#endif
-#endif
-#ifdef SYS_splice
-#ifdef __NR_splice
-        {"splice", __NR_splice},
-#endif
-#endif
-#ifdef SYS_stat
-#ifdef __NR_stat
-        {"stat", __NR_stat},
-#endif
-#endif
-#ifdef SYS_statfs
-#ifdef __NR_statfs
-        {"statfs", __NR_statfs},
-#endif
-#endif
-#ifdef SYS_swapoff
-#ifdef __NR_swapoff
-        {"swapoff", __NR_swapoff},
-#endif
-#endif
-#ifdef SYS_swapon
-#ifdef __NR_swapon
-        {"swapon", __NR_swapon},
-#endif
-#endif
-#ifdef SYS_symlink
-#ifdef __NR_symlink
-        {"symlink", __NR_symlink},
-#endif
-#endif
-#ifdef SYS_symlinkat
-#ifdef __NR_symlinkat
-        {"symlinkat", __NR_symlinkat},
-#endif
-#endif
-#ifdef SYS_sync
-#ifdef __NR_sync
-        {"sync", __NR_sync},
-#endif
-#endif
-#ifdef SYS_sync_file_range
-#ifdef __NR_sync_file_range
-        {"sync_file_range", __NR_sync_file_range},
-#endif
-#endif
-#ifdef SYS_syncfs
-#ifdef __NR_syncfs
-        {"syncfs", __NR_syncfs},
-#endif
-#endif
-#ifdef SYS_sysfs
-#ifdef __NR_sysfs
-        {"sysfs", __NR_sysfs},
-#endif
-#endif
-#ifdef SYS_sysinfo
-#ifdef __NR_sysinfo
-        {"sysinfo", __NR_sysinfo},
-#endif
-#endif
-#ifdef SYS_syslog
-#ifdef __NR_syslog
-        {"syslog", __NR_syslog},
-#endif
-#endif
-#ifdef SYS_tee
-#ifdef __NR_tee
-        {"tee", __NR_tee},
-#endif
-#endif
-#ifdef SYS_tgkill
-#ifdef __NR_tgkill
-        {"tgkill", __NR_tgkill},
-#endif
-#endif
-#ifdef SYS_time
-#ifdef __NR_time
-        {"time", __NR_time},
-#endif
-#endif
-#ifdef SYS_timer_create
-#ifdef __NR_timer_create
-        {"timer_create", __NR_timer_create},
-#endif
-#endif
-#ifdef SYS_timer_delete
-#ifdef __NR_timer_delete
-        {"timer_delete", __NR_timer_delete},
-#endif
-#endif
-#ifdef SYS_timer_getoverrun
-#ifdef __NR_timer_getoverrun
-        {"timer_getoverrun", __NR_timer_getoverrun},
-#endif
-#endif
-#ifdef SYS_timer_gettime
-#ifdef __NR_timer_gettime
-        {"timer_gettime", __NR_timer_gettime},
-#endif
-#endif
-#ifdef SYS_timer_settime
-#ifdef __NR_timer_settime
-        {"timer_settime", __NR_timer_settime},
-#endif
-#endif
-#ifdef SYS_timerfd_create
-#ifdef __NR_timerfd_create
-        {"timerfd_create", __NR_timerfd_create},
-#endif
-#endif
-#ifdef SYS_timerfd_gettime
-#ifdef __NR_timerfd_gettime
-        {"timerfd_gettime", __NR_timerfd_gettime},
-#endif
-#endif
-#ifdef SYS_timerfd_settime
-#ifdef __NR_timerfd_settime
-        {"timerfd_settime", __NR_timerfd_settime},
-#endif
-#endif
-#ifdef SYS_times
-#ifdef __NR_times
-        {"times", __NR_times},
-#endif
-#endif
-#ifdef SYS_tkill
-#ifdef __NR_tkill
-        {"tkill", __NR_tkill},
-#endif
-#endif
-#ifdef SYS_truncate
-#ifdef __NR_truncate
-        {"truncate", __NR_truncate},
-#endif
-#endif
-#ifdef SYS_tuxcall
-#ifdef __NR_tuxcall
-        {"tuxcall", __NR_tuxcall},
-#endif
-#endif
-#ifdef SYS_umask
-#ifdef __NR_umask
-        {"umask", __NR_umask},
-#endif
-#endif
-#ifdef SYS_umount2
-#ifdef __NR_umount2
-        {"umount2", __NR_umount2},
-#endif
-#endif
-#ifdef SYS_uname
-#ifdef __NR_uname
-        {"uname", __NR_uname},
-#endif
-#endif
-#ifdef SYS_unlink
-#ifdef __NR_unlink
-        {"unlink", __NR_unlink},
-#endif
-#endif
-#ifdef SYS_unlinkat
-#ifdef __NR_unlinkat
-        {"unlinkat", __NR_unlinkat},
-#endif
-#endif
-#ifdef SYS_unshare
-#ifdef __NR_unshare
-        {"unshare", __NR_unshare},
-#endif
-#endif
-#ifdef SYS_uselib
-#ifdef __NR_uselib
-        {"uselib", __NR_uselib},
-#endif
-#endif
-#ifdef SYS_userfaultfd
-#ifdef __NR_userfaultfd
-        {"userfaultfd", __NR_userfaultfd},
-#endif
-#endif
-#ifdef SYS_ustat
-#ifdef __NR_ustat
-        {"ustat", __NR_ustat},
-#endif
-#endif
-#ifdef SYS_utime
-#ifdef __NR_utime
-        {"utime", __NR_utime},
-#endif
-#endif
-#ifdef SYS_utimensat
-#ifdef __NR_utimensat
-        {"utimensat", __NR_utimensat},
-#endif
-#endif
-#ifdef SYS_utimes
-#ifdef __NR_utimes
-        {"utimes", __NR_utimes},
-#endif
-#endif
-#ifdef SYS_vfork
-#ifdef __NR_vfork
-        {"vfork", __NR_vfork},
-#endif
-#endif
-#ifdef SYS_vhangup
-#ifdef __NR_vhangup
-        {"vhangup", __NR_vhangup},
-#endif
-#endif
-#ifdef SYS_vmsplice
-#ifdef __NR_vmsplice
-        {"vmsplice", __NR_vmsplice},
-#endif
-#endif
-#ifdef SYS_vserver
-#ifdef __NR_vserver
-        {"vserver", __NR_vserver},
-#endif
-#endif
-#ifdef SYS_wait4
-#ifdef __NR_wait4
-        {"wait4", __NR_wait4},
-#endif
-#endif
-#ifdef SYS_waitid
-#ifdef __NR_waitid
-        {"waitid", __NR_waitid},
-#endif
-#endif
-#ifdef SYS_write
-#ifdef __NR_write
-        {"write", __NR_write},
-#endif
-#endif
-#ifdef SYS_writev
-#ifdef __NR_writev
-        {"writev", __NR_writev},
-#endif
-#endif
-#endif
-//#endif
-#if defined __x86_64__ && defined __ILP32__
-#ifdef SYS_accept
-#ifdef __NR_accept
-        {"accept", __NR_accept},
-#endif
-#endif
-#ifdef SYS_accept4
-#ifdef __NR_accept4
-        {"accept4", __NR_accept4},
-#endif
-#endif
-#ifdef SYS_access
-#ifdef __NR_access
-        {"access", __NR_access},
-#endif
-#endif
-#ifdef SYS_acct
-#ifdef __NR_acct
-        {"acct", __NR_acct},
-#endif
-#endif
-#ifdef SYS_add_key
-#ifdef __NR_add_key
-        {"add_key", __NR_add_key},
-#endif
-#endif
-#ifdef SYS_adjtimex
-#ifdef __NR_adjtimex
-        {"adjtimex", __NR_adjtimex},
-#endif
-#endif
-#ifdef SYS_afs_syscall
-#ifdef __NR_afs_syscall
-        {"afs_syscall", __NR_afs_syscall},
-#endif
-#endif
-#ifdef SYS_alarm
-#ifdef __NR_alarm
-        {"alarm", __NR_alarm},
-#endif
-#endif
-#ifdef SYS_arch_prctl
-#ifdef __NR_arch_prctl
-        {"arch_prctl", __NR_arch_prctl},
-#endif
-#endif
-#ifdef SYS_bind
-#ifdef __NR_bind
-        {"bind", __NR_bind},
-#endif
-#endif
-#ifdef SYS_bpf
-#ifdef __NR_bpf
-        {"bpf", __NR_bpf},
-#endif
-#endif
-#ifdef SYS_brk
-#ifdef __NR_brk
-        {"brk", __NR_brk},
-#endif
-#endif
-#ifdef SYS_capget
-#ifdef __NR_capget
-        {"capget", __NR_capget},
-#endif
-#endif
-#ifdef SYS_capset
-#ifdef __NR_capset
-        {"capset", __NR_capset},
-#endif
-#endif
-#ifdef SYS_chdir
-#ifdef __NR_chdir
-        {"chdir", __NR_chdir},
-#endif
-#endif
-#ifdef SYS_chmod
-#ifdef __NR_chmod
-        {"chmod", __NR_chmod},
-#endif
-#endif
-#ifdef SYS_chown
-#ifdef __NR_chown
-        {"chown", __NR_chown},
-#endif
-#endif
-#ifdef SYS_chroot
-#ifdef __NR_chroot
-        {"chroot", __NR_chroot},
-#endif
-#endif
-#ifdef SYS_clock_adjtime
-#ifdef __NR_clock_adjtime
-        {"clock_adjtime", __NR_clock_adjtime},
-#endif
-#endif
-#ifdef SYS_clock_getres
-#ifdef __NR_clock_getres
-        {"clock_getres", __NR_clock_getres},
-#endif
-#endif
-#ifdef SYS_clock_gettime
-#ifdef __NR_clock_gettime
-        {"clock_gettime", __NR_clock_gettime},
-#endif
-#endif
-#ifdef SYS_clock_nanosleep
-#ifdef __NR_clock_nanosleep
-        {"clock_nanosleep", __NR_clock_nanosleep},
-#endif
-#endif
-#ifdef SYS_clock_settime
-#ifdef __NR_clock_settime
-        {"clock_settime", __NR_clock_settime},
-#endif
-#endif
-#ifdef SYS_clone
-#ifdef __NR_clone
-        {"clone", __NR_clone},
-#endif
-#endif
-#ifdef SYS_close
-#ifdef __NR_close
-        {"close", __NR_close},
-#endif
-#endif
-#ifdef SYS_connect
-#ifdef __NR_connect
-        {"connect", __NR_connect},
-#endif
-#endif
-#ifdef SYS_copy_file_range
-#ifdef __NR_copy_file_range
-        {"copy_file_range", __NR_copy_file_range},
-#endif
-#endif
-#ifdef SYS_creat
-#ifdef __NR_creat
-        {"creat", __NR_creat},
-#endif
-#endif
-#ifdef SYS_delete_module
-#ifdef __NR_delete_module
-        {"delete_module", __NR_delete_module},
-#endif
-#endif
-#ifdef SYS_dup
-#ifdef __NR_dup
-        {"dup", __NR_dup},
-#endif
-#endif
-#ifdef SYS_dup2
-#ifdef __NR_dup2
-        {"dup2", __NR_dup2},
-#endif
-#endif
-#ifdef SYS_dup3
-#ifdef __NR_dup3
-        {"dup3", __NR_dup3},
-#endif
-#endif
-#ifdef SYS_epoll_create
-#ifdef __NR_epoll_create
-        {"epoll_create", __NR_epoll_create},
-#endif
-#endif
-#ifdef SYS_epoll_create1
-#ifdef __NR_epoll_create1
-        {"epoll_create1", __NR_epoll_create1},
-#endif
-#endif
-#ifdef SYS_epoll_ctl
-#ifdef __NR_epoll_ctl
-        {"epoll_ctl", __NR_epoll_ctl},
-#endif
-#endif
-#ifdef SYS_epoll_pwait
-#ifdef __NR_epoll_pwait
-        {"epoll_pwait", __NR_epoll_pwait},
-#endif
-#endif
-#ifdef SYS_epoll_wait
-#ifdef __NR_epoll_wait
-        {"epoll_wait", __NR_epoll_wait},
-#endif
-#endif
-#ifdef SYS_eventfd
-#ifdef __NR_eventfd
-        {"eventfd", __NR_eventfd},
-#endif
-#endif
-#ifdef SYS_eventfd2
-#ifdef __NR_eventfd2
-        {"eventfd2", __NR_eventfd2},
-#endif
-#endif
-#ifdef SYS_execve
-#ifdef __NR_execve
-        {"execve", __NR_execve},
-#endif
-#endif
-#ifdef SYS_execveat
-#ifdef __NR_execveat
-        {"execveat", __NR_execveat},
-#endif
-#endif
-#ifdef SYS_exit
-#ifdef __NR_exit
-        {"exit", __NR_exit},
-#endif
-#endif
-#ifdef SYS_exit_group
-#ifdef __NR_exit_group
-        {"exit_group", __NR_exit_group},
-#endif
-#endif
-#ifdef SYS_faccessat
-#ifdef __NR_faccessat
-        {"faccessat", __NR_faccessat},
-#endif
-#endif
-#ifdef SYS_fadvise64
-#ifdef __NR_fadvise64
-        {"fadvise64", __NR_fadvise64},
-#endif
-#endif
-#ifdef SYS_fallocate
-#ifdef __NR_fallocate
-        {"fallocate", __NR_fallocate},
-#endif
-#endif
-#ifdef SYS_fanotify_init
-#ifdef __NR_fanotify_init
-        {"fanotify_init", __NR_fanotify_init},
-#endif
-#endif
-#ifdef SYS_fanotify_mark
-#ifdef __NR_fanotify_mark
-        {"fanotify_mark", __NR_fanotify_mark},
-#endif
-#endif
-#ifdef SYS_fchdir
-#ifdef __NR_fchdir
-        {"fchdir", __NR_fchdir},
-#endif
-#endif
-#ifdef SYS_fchmod
-#ifdef __NR_fchmod
-        {"fchmod", __NR_fchmod},
-#endif
-#endif
-#ifdef SYS_fchmodat
-#ifdef __NR_fchmodat
-        {"fchmodat", __NR_fchmodat},
-#endif
-#endif
-#ifdef SYS_fchown
-#ifdef __NR_fchown
-        {"fchown", __NR_fchown},
-#endif
-#endif
-#ifdef SYS_fchownat
-#ifdef __NR_fchownat
-        {"fchownat", __NR_fchownat},
-#endif
-#endif
-#ifdef SYS_fcntl
-#ifdef __NR_fcntl
-        {"fcntl", __NR_fcntl},
-#endif
-#endif
-#ifdef SYS_fdatasync
-#ifdef __NR_fdatasync
-        {"fdatasync", __NR_fdatasync},
-#endif
-#endif
-#ifdef SYS_fgetxattr
-#ifdef __NR_fgetxattr
-        {"fgetxattr", __NR_fgetxattr},
-#endif
-#endif
-#ifdef SYS_finit_module
-#ifdef __NR_finit_module
-        {"finit_module", __NR_finit_module},
-#endif
-#endif
-#ifdef SYS_flistxattr
-#ifdef __NR_flistxattr
-        {"flistxattr", __NR_flistxattr},
-#endif
-#endif
-#ifdef SYS_flock
-#ifdef __NR_flock
-        {"flock", __NR_flock},
-#endif
-#endif
-#ifdef SYS_fork
-#ifdef __NR_fork
-        {"fork", __NR_fork},
-#endif
-#endif
-#ifdef SYS_fremovexattr
-#ifdef __NR_fremovexattr
-        {"fremovexattr", __NR_fremovexattr},
-#endif
-#endif
-#ifdef SYS_fsetxattr
-#ifdef __NR_fsetxattr
-        {"fsetxattr", __NR_fsetxattr},
-#endif
-#endif
-#ifdef SYS_fstat
-#ifdef __NR_fstat
-        {"fstat", __NR_fstat},
-#endif
-#endif
-#ifdef SYS_fstatfs
-#ifdef __NR_fstatfs
-        {"fstatfs", __NR_fstatfs},
-#endif
-#endif
-#ifdef SYS_fsync
-#ifdef __NR_fsync
-        {"fsync", __NR_fsync},
-#endif
-#endif
-#ifdef SYS_ftruncate
-#ifdef __NR_ftruncate
-        {"ftruncate", __NR_ftruncate},
-#endif
-#endif
-#ifdef SYS_futex
-#ifdef __NR_futex
-        {"futex", __NR_futex},
-#endif
-#endif
-#ifdef SYS_futimesat
-#ifdef __NR_futimesat
-        {"futimesat", __NR_futimesat},
-#endif
-#endif
-#ifdef SYS_get_mempolicy
-#ifdef __NR_get_mempolicy
-        {"get_mempolicy", __NR_get_mempolicy},
-#endif
-#endif
-#ifdef SYS_get_robust_list
-#ifdef __NR_get_robust_list
-        {"get_robust_list", __NR_get_robust_list},
-#endif
-#endif
-#ifdef SYS_getcpu
-#ifdef __NR_getcpu
-        {"getcpu", __NR_getcpu},
-#endif
-#endif
-#ifdef SYS_getcwd
-#ifdef __NR_getcwd
-        {"getcwd", __NR_getcwd},
-#endif
-#endif
-#ifdef SYS_getdents
-#ifdef __NR_getdents
-        {"getdents", __NR_getdents},
-#endif
-#endif
-#ifdef SYS_getdents64
-#ifdef __NR_getdents64
-        {"getdents64", __NR_getdents64},
-#endif
-#endif
-#ifdef SYS_getegid
-#ifdef __NR_getegid
-        {"getegid", __NR_getegid},
-#endif
-#endif
-#ifdef SYS_geteuid
-#ifdef __NR_geteuid
-        {"geteuid", __NR_geteuid},
-#endif
-#endif
-#ifdef SYS_getgid
-#ifdef __NR_getgid
-        {"getgid", __NR_getgid},
-#endif
-#endif
-#ifdef SYS_getgroups
-#ifdef __NR_getgroups
-        {"getgroups", __NR_getgroups},
-#endif
-#endif
-#ifdef SYS_getitimer
-#ifdef __NR_getitimer
-        {"getitimer", __NR_getitimer},
-#endif
-#endif
-#ifdef SYS_getpeername
-#ifdef __NR_getpeername
-        {"getpeername", __NR_getpeername},
-#endif
-#endif
-#ifdef SYS_getpgid
-#ifdef __NR_getpgid
-        {"getpgid", __NR_getpgid},
-#endif
-#endif
-#ifdef SYS_getpgrp
-#ifdef __NR_getpgrp
-        {"getpgrp", __NR_getpgrp},
-#endif
-#endif
-#ifdef SYS_getpid
-#ifdef __NR_getpid
-        {"getpid", __NR_getpid},
-#endif
-#endif
-#ifdef SYS_getpmsg
-#ifdef __NR_getpmsg
-        {"getpmsg", __NR_getpmsg},
-#endif
-#endif
-#ifdef SYS_getppid
-#ifdef __NR_getppid
-        {"getppid", __NR_getppid},
-#endif
-#endif
-#ifdef SYS_getpriority
-#ifdef __NR_getpriority
-        {"getpriority", __NR_getpriority},
-#endif
-#endif
-#ifdef SYS_getrandom
-#ifdef __NR_getrandom
-        {"getrandom", __NR_getrandom},
-#endif
-#endif
-#ifdef SYS_getresgid
-#ifdef __NR_getresgid
-        {"getresgid", __NR_getresgid},
-#endif
-#endif
-#ifdef SYS_getresuid
-#ifdef __NR_getresuid
-        {"getresuid", __NR_getresuid},
-#endif
-#endif
-#ifdef SYS_getrlimit
-#ifdef __NR_getrlimit
-        {"getrlimit", __NR_getrlimit},
-#endif
-#endif
-#ifdef SYS_getrusage
-#ifdef __NR_getrusage
-        {"getrusage", __NR_getrusage},
-#endif
-#endif
-#ifdef SYS_getsid
-#ifdef __NR_getsid
-        {"getsid", __NR_getsid},
-#endif
-#endif
-#ifdef SYS_getsockname
-#ifdef __NR_getsockname
-        {"getsockname", __NR_getsockname},
-#endif
-#endif
-#ifdef SYS_getsockopt
-#ifdef __NR_getsockopt
-        {"getsockopt", __NR_getsockopt},
-#endif
-#endif
-#ifdef SYS_gettid
-#ifdef __NR_gettid
-        {"gettid", __NR_gettid},
-#endif
-#endif
-#ifdef SYS_gettimeofday
-#ifdef __NR_gettimeofday
-        {"gettimeofday", __NR_gettimeofday},
-#endif
-#endif
-#ifdef SYS_getuid
-#ifdef __NR_getuid
-        {"getuid", __NR_getuid},
-#endif
-#endif
-#ifdef SYS_getxattr
-#ifdef __NR_getxattr
-        {"getxattr", __NR_getxattr},
-#endif
-#endif
-#ifdef SYS_init_module
-#ifdef __NR_init_module
-        {"init_module", __NR_init_module},
-#endif
-#endif
-#ifdef SYS_inotify_add_watch
-#ifdef __NR_inotify_add_watch
-        {"inotify_add_watch", __NR_inotify_add_watch},
-#endif
-#endif
-#ifdef SYS_inotify_init
-#ifdef __NR_inotify_init
-        {"inotify_init", __NR_inotify_init},
-#endif
-#endif
-#ifdef SYS_inotify_init1
-#ifdef __NR_inotify_init1
-        {"inotify_init1", __NR_inotify_init1},
-#endif
-#endif
-#ifdef SYS_inotify_rm_watch
-#ifdef __NR_inotify_rm_watch
-        {"inotify_rm_watch", __NR_inotify_rm_watch},
-#endif
-#endif
-#ifdef SYS_io_cancel
-#ifdef __NR_io_cancel
-        {"io_cancel", __NR_io_cancel},
-#endif
-#endif
-#ifdef SYS_io_destroy
-#ifdef __NR_io_destroy
-        {"io_destroy", __NR_io_destroy},
-#endif
-#endif
-#ifdef SYS_io_getevents
-#ifdef __NR_io_getevents
-        {"io_getevents", __NR_io_getevents},
-#endif
-#endif
-#ifdef SYS_io_setup
-#ifdef __NR_io_setup
-        {"io_setup", __NR_io_setup},
-#endif
-#endif
-#ifdef SYS_io_submit
-#ifdef __NR_io_submit
-        {"io_submit", __NR_io_submit},
-#endif
-#endif
-#ifdef SYS_ioctl
-#ifdef __NR_ioctl
-        {"ioctl", __NR_ioctl},
-#endif
-#endif
-#ifdef SYS_ioperm
-#ifdef __NR_ioperm
-        {"ioperm", __NR_ioperm},
-#endif
-#endif
-#ifdef SYS_iopl
-#ifdef __NR_iopl
-        {"iopl", __NR_iopl},
-#endif
-#endif
-#ifdef SYS_ioprio_get
-#ifdef __NR_ioprio_get
-        {"ioprio_get", __NR_ioprio_get},
-#endif
-#endif
-#ifdef SYS_ioprio_set
-#ifdef __NR_ioprio_set
-        {"ioprio_set", __NR_ioprio_set},
-#endif
-#endif
-#ifdef SYS_kcmp
-#ifdef __NR_kcmp
-        {"kcmp", __NR_kcmp},
-#endif
-#endif
-#ifdef SYS_kexec_file_load
-#ifdef __NR_kexec_file_load
-        {"kexec_file_load", __NR_kexec_file_load},
-#endif
-#endif
-#ifdef SYS_kexec_load
-#ifdef __NR_kexec_load
-        {"kexec_load", __NR_kexec_load},
-#endif
-#endif
-#ifdef SYS_keyctl
-#ifdef __NR_keyctl
-        {"keyctl", __NR_keyctl},
-#endif
-#endif
-#ifdef SYS_kill
-#ifdef __NR_kill
-        {"kill", __NR_kill},
-#endif
-#endif
-#ifdef SYS_lchown
-#ifdef __NR_lchown
-        {"lchown", __NR_lchown},
-#endif
-#endif
-#ifdef SYS_lgetxattr
-#ifdef __NR_lgetxattr
-        {"lgetxattr", __NR_lgetxattr},
-#endif
-#endif
-#ifdef SYS_link
-#ifdef __NR_link
-        {"link", __NR_link},
-#endif
-#endif
-#ifdef SYS_linkat
-#ifdef __NR_linkat
-        {"linkat", __NR_linkat},
-#endif
-#endif
-#ifdef SYS_listen
-#ifdef __NR_listen
-        {"listen", __NR_listen},
-#endif
-#endif
-#ifdef SYS_listxattr
-#ifdef __NR_listxattr
-        {"listxattr", __NR_listxattr},
-#endif
-#endif
-#ifdef SYS_llistxattr
-#ifdef __NR_llistxattr
-        {"llistxattr", __NR_llistxattr},
-#endif
-#endif
-#ifdef SYS_lookup_dcookie
-#ifdef __NR_lookup_dcookie
-        {"lookup_dcookie", __NR_lookup_dcookie},
-#endif
-#endif
-#ifdef SYS_lremovexattr
-#ifdef __NR_lremovexattr
-        {"lremovexattr", __NR_lremovexattr},
-#endif
-#endif
-#ifdef SYS_lseek
-#ifdef __NR_lseek
-        {"lseek", __NR_lseek},
-#endif
-#endif
-#ifdef SYS_lsetxattr
-#ifdef __NR_lsetxattr
-        {"lsetxattr", __NR_lsetxattr},
-#endif
-#endif
-#ifdef SYS_lstat
-#ifdef __NR_lstat
-        {"lstat", __NR_lstat},
-#endif
-#endif
-#ifdef SYS_madvise
-#ifdef __NR_madvise
-        {"madvise", __NR_madvise},
-#endif
-#endif
-#ifdef SYS_mbind
-#ifdef __NR_mbind
-        {"mbind", __NR_mbind},
-#endif
-#endif
-#ifdef SYS_membarrier
-#ifdef __NR_membarrier
-        {"membarrier", __NR_membarrier},
-#endif
-#endif
-#ifdef SYS_memfd_create
-#ifdef __NR_memfd_create
-        {"memfd_create", __NR_memfd_create},
-#endif
-#endif
-#ifdef SYS_migrate_pages
-#ifdef __NR_migrate_pages
-        {"migrate_pages", __NR_migrate_pages},
-#endif
-#endif
-#ifdef SYS_mincore
-#ifdef __NR_mincore
-        {"mincore", __NR_mincore},
-#endif
-#endif
-#ifdef SYS_mkdir
-#ifdef __NR_mkdir
-        {"mkdir", __NR_mkdir},
-#endif
-#endif
-#ifdef SYS_mkdirat
-#ifdef __NR_mkdirat
-        {"mkdirat", __NR_mkdirat},
-#endif
-#endif
-#ifdef SYS_mknod
-#ifdef __NR_mknod
-        {"mknod", __NR_mknod},
-#endif
-#endif
-#ifdef SYS_mknodat
-#ifdef __NR_mknodat
-        {"mknodat", __NR_mknodat},
-#endif
-#endif
-#ifdef SYS_mlock
-#ifdef __NR_mlock
-        {"mlock", __NR_mlock},
-#endif
-#endif
-#ifdef SYS_mlock2
-#ifdef __NR_mlock2
-        {"mlock2", __NR_mlock2},
-#endif
-#endif
-#ifdef SYS_mlockall
-#ifdef __NR_mlockall
-        {"mlockall", __NR_mlockall},
-#endif
-#endif
-#ifdef SYS_mmap
-#ifdef __NR_mmap
-        {"mmap", __NR_mmap},
-#endif
-#endif
-#ifdef SYS_modify_ldt
-#ifdef __NR_modify_ldt
-        {"modify_ldt", __NR_modify_ldt},
-#endif
-#endif
-#ifdef SYS_mount
-#ifdef __NR_mount
-        {"mount", __NR_mount},
-#endif
-#endif
-#ifdef SYS_move_pages
-#ifdef __NR_move_pages
-        {"move_pages", __NR_move_pages},
-#endif
-#endif
-#ifdef SYS_mprotect
-#ifdef __NR_mprotect
-        {"mprotect", __NR_mprotect},
-#endif
-#endif
-#ifdef SYS_mq_getsetattr
-#ifdef __NR_mq_getsetattr
-        {"mq_getsetattr", __NR_mq_getsetattr},
-#endif
-#endif
-#ifdef SYS_mq_notify
-#ifdef __NR_mq_notify
-        {"mq_notify", __NR_mq_notify},
-#endif
-#endif
-#ifdef SYS_mq_open
-#ifdef __NR_mq_open
-        {"mq_open", __NR_mq_open},
-#endif
-#endif
-#ifdef SYS_mq_timedreceive
-#ifdef __NR_mq_timedreceive
-        {"mq_timedreceive", __NR_mq_timedreceive},
-#endif
-#endif
-#ifdef SYS_mq_timedsend
-#ifdef __NR_mq_timedsend
-        {"mq_timedsend", __NR_mq_timedsend},
-#endif
-#endif
-#ifdef SYS_mq_unlink
-#ifdef __NR_mq_unlink
-        {"mq_unlink", __NR_mq_unlink},
-#endif
-#endif
-#ifdef SYS_mremap
-#ifdef __NR_mremap
-        {"mremap", __NR_mremap},
-#endif
-#endif
-#ifdef SYS_msgctl
-#ifdef __NR_msgctl
-        {"msgctl", __NR_msgctl},
-#endif
-#endif
-#ifdef SYS_msgget
-#ifdef __NR_msgget
-        {"msgget", __NR_msgget},
-#endif
-#endif
-#ifdef SYS_msgrcv
-#ifdef __NR_msgrcv
-        {"msgrcv", __NR_msgrcv},
-#endif
-#endif
-#ifdef SYS_msgsnd
-#ifdef __NR_msgsnd
-        {"msgsnd", __NR_msgsnd},
-#endif
-#endif
-#ifdef SYS_msync
-#ifdef __NR_msync
-        {"msync", __NR_msync},
-#endif
-#endif
-#ifdef SYS_munlock
-#ifdef __NR_munlock
-        {"munlock", __NR_munlock},
-#endif
-#endif
-#ifdef SYS_munlockall
-#ifdef __NR_munlockall
-        {"munlockall", __NR_munlockall},
-#endif
-#endif
-#ifdef SYS_munmap
-#ifdef __NR_munmap
-        {"munmap", __NR_munmap},
-#endif
-#endif
-#ifdef SYS_name_to_handle_at
-#ifdef __NR_name_to_handle_at
-        {"name_to_handle_at", __NR_name_to_handle_at},
-#endif
-#endif
-#ifdef SYS_nanosleep
-#ifdef __NR_nanosleep
-        {"nanosleep", __NR_nanosleep},
-#endif
-#endif
-#ifdef SYS_newfstatat
-#ifdef __NR_newfstatat
-        {"newfstatat", __NR_newfstatat},
-#endif
-#endif
-#ifdef SYS_open
-#ifdef __NR_open
-        {"open", __NR_open},
-#endif
-#endif
-#ifdef SYS_open_by_handle_at
-#ifdef __NR_open_by_handle_at
-        {"open_by_handle_at", __NR_open_by_handle_at},
-#endif
-#endif
-#ifdef SYS_openat
-#ifdef __NR_openat
-        {"openat", __NR_openat},
-#endif
-#endif
-#ifdef SYS_pause
-#ifdef __NR_pause
-        {"pause", __NR_pause},
-#endif
-#endif
-#ifdef SYS_perf_event_open
-#ifdef __NR_perf_event_open
-        {"perf_event_open", __NR_perf_event_open},
-#endif
-#endif
-#ifdef SYS_personality
-#ifdef __NR_personality
-        {"personality", __NR_personality},
-#endif
-#endif
-#ifdef SYS_pipe
-#ifdef __NR_pipe
-        {"pipe", __NR_pipe},
-#endif
-#endif
-#ifdef SYS_pipe2
-#ifdef __NR_pipe2
-        {"pipe2", __NR_pipe2},
-#endif
-#endif
-#ifdef SYS_pivot_root
-#ifdef __NR_pivot_root
-        {"pivot_root", __NR_pivot_root},
-#endif
-#endif
-#ifdef SYS_poll
-#ifdef __NR_poll
-        {"poll", __NR_poll},
-#endif
-#endif
-#ifdef SYS_ppoll
-#ifdef __NR_ppoll
-        {"ppoll", __NR_ppoll},
-#endif
-#endif
-#ifdef SYS_prctl
-#ifdef __NR_prctl
-        {"prctl", __NR_prctl},
-#endif
-#endif
-#ifdef SYS_pread64
-#ifdef __NR_pread64
-        {"pread64", __NR_pread64},
-#endif
-#endif
-#ifdef SYS_preadv
-#ifdef __NR_preadv
-        {"preadv", __NR_preadv},
-#endif
-#endif
-#ifdef SYS_preadv2
-#ifdef __NR_preadv2
-        {"preadv2", __NR_preadv2},
-#endif
-#endif
-#ifdef SYS_prlimit64
-#ifdef __NR_prlimit64
-        {"prlimit64", __NR_prlimit64},
-#endif
-#endif
-#ifdef SYS_process_vm_readv
-#ifdef __NR_process_vm_readv
-        {"process_vm_readv", __NR_process_vm_readv},
-#endif
-#endif
-#ifdef SYS_process_vm_writev
-#ifdef __NR_process_vm_writev
-        {"process_vm_writev", __NR_process_vm_writev},
-#endif
-#endif
-#ifdef SYS_pselect6
-#ifdef __NR_pselect6
-        {"pselect6", __NR_pselect6},
-#endif
-#endif
-#ifdef SYS_ptrace
-#ifdef __NR_ptrace
-        {"ptrace", __NR_ptrace},
-#endif
-#endif
-#ifdef SYS_putpmsg
-#ifdef __NR_putpmsg
-        {"putpmsg", __NR_putpmsg},
-#endif
-#endif
-#ifdef SYS_pwrite64
-#ifdef __NR_pwrite64
-        {"pwrite64", __NR_pwrite64},
-#endif
-#endif
-#ifdef SYS_pwritev
-#ifdef __NR_pwritev
-        {"pwritev", __NR_pwritev},
-#endif
-#endif
-#ifdef SYS_pwritev2
-#ifdef __NR_pwritev2
-        {"pwritev2", __NR_pwritev2},
-#endif
-#endif
-#ifdef SYS_quotactl
-#ifdef __NR_quotactl
-        {"quotactl", __NR_quotactl},
-#endif
-#endif
-#ifdef SYS_read
-#ifdef __NR_read
-        {"read", __NR_read},
-#endif
-#endif
-#ifdef SYS_readahead
-#ifdef __NR_readahead
-        {"readahead", __NR_readahead},
-#endif
-#endif
-#ifdef SYS_readlink
-#ifdef __NR_readlink
-        {"readlink", __NR_readlink},
-#endif
-#endif
-#ifdef SYS_readlinkat
-#ifdef __NR_readlinkat
-        {"readlinkat", __NR_readlinkat},
-#endif
-#endif
-#ifdef SYS_readv
-#ifdef __NR_readv
-        {"readv", __NR_readv},
-#endif
-#endif
-#ifdef SYS_reboot
-#ifdef __NR_reboot
-        {"reboot", __NR_reboot},
-#endif
-#endif
-#ifdef SYS_recvfrom
-#ifdef __NR_recvfrom
-        {"recvfrom", __NR_recvfrom},
-#endif
-#endif
-#ifdef SYS_recvmmsg
-#ifdef __NR_recvmmsg
-        {"recvmmsg", __NR_recvmmsg},
-#endif
-#endif
-#ifdef SYS_recvmsg
-#ifdef __NR_recvmsg
-        {"recvmsg", __NR_recvmsg},
-#endif
-#endif
-#ifdef SYS_remap_file_pages
-#ifdef __NR_remap_file_pages
-        {"remap_file_pages", __NR_remap_file_pages},
-#endif
-#endif
-#ifdef SYS_removexattr
-#ifdef __NR_removexattr
-        {"removexattr", __NR_removexattr},
-#endif
-#endif
-#ifdef SYS_rename
-#ifdef __NR_rename
-        {"rename", __NR_rename},
-#endif
-#endif
-#ifdef SYS_renameat
-#ifdef __NR_renameat
-        {"renameat", __NR_renameat},
-#endif
-#endif
-#ifdef SYS_renameat2
-#ifdef __NR_renameat2
-        {"renameat2", __NR_renameat2},
-#endif
-#endif
-#ifdef SYS_request_key
-#ifdef __NR_request_key
-        {"request_key", __NR_request_key},
-#endif
-#endif
-#ifdef SYS_restart_syscall
-#ifdef __NR_restart_syscall
-        {"restart_syscall", __NR_restart_syscall},
-#endif
-#endif
-#ifdef SYS_rmdir
-#ifdef __NR_rmdir
-        {"rmdir", __NR_rmdir},
-#endif
-#endif
-#ifdef SYS_rt_sigaction
-#ifdef __NR_rt_sigaction
-        {"rt_sigaction", __NR_rt_sigaction},
-#endif
-#endif
-#ifdef SYS_rt_sigpending
-#ifdef __NR_rt_sigpending
-        {"rt_sigpending", __NR_rt_sigpending},
-#endif
-#endif
-#ifdef SYS_rt_sigprocmask
-#ifdef __NR_rt_sigprocmask
-        {"rt_sigprocmask", __NR_rt_sigprocmask},
-#endif
-#endif
-#ifdef SYS_rt_sigqueueinfo
-#ifdef __NR_rt_sigqueueinfo
-        {"rt_sigqueueinfo", __NR_rt_sigqueueinfo},
-#endif
-#endif
-#ifdef SYS_rt_sigreturn
-#ifdef __NR_rt_sigreturn
-        {"rt_sigreturn", __NR_rt_sigreturn},
-#endif
-#endif
-#ifdef SYS_rt_sigsuspend
-#ifdef __NR_rt_sigsuspend
-        {"rt_sigsuspend", __NR_rt_sigsuspend},
-#endif
-#endif
-#ifdef SYS_rt_sigtimedwait
-#ifdef __NR_rt_sigtimedwait
-        {"rt_sigtimedwait", __NR_rt_sigtimedwait},
-#endif
-#endif
-#ifdef SYS_rt_tgsigqueueinfo
-#ifdef __NR_rt_tgsigqueueinfo
-        {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_max
-#ifdef __NR_sched_get_priority_max
-        {"sched_get_priority_max", __NR_sched_get_priority_max},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_min
-#ifdef __NR_sched_get_priority_min
-        {"sched_get_priority_min", __NR_sched_get_priority_min},
-#endif
-#endif
-#ifdef SYS_sched_getaffinity
-#ifdef __NR_sched_getaffinity
-        {"sched_getaffinity", __NR_sched_getaffinity},
-#endif
-#endif
-#ifdef SYS_sched_getattr
-#ifdef __NR_sched_getattr
-        {"sched_getattr", __NR_sched_getattr},
-#endif
-#endif
-#ifdef SYS_sched_getparam
-#ifdef __NR_sched_getparam
-        {"sched_getparam", __NR_sched_getparam},
-#endif
-#endif
-#ifdef SYS_sched_getscheduler
-#ifdef __NR_sched_getscheduler
-        {"sched_getscheduler", __NR_sched_getscheduler},
-#endif
-#endif
-#ifdef SYS_sched_rr_get_interval
-#ifdef __NR_sched_rr_get_interval
-        {"sched_rr_get_interval", __NR_sched_rr_get_interval},
-#endif
-#endif
-#ifdef SYS_sched_setaffinity
-#ifdef __NR_sched_setaffinity
-        {"sched_setaffinity", __NR_sched_setaffinity},
-#endif
-#endif
-#ifdef SYS_sched_setattr
-#ifdef __NR_sched_setattr
-        {"sched_setattr", __NR_sched_setattr},
-#endif
-#endif
-#ifdef SYS_sched_setparam
-#ifdef __NR_sched_setparam
-        {"sched_setparam", __NR_sched_setparam},
-#endif
-#endif
-#ifdef SYS_sched_setscheduler
-#ifdef __NR_sched_setscheduler
-        {"sched_setscheduler", __NR_sched_setscheduler},
-#endif
-#endif
-#ifdef SYS_sched_yield
-#ifdef __NR_sched_yield
-        {"sched_yield", __NR_sched_yield},
-#endif
-#endif
-#ifdef SYS_seccomp
-#ifdef __NR_seccomp
-        {"seccomp", __NR_seccomp},
-#endif
-#endif
-#ifdef SYS_security
-#ifdef __NR_security
-        {"security", __NR_security},
-#endif
-#endif
-#ifdef SYS_select
-#ifdef __NR_select
-        {"select", __NR_select},
-#endif
-#endif
-#ifdef SYS_semctl
-#ifdef __NR_semctl
-        {"semctl", __NR_semctl},
-#endif
-#endif
-#ifdef SYS_semget
-#ifdef __NR_semget
-        {"semget", __NR_semget},
-#endif
-#endif
-#ifdef SYS_semop
-#ifdef __NR_semop
-        {"semop", __NR_semop},
-#endif
-#endif
-#ifdef SYS_semtimedop
-#ifdef __NR_semtimedop
-        {"semtimedop", __NR_semtimedop},
-#endif
-#endif
-#ifdef SYS_sendfile
-#ifdef __NR_sendfile
-        {"sendfile", __NR_sendfile},
-#endif
-#endif
-#ifdef SYS_sendmmsg
-#ifdef __NR_sendmmsg
-        {"sendmmsg", __NR_sendmmsg},
-#endif
-#endif
-#ifdef SYS_sendmsg
-#ifdef __NR_sendmsg
-        {"sendmsg", __NR_sendmsg},
-#endif
-#endif
-#ifdef SYS_sendto
-#ifdef __NR_sendto
-        {"sendto", __NR_sendto},
-#endif
-#endif
-#ifdef SYS_set_mempolicy
-#ifdef __NR_set_mempolicy
-        {"set_mempolicy", __NR_set_mempolicy},
-#endif
-#endif
-#ifdef SYS_set_robust_list
-#ifdef __NR_set_robust_list
-        {"set_robust_list", __NR_set_robust_list},
-#endif
-#endif
-#ifdef SYS_set_tid_address
-#ifdef __NR_set_tid_address
-        {"set_tid_address", __NR_set_tid_address},
-#endif
-#endif
-#ifdef SYS_setdomainname
-#ifdef __NR_setdomainname
-        {"setdomainname", __NR_setdomainname},
-#endif
-#endif
-#ifdef SYS_setfsgid
-#ifdef __NR_setfsgid
-        {"setfsgid", __NR_setfsgid},
-#endif
-#endif
-#ifdef SYS_setfsuid
-#ifdef __NR_setfsuid
-        {"setfsuid", __NR_setfsuid},
-#endif
-#endif
-#ifdef SYS_setgid
-#ifdef __NR_setgid
-        {"setgid", __NR_setgid},
-#endif
-#endif
-#ifdef SYS_setgroups
-#ifdef __NR_setgroups
-        {"setgroups", __NR_setgroups},
-#endif
-#endif
-#ifdef SYS_sethostname
-#ifdef __NR_sethostname
-        {"sethostname", __NR_sethostname},
-#endif
-#endif
-#ifdef SYS_setitimer
-#ifdef __NR_setitimer
-        {"setitimer", __NR_setitimer},
-#endif
-#endif
-#ifdef SYS_setns
-#ifdef __NR_setns
-        {"setns", __NR_setns},
-#endif
-#endif
-#ifdef SYS_setpgid
-#ifdef __NR_setpgid
-        {"setpgid", __NR_setpgid},
-#endif
-#endif
-#ifdef SYS_setpriority
-#ifdef __NR_setpriority
-        {"setpriority", __NR_setpriority},
-#endif
-#endif
-#ifdef SYS_setregid
-#ifdef __NR_setregid
-        {"setregid", __NR_setregid},
-#endif
-#endif
-#ifdef SYS_setresgid
-#ifdef __NR_setresgid
-        {"setresgid", __NR_setresgid},
-#endif
-#endif
-#ifdef SYS_setresuid
-#ifdef __NR_setresuid
-        {"setresuid", __NR_setresuid},
-#endif
-#endif
-#ifdef SYS_setreuid
-#ifdef __NR_setreuid
-        {"setreuid", __NR_setreuid},
-#endif
-#endif
-#ifdef SYS_setrlimit
-#ifdef __NR_setrlimit
-        {"setrlimit", __NR_setrlimit},
-#endif
-#endif
-#ifdef SYS_setsid
-#ifdef __NR_setsid
-        {"setsid", __NR_setsid},
-#endif
-#endif
-#ifdef SYS_setsockopt
-#ifdef __NR_setsockopt
-        {"setsockopt", __NR_setsockopt},
-#endif
-#endif
-#ifdef SYS_settimeofday
-#ifdef __NR_settimeofday
-        {"settimeofday", __NR_settimeofday},
-#endif
-#endif
-#ifdef SYS_setuid
-#ifdef __NR_setuid
-        {"setuid", __NR_setuid},
-#endif
-#endif
-#ifdef SYS_setxattr
-#ifdef __NR_setxattr
-        {"setxattr", __NR_setxattr},
-#endif
-#endif
-#ifdef SYS_shmat
-#ifdef __NR_shmat
-        {"shmat", __NR_shmat},
-#endif
-#endif
-#ifdef SYS_shmctl
-#ifdef __NR_shmctl
-        {"shmctl", __NR_shmctl},
-#endif
-#endif
-#ifdef SYS_shmdt
-#ifdef __NR_shmdt
-        {"shmdt", __NR_shmdt},
-#endif
-#endif
-#ifdef SYS_shmget
-#ifdef __NR_shmget
-        {"shmget", __NR_shmget},
-#endif
-#endif
-#ifdef SYS_shutdown
-#ifdef __NR_shutdown
-        {"shutdown", __NR_shutdown},
-#endif
-#endif
-#ifdef SYS_sigaltstack
-#ifdef __NR_sigaltstack
-        {"sigaltstack", __NR_sigaltstack},
-#endif
-#endif
-#ifdef SYS_signalfd
-#ifdef __NR_signalfd
-        {"signalfd", __NR_signalfd},
-#endif
-#endif
-#ifdef SYS_signalfd4
-#ifdef __NR_signalfd4
-        {"signalfd4", __NR_signalfd4},
-#endif
-#endif
-#ifdef SYS_socket
-#ifdef __NR_socket
-        {"socket", __NR_socket},
-#endif
-#endif
-#ifdef SYS_socketpair
-#ifdef __NR_socketpair
-        {"socketpair", __NR_socketpair},
-#endif
-#endif
-#ifdef SYS_splice
-#ifdef __NR_splice
-        {"splice", __NR_splice},
-#endif
-#endif
-#ifdef SYS_stat
-#ifdef __NR_stat
-        {"stat", __NR_stat},
-#endif
-#endif
-#ifdef SYS_statfs
-#ifdef __NR_statfs
-        {"statfs", __NR_statfs},
-#endif
-#endif
-#ifdef SYS_swapoff
-#ifdef __NR_swapoff
-        {"swapoff", __NR_swapoff},
-#endif
-#endif
-#ifdef SYS_swapon
-#ifdef __NR_swapon
-        {"swapon", __NR_swapon},
-#endif
-#endif
-#ifdef SYS_symlink
-#ifdef __NR_symlink
-        {"symlink", __NR_symlink},
-#endif
-#endif
-#ifdef SYS_symlinkat
-#ifdef __NR_symlinkat
-        {"symlinkat", __NR_symlinkat},
-#endif
-#endif
-#ifdef SYS_sync
-#ifdef __NR_sync
-        {"sync", __NR_sync},
-#endif
-#endif
-#ifdef SYS_sync_file_range
-#ifdef __NR_sync_file_range
-        {"sync_file_range", __NR_sync_file_range},
-#endif
-#endif
-#ifdef SYS_syncfs
-#ifdef __NR_syncfs
-        {"syncfs", __NR_syncfs},
-#endif
-#endif
-#ifdef SYS_sysfs
-#ifdef __NR_sysfs
-        {"sysfs", __NR_sysfs},
-#endif
-#endif
-#ifdef SYS_sysinfo
-#ifdef __NR_sysinfo
-        {"sysinfo", __NR_sysinfo},
-#endif
-#endif
-#ifdef SYS_syslog
-#ifdef __NR_syslog
-        {"syslog", __NR_syslog},
-#endif
-#endif
-#ifdef SYS_tee
-#ifdef __NR_tee
-        {"tee", __NR_tee},
-#endif
-#endif
-#ifdef SYS_tgkill
-#ifdef __NR_tgkill
-        {"tgkill", __NR_tgkill},
-#endif
-#endif
-#ifdef SYS_time
-#ifdef __NR_time
-        {"time", __NR_time},
-#endif
-#endif
-#ifdef SYS_timer_create
-#ifdef __NR_timer_create
-        {"timer_create", __NR_timer_create},
-#endif
-#endif
-#ifdef SYS_timer_delete
-#ifdef __NR_timer_delete
-        {"timer_delete", __NR_timer_delete},
-#endif
-#endif
-#ifdef SYS_timer_getoverrun
-#ifdef __NR_timer_getoverrun
-        {"timer_getoverrun", __NR_timer_getoverrun},
-#endif
-#endif
-#ifdef SYS_timer_gettime
-#ifdef __NR_timer_gettime
-        {"timer_gettime", __NR_timer_gettime},
-#endif
-#endif
-#ifdef SYS_timer_settime
-#ifdef __NR_timer_settime
-        {"timer_settime", __NR_timer_settime},
-#endif
-#endif
-#ifdef SYS_timerfd_create
-#ifdef __NR_timerfd_create
-        {"timerfd_create", __NR_timerfd_create},
-#endif
-#endif
-#ifdef SYS_timerfd_gettime
-#ifdef __NR_timerfd_gettime
-        {"timerfd_gettime", __NR_timerfd_gettime},
-#endif
-#endif
-#ifdef SYS_timerfd_settime
-#ifdef __NR_timerfd_settime
-        {"timerfd_settime", __NR_timerfd_settime},
-#endif
-#endif
-#ifdef SYS_times
-#ifdef __NR_times
-        {"times", __NR_times},
-#endif
-#endif
-#ifdef SYS_tkill
-#ifdef __NR_tkill
-        {"tkill", __NR_tkill},
-#endif
-#endif
-#ifdef SYS_truncate
-#ifdef __NR_truncate
-        {"truncate", __NR_truncate},
-#endif
-#endif
-#ifdef SYS_tuxcall
-#ifdef __NR_tuxcall
-        {"tuxcall", __NR_tuxcall},
-#endif
-#endif
-#ifdef SYS_umask
-#ifdef __NR_umask
-        {"umask", __NR_umask},
-#endif
-#endif
-#ifdef SYS_umount2
-#ifdef __NR_umount2
-        {"umount2", __NR_umount2},
-#endif
-#endif
-#ifdef SYS_uname
-#ifdef __NR_uname
-        {"uname", __NR_uname},
-#endif
-#endif
-#ifdef SYS_unlink
-#ifdef __NR_unlink
-        {"unlink", __NR_unlink},
-#endif
-#endif
-#ifdef SYS_unlinkat
-#ifdef __NR_unlinkat
-        {"unlinkat", __NR_unlinkat},
-#endif
-#endif
-#ifdef SYS_unshare
-#ifdef __NR_unshare
-        {"unshare", __NR_unshare},
-#endif
-#endif
-#ifdef SYS_userfaultfd
-#ifdef __NR_userfaultfd
-        {"userfaultfd", __NR_userfaultfd},
-#endif
-#endif
-#ifdef SYS_ustat
-#ifdef __NR_ustat
-        {"ustat", __NR_ustat},
-#endif
-#endif
-#ifdef SYS_utime
-#ifdef __NR_utime
-        {"utime", __NR_utime},
-#endif
-#endif
-#ifdef SYS_utimensat
-#ifdef __NR_utimensat
-        {"utimensat", __NR_utimensat},
-#endif
-#endif
-#ifdef SYS_utimes
-#ifdef __NR_utimes
-        {"utimes", __NR_utimes},
-#endif
-#endif
-#ifdef SYS_vfork
-#ifdef __NR_vfork
-        {"vfork", __NR_vfork},
-#endif
-#endif
-#ifdef SYS_vhangup
-#ifdef __NR_vhangup
-        {"vhangup", __NR_vhangup},
-#endif
-#endif
-#ifdef SYS_vmsplice
-#ifdef __NR_vmsplice
-        {"vmsplice", __NR_vmsplice},
-#endif
-#endif
-#ifdef SYS_wait4
-#ifdef __NR_wait4
-        {"wait4", __NR_wait4},
-#endif
-#endif
-#ifdef SYS_waitid
-#ifdef __NR_waitid
-        {"waitid", __NR_waitid},
-#endif
-#endif
-#ifdef SYS_write
-#ifdef __NR_write
-        {"write", __NR_write},
-#endif
-#endif
-#ifdef SYS_writev
-#ifdef __NR_writev
-        {"writev", __NR_writev},
-#endif
-#endif
 #endif
-//#endif
diff --git a/src/include/syscall_armeabi.h b/src/include/syscall_armeabi.h
new file mode 100644
index 000000000..3b574f875
--- /dev/null
+++ b/src/include/syscall_armeabi.h
@@ -0,0 +1,355 @@
+{ "accept", 285 },
+{ "accept4", 366 },
+{ "access", 33 },
+{ "acct", 51 },
+{ "add_key", 309 },
+{ "adjtimex", 124 },
+{ "alarm", 27 },
+{ "arm_fadvise64_64", 270 },
+{ "arm_sync_file_range", 341 },
+{ "bdflush", 134 },
+{ "bind", 282 },
+{ "bpf", 386 },
+{ "brk", 45 },
+{ "capget", 184 },
+{ "capset", 185 },
+{ "chdir", 12 },
+{ "chmod", 15 },
+{ "chown", 182 },
+{ "chown32", 212 },
+{ "chroot", 61 },
+{ "clock_adjtime", 372 },
+{ "clock_getres", 264 },
+{ "clock_gettime", 263 },
+{ "clock_nanosleep", 265 },
+{ "clock_settime", 262 },
+{ "clone", 120 },
+{ "close", 6 },
+{ "connect", 283 },
+{ "creat", 8 },
+{ "delete_module", 129 },
+{ "dup2", 63 },
+{ "dup3", 358 },
+{ "dup", 41 },
+{ "epoll_create1", 357 },
+{ "epoll_create", 250 },
+{ "epoll_ctl", 251 },
+{ "epoll_pwait", 346 },
+{ "epoll_wait", 252 },
+{ "eventfd2", 356 },
+{ "eventfd", 351 },
+{ "execve", 11 },
+{ "exit", 1 },
+{ "exit_group", 248 },
+{ "faccessat", 334 },
+{ "faccessat2", 439 },
+{ "fallocate", 352 },
+{ "fanotify_init", 367 },
+{ "fanotify_mark", 368 },
+{ "fchdir", 133 },
+{ "fchmod", 94 },
+{ "fchmodat", 333 },
+{ "fchown32", 207 },
+{ "fchown", 95 },
+{ "fchownat", 325 },
+{ "fcntl", 55 },
+{ "fcntl64", 221 },
+{ "fdatasync", 148 },
+{ "fgetxattr", 231 },
+{ "finit_module", 379 },
+{ "flistxattr", 234 },
+{ "flock", 143 },
+{ "fork", 2 },
+{ "fremovexattr", 237 },
+{ "fsetxattr", 228 },
+{ "fstat", 108 },
+{ "fstat64", 197 },
+{ "fstatat64", 327 },
+{ "fstatfs", 100 },
+{ "fstatfs64", 267 },
+{ "fsync", 118 },
+{ "ftruncate64", 194 },
+{ "ftruncate", 93 },
+{ "futex", 240 },
+{ "futimesat", 326 },
+{ "getcpu", 345 },
+{ "getcwd", 183 },
+{ "getdents", 141 },
+{ "getdents64", 217 },
+{ "getegid32", 202 },
+{ "getegid", 50 },
+{ "geteuid32", 201 },
+{ "geteuid", 49 },
+{ "getgid32", 200 },
+{ "getgid", 47 },
+{ "getgroups32", 205 },
+{ "getgroups", 80 },
+{ "getitimer", 105 },
+{ "get_mempolicy", 320 },
+{ "getpeername", 287 },
+{ "getpgid", 132 },
+{ "getpgrp", 65 },
+{ "getpid", 20 },
+{ "getppid", 64 },
+{ "getpriority", 96 },
+{ "getrandom", 384 },
+{ "getresgid", 171 },
+{ "getresgid32", 211 },
+{ "getresuid", 165 },
+{ "getresuid32", 209 },
+{ "getrlimit", 76 },
+{ "get_robust_list", 339 },
+{ "getrusage", 77 },
+{ "getsid", 147 },
+{ "getsockname", 286 },
+{ "getsockopt", 295 },
+{ "gettid", 224 },
+{ "gettimeofday", 78 },
+{ "getuid", 24 },
+{ "getuid32", 199 },
+{ "getxattr", 229 },
+{ "init_module", 128 },
+{ "inotify_add_watch", 317 },
+{ "inotify_init1", 360 },
+{ "inotify_init", 316 },
+{ "inotify_rm_watch", 318 },
+{ "io_cancel", 247 },
+{ "ioctl", 54 },
+{ "io_destroy", 244 },
+{ "io_getevents", 245 },
+{ "ioprio_get", 315 },
+{ "ioprio_set", 314 },
+{ "io_setup", 243 },
+{ "io_submit", 246 },
+{ "ipc", 117 },
+{ "kcmp", 378 },
+{ "kexec_load", 347 },
+{ "keyctl", 311 },
+{ "kill", 37 },
+{ "lchown", 16 },
+{ "lchown32", 198 },
+{ "lgetxattr", 230 },
+{ "link", 9 },
+{ "linkat", 330 },
+{ "listen", 284 },
+{ "listxattr", 232 },
+{ "llistxattr", 233 },
+{ "_llseek", 140 },
+{ "lookup_dcookie", 249 },
+{ "lremovexattr", 236 },
+{ "lseek", 19 },
+{ "lsetxattr", 227 },
+{ "lstat", 107 },
+{ "lstat64", 196 },
+{ "madvise", 220 },
+{ "mbind", 319 },
+{ "memfd_create", 385 },
+{ "mincore", 219 },
+{ "mkdir", 39 },
+{ "mkdirat", 323 },
+{ "mknod", 14 },
+{ "mknodat", 324 },
+{ "mlock", 150 },
+{ "mlockall", 152 },
+{ "mmap2", 192 },
+{ "mmap", 90 },
+{ "mount", 21 },
+{ "move_pages", 344 },
+{ "mprotect", 125 },
+{ "mq_getsetattr", 279 },
+{ "mq_notify", 278 },
+{ "mq_open", 274 },
+{ "mq_timedreceive", 277 },
+{ "mq_timedsend", 276 },
+{ "mq_unlink", 275 },
+{ "mremap", 163 },
+{ "msgctl", 304 },
+{ "msgget", 303 },
+{ "msgrcv", 302 },
+{ "msgsnd", 301 },
+{ "msync", 144 },
+{ "munlock", 151 },
+{ "munlockall", 153 },
+{ "munmap", 91 },
+{ "name_to_handle_at", 370 },
+{ "nanosleep", 162 },
+{ "_newselect", 142 },
+{ "nfsservctl", 169 },
+{ "nice", 34 },
+{ "open", 5 },
+{ "openat", 322 },
+{ "open_by_handle_at", 371 },
+{ "pause", 29 },
+{ "pciconfig_iobase", 271 },
+{ "pciconfig_read", 272 },
+{ "pciconfig_write", 273 },
+{ "perf_event_open", 364 },
+{ "personality", 136 },
+{ "pipe2", 359 },
+{ "pipe", 42 },
+{ "pivot_root", 218 },
+{ "poll", 168 },
+{ "ppoll", 336 },
+{ "prctl", 172 },
+{ "pread64", 180 },
+{ "preadv", 361 },
+{ "prlimit64", 369 },
+{ "process_vm_readv", 376 },
+{ "process_vm_writev", 377 },
+{ "pselect6", 335 },
+{ "ptrace", 26 },
+{ "pwrite64", 181 },
+{ "pwritev", 362 },
+{ "quotactl", 131 },
+{ "read", 3 },
+{ "readahead", 225 },
+{ "readdir", 89 },
+{ "readlink", 85 },
+{ "readlinkat", 332 },
+{ "readv", 145 },
+{ "reboot", 88 },
+{ "recv", 291 },
+{ "recvfrom", 292 },
+{ "recvmmsg", 365 },
+{ "recvmsg", 297 },
+{ "remap_file_pages", 253 },
+{ "removexattr", 235 },
+{ "rename", 38 },
+{ "renameat2", 382 },
+{ "renameat", 329 },
+{ "request_key", 310 },
+{ "rmdir", 40 },
+{ "rt_sigaction", 174 },
+{ "rt_sigpending", 176 },
+{ "rt_sigprocmask", 175 },
+{ "rt_sigqueueinfo", 178 },
+{ "rt_sigreturn", 173 },
+{ "rt_sigsuspend", 179 },
+{ "rt_sigtimedwait", 177 },
+{ "rt_tgsigqueueinfo", 363 },
+{ "sched_getaffinity", 242 },
+{ "sched_getattr", 381 },
+{ "sched_getparam", 155 },
+{ "sched_get_priority_max", 159 },
+{ "sched_get_priority_min", 160 },
+{ "sched_getscheduler", 157 },
+{ "sched_rr_get_interval", 161 },
+{ "sched_setaffinity", 241 },
+{ "sched_setattr", 380 },
+{ "sched_setparam", 154 },
+{ "sched_setscheduler", 156 },
+{ "sched_yield", 158 },
+{ "seccomp", 383 },
+{ "select", 82 },
+{ "semctl", 300 },
+{ "semget", 299 },
+{ "semop", 298 },
+{ "semtimedop", 312 },
+{ "send", 289 },
+{ "sendfile", 187 },
+{ "sendfile64", 239 },
+{ "sendmmsg", 374 },
+{ "sendmsg", 296 },
+{ "sendto", 290 },
+{ "setdomainname", 121 },
+{ "setfsgid", 139 },
+{ "setfsgid32", 216 },
+{ "setfsuid", 138 },
+{ "setfsuid32", 215 },
+{ "setgid32", 214 },
+{ "setgid", 46 },
+{ "setgroups32", 206 },
+{ "setgroups", 81 },
+{ "sethostname", 74 },
+{ "setitimer", 104 },
+{ "set_mempolicy", 321 },
+{ "setns", 375 },
+{ "setpgid", 57 },
+{ "setpriority", 97 },
+{ "setregid32", 204 },
+{ "setregid", 71 },
+{ "setresgid", 170 },
+{ "setresgid32", 210 },
+{ "setresuid", 164 },
+{ "setresuid32", 208 },
+{ "setreuid32", 203 },
+{ "setreuid", 70 },
+{ "setrlimit", 75 },
+{ "set_robust_list", 338 },
+{ "setsid", 66 },
+{ "setsockopt", 294 },
+{ "set_tid_address", 256 },
+{ "settimeofday", 79 },
+{ "setuid", 23 },
+{ "setuid32", 213 },
+{ "setxattr", 226 },
+{ "shmat", 305 },
+{ "shmctl", 308 },
+{ "shmdt", 306 },
+{ "shmget", 307 },
+{ "shutdown", 293 },
+{ "sigaction", 67 },
+{ "sigaltstack", 186 },
+{ "signalfd", 349 },
+{ "signalfd4", 355 },
+{ "sigpending", 73 },
+{ "sigprocmask", 126 },
+{ "sigreturn", 119 },
+{ "sigsuspend", 72 },
+{ "socket", 281 },
+{ "socketcall", 102 },
+{ "socketpair", 288 },
+{ "splice", 340 },
+{ "stat", 106 },
+{ "stat64", 195 },
+{ "statfs64", 266 },
+{ "statfs", 99 },
+{ "stime", 25 },
+{ "swapoff", 115 },
+{ "swapon", 87 },
+{ "symlink", 83 },
+{ "symlinkat", 331 },
+{ "sync", 36 },
+{ "sync_file_range2", 341 },
+{ "syncfs", 373 },
+{ "syscall", 113 },
+{ "_sysctl", 149 },
+{ "sysfs", 135 },
+{ "sysinfo", 116 },
+{ "syslog", 103 },
+{ "tee", 342 },
+{ "tgkill", 268 },
+{ "time", 13 },
+{ "timer_create", 257 },
+{ "timer_delete", 261 },
+{ "timerfd_create", 350 },
+{ "timerfd_gettime", 354 },
+{ "timerfd_settime", 353 },
+{ "timer_getoverrun", 260 },
+{ "timer_gettime", 259 },
+{ "timer_settime", 258 },
+{ "times", 43 },
+{ "tkill", 238 },
+{ "truncate64", 193 },
+{ "truncate", 92 },
+{ "ugetrlimit", 191 },
+{ "umask", 60 },
+{ "umount", 22 },
+{ "umount2", 52 },
+{ "uname", 122 },
+{ "unlink", 10 },
+{ "unlinkat", 328 },
+{ "unshare", 337 },
+{ "uselib", 86 },
+{ "ustat", 62 },
+{ "utime", 30 },
+{ "utimensat", 348 },
+{ "utimes", 269 },
+{ "vfork", 190 },
+{ "vhangup", 111 },
+{ "vmsplice", 343 },
+{ "vserver", 313 },
+{ "wait4", 114 },
+{ "waitid", 280 },
+{ "write", 4 },
+{ "writev", 146 },
diff --git a/src/include/syscall_i386.h b/src/include/syscall_i386.h
new file mode 100644
index 000000000..752e11f24
--- /dev/null
+++ b/src/include/syscall_i386.h
@@ -0,0 +1,426 @@
+{ "_llseek", 140 },
+{ "_newselect", 142 },
+{ "_sysctl", 149 },
+{ "accept4", 364 },
+{ "access", 33 },
+{ "acct", 51 },
+{ "add_key", 286 },
+{ "adjtimex", 124 },
+{ "afs_syscall", 137 },
+{ "alarm", 27 },
+{ "arch_prctl", 384 },
+{ "bdflush", 134 },
+{ "bind", 361 },
+{ "bpf", 357 },
+{ "break", 17 },
+{ "brk", 45 },
+{ "capget", 184 },
+{ "capset", 185 },
+{ "chdir", 12 },
+{ "chmod", 15 },
+{ "chown", 182 },
+{ "chown32", 212 },
+{ "chroot", 61 },
+{ "clock_adjtime", 343 },
+{ "clock_adjtime64", 405 },
+{ "clock_getres", 266 },
+{ "clock_getres_time64", 406 },
+{ "clock_gettime", 265 },
+{ "clock_gettime64", 403 },
+{ "clock_nanosleep", 267 },
+{ "clock_nanosleep_time64", 407 },
+{ "clock_settime", 264 },
+{ "clock_settime64", 404 },
+{ "clone", 120 },
+{ "clone3", 435 },
+{ "close", 6 },
+{ "connect", 362 },
+{ "copy_file_range", 377 },
+{ "creat", 8 },
+{ "create_module", 127 },
+{ "delete_module", 129 },
+{ "dup", 41 },
+{ "dup2", 63 },
+{ "dup3", 330 },
+{ "epoll_create", 254 },
+{ "epoll_create1", 329 },
+{ "epoll_ctl", 255 },
+{ "epoll_pwait", 319 },
+{ "epoll_wait", 256 },
+{ "eventfd", 323 },
+{ "eventfd2", 328 },
+{ "execve", 11 },
+{ "execveat", 358 },
+{ "exit", 1 },
+{ "exit_group", 252 },
+{ "faccessat", 307 },
+{ "faccessat2", 439 },
+{ "fadvise64", 250 },
+{ "fadvise64_64", 272 },
+{ "fallocate", 324 },
+{ "fanotify_init", 338 },
+{ "fanotify_mark", 339 },
+{ "fchdir", 133 },
+{ "fchmod", 94 },
+{ "fchmodat", 306 },
+{ "fchown", 95 },
+{ "fchown32", 207 },
+{ "fchownat", 298 },
+{ "fcntl", 55 },
+{ "fcntl64", 221 },
+{ "fdatasync", 148 },
+{ "fgetxattr", 231 },
+{ "finit_module", 350 },
+{ "flistxattr", 234 },
+{ "flock", 143 },
+{ "fork", 2 },
+{ "fremovexattr", 237 },
+{ "fsconfig", 431 },
+{ "fsetxattr", 228 },
+{ "fsmount", 432 },
+{ "fsopen", 430 },
+{ "fspick", 433 },
+{ "fstat", 108 },
+{ "fstat64", 197 },
+{ "fstatat64", 300 },
+{ "fstatfs", 100 },
+{ "fstatfs64", 269 },
+{ "fsync", 118 },
+{ "ftime", 35 },
+{ "ftruncate", 93 },
+{ "ftruncate64", 194 },
+{ "futex", 240 },
+{ "futex_time64", 422 },
+{ "futimesat", 299 },
+{ "get_kernel_syms", 130 },
+{ "get_mempolicy", 275 },
+{ "get_robust_list", 312 },
+{ "get_thread_area", 244 },
+{ "getcpu", 318 },
+{ "getcwd", 183 },
+{ "getdents", 141 },
+{ "getdents64", 220 },
+{ "getegid", 50 },
+{ "getegid32", 202 },
+{ "geteuid", 49 },
+{ "geteuid32", 201 },
+{ "getgid", 47 },
+{ "getgid32", 200 },
+{ "getgroups", 80 },
+{ "getgroups32", 205 },
+{ "getitimer", 105 },
+{ "getpeername", 368 },
+{ "getpgid", 132 },
+{ "getpgrp", 65 },
+{ "getpid", 20 },
+{ "getpmsg", 188 },
+{ "getppid", 64 },
+{ "getpriority", 96 },
+{ "getrandom", 355 },
+{ "getresgid", 171 },
+{ "getresgid32", 211 },
+{ "getresuid", 165 },
+{ "getresuid32", 209 },
+{ "getrlimit", 76 },
+{ "getrusage", 77 },
+{ "getsid", 147 },
+{ "getsockname", 367 },
+{ "getsockopt", 365 },
+{ "gettid", 224 },
+{ "gettimeofday", 78 },
+{ "getuid", 24 },
+{ "getuid32", 199 },
+{ "getxattr", 229 },
+{ "gtty", 32 },
+{ "idle", 112 },
+{ "init_module", 128 },
+{ "inotify_add_watch", 292 },
+{ "inotify_init", 291 },
+{ "inotify_init1", 332 },
+{ "inotify_rm_watch", 293 },
+{ "io_cancel", 249 },
+{ "io_destroy", 246 },
+{ "io_getevents", 247 },
+{ "io_pgetevents", 385 },
+{ "io_pgetevents_time64", 416 },
+{ "io_setup", 245 },
+{ "io_submit", 248 },
+{ "io_uring_enter", 426 },
+{ "io_uring_register", 427 },
+{ "io_uring_setup", 425 },
+{ "ioctl", 54 },
+{ "ioperm", 101 },
+{ "iopl", 110 },
+{ "ioprio_get", 290 },
+{ "ioprio_set", 289 },
+{ "ipc", 117 },
+{ "kcmp", 349 },
+{ "kexec_load", 283 },
+{ "keyctl", 288 },
+{ "kill", 37 },
+{ "lchown", 16 },
+{ "lchown32", 198 },
+{ "lgetxattr", 230 },
+{ "link", 9 },
+{ "linkat", 303 },
+{ "listen", 363 },
+{ "listxattr", 232 },
+{ "llistxattr", 233 },
+{ "lock", 53 },
+{ "lookup_dcookie", 253 },
+{ "lremovexattr", 236 },
+{ "lseek", 19 },
+{ "lsetxattr", 227 },
+{ "lstat", 107 },
+{ "lstat64", 196 },
+{ "madvise", 219 },
+{ "mbind", 274 },
+{ "membarrier", 375 },
+{ "memfd_create", 356 },
+{ "migrate_pages", 294 },
+{ "mincore", 218 },
+{ "mkdir", 39 },
+{ "mkdirat", 296 },
+{ "mknod", 14 },
+{ "mknodat", 297 },
+{ "mlock", 150 },
+{ "mlock2", 376 },
+{ "mlockall", 152 },
+{ "mmap", 90 },
+{ "mmap2", 192 },
+{ "modify_ldt", 123 },
+{ "mount", 21 },
+{ "move_mount", 429 },
+{ "move_pages", 317 },
+{ "mprotect", 125 },
+{ "mpx", 56 },
+{ "mq_getsetattr", 282 },
+{ "mq_notify", 281 },
+{ "mq_open", 277 },
+{ "mq_timedreceive", 280 },
+{ "mq_timedreceive_time64", 419 },
+{ "mq_timedsend", 279 },
+{ "mq_timedsend_time64", 418 },
+{ "mq_unlink", 278 },
+{ "mremap", 163 },
+{ "msgctl", 402 },
+{ "msgget", 399 },
+{ "msgrcv", 401 },
+{ "msgsnd", 400 },
+{ "msync", 144 },
+{ "munlock", 151 },
+{ "munlockall", 153 },
+{ "munmap", 91 },
+{ "name_to_handle_at", 341 },
+{ "nanosleep", 162 },
+{ "nfsservctl", 169 },
+{ "nice", 34 },
+{ "oldfstat", 28 },
+{ "oldlstat", 84 },
+{ "oldolduname", 59 },
+{ "oldstat", 18 },
+{ "olduname", 109 },
+{ "open", 5 },
+{ "open_by_handle_at", 342 },
+{ "open_tree", 428 },
+{ "openat", 295 },
+{ "pause", 29 },
+{ "perf_event_open", 336 },
+{ "personality", 136 },
+{ "pidfd_open", 434 },
+{ "pidfd_send_signal", 424 },
+{ "pipe", 42 },
+{ "pipe2", 331 },
+{ "pivot_root", 217 },
+{ "pkey_alloc", 381 },
+{ "pkey_free", 382 },
+{ "pkey_mprotect", 380 },
+{ "poll", 168 },
+{ "ppoll", 309 },
+{ "ppoll_time64", 414 },
+{ "prctl", 172 },
+{ "pread64", 180 },
+{ "preadv", 333 },
+{ "preadv2", 378 },
+{ "prlimit64", 340 },
+{ "process_vm_readv", 347 },
+{ "process_vm_writev", 348 },
+{ "prof", 44 },
+{ "profil", 98 },
+{ "pselect6", 308 },
+{ "pselect6_time64", 413 },
+{ "ptrace", 26 },
+{ "putpmsg", 189 },
+{ "pwrite64", 181 },
+{ "pwritev", 334 },
+{ "pwritev2", 379 },
+{ "query_module", 167 },
+{ "quotactl", 131 },
+{ "read", 3 },
+{ "readahead", 225 },
+{ "readdir", 89 },
+{ "readlink", 85 },
+{ "readlinkat", 305 },
+{ "readv", 145 },
+{ "reboot", 88 },
+{ "recvfrom", 371 },
+{ "recvmmsg", 337 },
+{ "recvmmsg_time64", 417 },
+{ "recvmsg", 372 },
+{ "remap_file_pages", 257 },
+{ "removexattr", 235 },
+{ "rename", 38 },
+{ "renameat", 302 },
+{ "renameat2", 353 },
+{ "request_key", 287 },
+{ "restart_syscall", 0 },
+{ "rmdir", 40 },
+{ "rseq", 386 },
+{ "rt_sigaction", 174 },
+{ "rt_sigpending", 176 },
+{ "rt_sigprocmask", 175 },
+{ "rt_sigqueueinfo", 178 },
+{ "rt_sigreturn", 173 },
+{ "rt_sigsuspend", 179 },
+{ "rt_sigtimedwait", 177 },
+{ "rt_sigtimedwait_time64", 421 },
+{ "rt_tgsigqueueinfo", 335 },
+{ "sched_get_priority_max", 159 },
+{ "sched_get_priority_min", 160 },
+{ "sched_getaffinity", 242 },
+{ "sched_getattr", 352 },
+{ "sched_getparam", 155 },
+{ "sched_getscheduler", 157 },
+{ "sched_rr_get_interval", 161 },
+{ "sched_rr_get_interval_time64", 423 },
+{ "sched_setaffinity", 241 },
+{ "sched_setattr", 351 },
+{ "sched_setparam", 154 },
+{ "sched_setscheduler", 156 },
+{ "sched_yield", 158 },
+{ "seccomp", 354 },
+{ "select", 82 },
+{ "semctl", 394 },
+{ "semget", 393 },
+{ "semtimedop_time64", 420 },
+{ "sendfile", 187 },
+{ "sendfile64", 239 },
+{ "sendmmsg", 345 },
+{ "sendmsg", 370 },
+{ "sendto", 369 },
+{ "set_mempolicy", 276 },
+{ "set_robust_list", 311 },
+{ "set_thread_area", 243 },
+{ "set_tid_address", 258 },
+{ "setdomainname", 121 },
+{ "setfsgid", 139 },
+{ "setfsgid32", 216 },
+{ "setfsuid", 138 },
+{ "setfsuid32", 215 },
+{ "setgid", 46 },
+{ "setgid32", 214 },
+{ "setgroups", 81 },
+{ "setgroups32", 206 },
+{ "sethostname", 74 },
+{ "setitimer", 104 },
+{ "setns", 346 },
+{ "setpgid", 57 },
+{ "setpriority", 97 },
+{ "setregid", 71 },
+{ "setregid32", 204 },
+{ "setresgid", 170 },
+{ "setresgid32", 210 },
+{ "setresuid", 164 },
+{ "setresuid32", 208 },
+{ "setreuid", 70 },
+{ "setreuid32", 203 },
+{ "setrlimit", 75 },
+{ "setsid", 66 },
+{ "setsockopt", 366 },
+{ "settimeofday", 79 },
+{ "setuid", 23 },
+{ "setuid32", 213 },
+{ "setxattr", 226 },
+{ "sgetmask", 68 },
+{ "shmat", 397 },
+{ "shmctl", 396 },
+{ "shmdt", 398 },
+{ "shmget", 395 },
+{ "shutdown", 373 },
+{ "sigaction", 67 },
+{ "sigaltstack", 186 },
+{ "signal", 48 },
+{ "signalfd", 321 },
+{ "signalfd4", 327 },
+{ "sigpending", 73 },
+{ "sigprocmask", 126 },
+{ "sigreturn", 119 },
+{ "sigsuspend", 72 },
+{ "socket", 359 },
+{ "socketcall", 102 },
+{ "socketpair", 360 },
+{ "splice", 313 },
+{ "ssetmask", 69 },
+{ "stat", 106 },
+{ "stat64", 195 },
+{ "statfs", 99 },
+{ "statfs64", 268 },
+{ "statx", 383 },
+{ "stime", 25 },
+{ "stty", 31 },
+{ "swapoff", 115 },
+{ "swapon", 87 },
+{ "symlink", 83 },
+{ "symlinkat", 304 },
+{ "sync", 36 },
+{ "sync_file_range", 314 },
+{ "syncfs", 344 },
+{ "sysfs", 135 },
+{ "sysinfo", 116 },
+{ "syslog", 103 },
+{ "tee", 315 },
+{ "tgkill", 270 },
+{ "time", 13 },
+{ "timer_create", 259 },
+{ "timer_delete", 263 },
+{ "timer_getoverrun", 262 },
+{ "timer_gettime", 261 },
+{ "timer_gettime64", 408 },
+{ "timer_settime", 260 },
+{ "timer_settime64", 409 },
+{ "timerfd_create", 322 },
+{ "timerfd_gettime", 326 },
+{ "timerfd_gettime64", 410 },
+{ "timerfd_settime", 325 },
+{ "timerfd_settime64", 411 },
+{ "times", 43 },
+{ "tkill", 238 },
+{ "truncate", 92 },
+{ "truncate64", 193 },
+{ "ugetrlimit", 191 },
+{ "ulimit", 58 },
+{ "umask", 60 },
+{ "umount", 22 },
+{ "umount2", 52 },
+{ "uname", 122 },
+{ "unlink", 10 },
+{ "unlinkat", 301 },
+{ "unshare", 310 },
+{ "uselib", 86 },
+{ "userfaultfd", 374 },
+{ "ustat", 62 },
+{ "utime", 30 },
+{ "utimensat", 320 },
+{ "utimensat_time64", 412 },
+{ "utimes", 271 },
+{ "vfork", 190 },
+{ "vhangup", 111 },
+{ "vm86", 166 },
+{ "vm86old", 113 },
+{ "vmsplice", 316 },
+{ "vserver", 273 },
+{ "wait4", 114 },
+{ "waitid", 284 },
+{ "waitpid", 7 },
+{ "write", 4 },
+{ "writev", 146 },
diff --git a/src/include/syscall_x86_64.h b/src/include/syscall_x86_64.h
new file mode 100644
index 000000000..97f2762b1
--- /dev/null
+++ b/src/include/syscall_x86_64.h
@@ -0,0 +1,348 @@
+{ "_sysctl", 156 },
+{ "accept", 43 },
+{ "accept4", 288 },
+{ "access", 21 },
+{ "acct", 163 },
+{ "add_key", 248 },
+{ "adjtimex", 159 },
+{ "afs_syscall", 183 },
+{ "alarm", 37 },
+{ "arch_prctl", 158 },
+{ "bind", 49 },
+{ "bpf", 321 },
+{ "brk", 12 },
+{ "capget", 125 },
+{ "capset", 126 },
+{ "chdir", 80 },
+{ "chmod", 90 },
+{ "chown", 92 },
+{ "chroot", 161 },
+{ "clock_adjtime", 305 },
+{ "clock_getres", 229 },
+{ "clock_gettime", 228 },
+{ "clock_nanosleep", 230 },
+{ "clock_settime", 227 },
+{ "clone", 56 },
+{ "clone3", 435 },
+{ "close", 3 },
+{ "connect", 42 },
+{ "copy_file_range", 326 },
+{ "creat", 85 },
+{ "create_module", 174 },
+{ "delete_module", 176 },
+{ "dup", 32 },
+{ "dup2", 33 },
+{ "dup3", 292 },
+{ "epoll_create", 213 },
+{ "epoll_create1", 291 },
+{ "epoll_ctl", 233 },
+{ "epoll_ctl_old", 214 },
+{ "epoll_pwait", 281 },
+{ "epoll_wait", 232 },
+{ "epoll_wait_old", 215 },
+{ "eventfd", 284 },
+{ "eventfd2", 290 },
+{ "execve", 59 },
+{ "execveat", 322 },
+{ "exit", 60 },
+{ "exit_group", 231 },
+{ "faccessat", 269 },
+{ "faccessat2", 439 },
+{ "fadvise64", 221 },
+{ "fallocate", 285 },
+{ "fanotify_init", 300 },
+{ "fanotify_mark", 301 },
+{ "fchdir", 81 },
+{ "fchmod", 91 },
+{ "fchmodat", 268 },
+{ "fchown", 93 },
+{ "fchownat", 260 },
+{ "fcntl", 72 },
+{ "fdatasync", 75 },
+{ "fgetxattr", 193 },
+{ "finit_module", 313 },
+{ "flistxattr", 196 },
+{ "flock", 73 },
+{ "fork", 57 },
+{ "fremovexattr", 199 },
+{ "fsconfig", 431 },
+{ "fsetxattr", 190 },
+{ "fsmount", 432 },
+{ "fsopen", 430 },
+{ "fspick", 433 },
+{ "fstat", 5 },
+{ "fstatfs", 138 },
+{ "fsync", 74 },
+{ "ftruncate", 77 },
+{ "futex", 202 },
+{ "futimesat", 261 },
+{ "get_kernel_syms", 177 },
+{ "get_mempolicy", 239 },
+{ "get_robust_list", 274 },
+{ "get_thread_area", 211 },
+{ "getcpu", 309 },
+{ "getcwd", 79 },
+{ "getdents", 78 },
+{ "getdents64", 217 },
+{ "getegid", 108 },
+{ "geteuid", 107 },
+{ "getgid", 104 },
+{ "getgroups", 115 },
+{ "getitimer", 36 },
+{ "getpeername", 52 },
+{ "getpgid", 121 },
+{ "getpgrp", 111 },
+{ "getpid", 39 },
+{ "getpmsg", 181 },
+{ "getppid", 110 },
+{ "getpriority", 140 },
+{ "getrandom", 318 },
+{ "getresgid", 120 },
+{ "getresuid", 118 },
+{ "getrlimit", 97 },
+{ "getrusage", 98 },
+{ "getsid", 124 },
+{ "getsockname", 51 },
+{ "getsockopt", 55 },
+{ "gettid", 186 },
+{ "gettimeofday", 96 },
+{ "getuid", 102 },
+{ "getxattr", 191 },
+{ "init_module", 175 },
+{ "inotify_add_watch", 254 },
+{ "inotify_init", 253 },
+{ "inotify_init1", 294 },
+{ "inotify_rm_watch", 255 },
+{ "io_cancel", 210 },
+{ "io_destroy", 207 },
+{ "io_getevents", 208 },
+{ "io_pgetevents", 333 },
+{ "io_setup", 206 },
+{ "io_submit", 209 },
+{ "io_uring_enter", 426 },
+{ "io_uring_register", 427 },
+{ "io_uring_setup", 425 },
+{ "ioctl", 16 },
+{ "ioperm", 173 },
+{ "iopl", 172 },
+{ "ioprio_get", 252 },
+{ "ioprio_set", 251 },
+{ "kcmp", 312 },
+{ "kexec_file_load", 320 },
+{ "kexec_load", 246 },
+{ "keyctl", 250 },
+{ "kill", 62 },
+{ "lchown", 94 },
+{ "lgetxattr", 192 },
+{ "link", 86 },
+{ "linkat", 265 },
+{ "listen", 50 },
+{ "listxattr", 194 },
+{ "llistxattr", 195 },
+{ "lookup_dcookie", 212 },
+{ "lremovexattr", 198 },
+{ "lseek", 8 },
+{ "lsetxattr", 189 },
+{ "lstat", 6 },
+{ "madvise", 28 },
+{ "mbind", 237 },
+{ "membarrier", 324 },
+{ "memfd_create", 319 },
+{ "migrate_pages", 256 },
+{ "mincore", 27 },
+{ "mkdir", 83 },
+{ "mkdirat", 258 },
+{ "mknod", 133 },
+{ "mknodat", 259 },
+{ "mlock", 149 },
+{ "mlock2", 325 },
+{ "mlockall", 151 },
+{ "mmap", 9 },
+{ "modify_ldt", 154 },
+{ "mount", 165 },
+{ "move_mount", 429 },
+{ "move_pages", 279 },
+{ "mprotect", 10 },
+{ "mq_getsetattr", 245 },
+{ "mq_notify", 244 },
+{ "mq_open", 240 },
+{ "mq_timedreceive", 243 },
+{ "mq_timedsend", 242 },
+{ "mq_unlink", 241 },
+{ "mremap", 25 },
+{ "msgctl", 71 },
+{ "msgget", 68 },
+{ "msgrcv", 70 },
+{ "msgsnd", 69 },
+{ "msync", 26 },
+{ "munlock", 150 },
+{ "munlockall", 152 },
+{ "munmap", 11 },
+{ "name_to_handle_at", 303 },
+{ "nanosleep", 35 },
+{ "newfstatat", 262 },
+{ "nfsservctl", 180 },
+{ "open", 2 },
+{ "open_by_handle_at", 304 },
+{ "open_tree", 428 },
+{ "openat", 257 },
+{ "pause", 34 },
+{ "perf_event_open", 298 },
+{ "personality", 135 },
+{ "pidfd_open", 434 },
+{ "pidfd_send_signal", 424 },
+{ "pipe", 22 },
+{ "pipe2", 293 },
+{ "pivot_root", 155 },
+{ "pkey_alloc", 330 },
+{ "pkey_free", 331 },
+{ "pkey_mprotect", 329 },
+{ "poll", 7 },
+{ "ppoll", 271 },
+{ "prctl", 157 },
+{ "pread64", 17 },
+{ "preadv", 295 },
+{ "preadv2", 327 },
+{ "prlimit64", 302 },
+{ "process_vm_readv", 310 },
+{ "process_vm_writev", 311 },
+{ "pselect6", 270 },
+{ "ptrace", 101 },
+{ "putpmsg", 182 },
+{ "pwrite64", 18 },
+{ "pwritev", 296 },
+{ "pwritev2", 328 },
+{ "query_module", 178 },
+{ "quotactl", 179 },
+{ "read", 0 },
+{ "readahead", 187 },
+{ "readlink", 89 },
+{ "readlinkat", 267 },
+{ "readv", 19 },
+{ "reboot", 169 },
+{ "recvfrom", 45 },
+{ "recvmmsg", 299 },
+{ "recvmsg", 47 },
+{ "remap_file_pages", 216 },
+{ "removexattr", 197 },
+{ "rename", 82 },
+{ "renameat", 264 },
+{ "renameat2", 316 },
+{ "request_key", 249 },
+{ "restart_syscall", 219 },
+{ "rmdir", 84 },
+{ "rseq", 334 },
+{ "rt_sigaction", 13 },
+{ "rt_sigpending", 127 },
+{ "rt_sigprocmask", 14 },
+{ "rt_sigqueueinfo", 129 },
+{ "rt_sigreturn", 15 },
+{ "rt_sigsuspend", 130 },
+{ "rt_sigtimedwait", 128 },
+{ "rt_tgsigqueueinfo", 297 },
+{ "sched_get_priority_max", 146 },
+{ "sched_get_priority_min", 147 },
+{ "sched_getaffinity", 204 },
+{ "sched_getattr", 315 },
+{ "sched_getparam", 143 },
+{ "sched_getscheduler", 145 },
+{ "sched_rr_get_interval", 148 },
+{ "sched_setaffinity", 203 },
+{ "sched_setattr", 314 },
+{ "sched_setparam", 142 },
+{ "sched_setscheduler", 144 },
+{ "sched_yield", 24 },
+{ "seccomp", 317 },
+{ "security", 185 },
+{ "select", 23 },
+{ "semctl", 66 },
+{ "semget", 64 },
+{ "semop", 65 },
+{ "semtimedop", 220 },
+{ "sendfile", 40 },
+{ "sendmmsg", 307 },
+{ "sendmsg", 46 },
+{ "sendto", 44 },
+{ "set_mempolicy", 238 },
+{ "set_robust_list", 273 },
+{ "set_thread_area", 205 },
+{ "set_tid_address", 218 },
+{ "setdomainname", 171 },
+{ "setfsgid", 123 },
+{ "setfsuid", 122 },
+{ "setgid", 106 },
+{ "setgroups", 116 },
+{ "sethostname", 170 },
+{ "setitimer", 38 },
+{ "setns", 308 },
+{ "setpgid", 109 },
+{ "setpriority", 141 },
+{ "setregid", 114 },
+{ "setresgid", 119 },
+{ "setresuid", 117 },
+{ "setreuid", 113 },
+{ "setrlimit", 160 },
+{ "setsid", 112 },
+{ "setsockopt", 54 },
+{ "settimeofday", 164 },
+{ "setuid", 105 },
+{ "setxattr", 188 },
+{ "shmat", 30 },
+{ "shmctl", 31 },
+{ "shmdt", 67 },
+{ "shmget", 29 },
+{ "shutdown", 48 },
+{ "sigaltstack", 131 },
+{ "signalfd", 282 },
+{ "signalfd4", 289 },
+{ "socket", 41 },
+{ "socketpair", 53 },
+{ "splice", 275 },
+{ "stat", 4 },
+{ "statfs", 137 },
+{ "statx", 332 },
+{ "swapoff", 168 },
+{ "swapon", 167 },
+{ "symlink", 88 },
+{ "symlinkat", 266 },
+{ "sync", 162 },
+{ "sync_file_range", 277 },
+{ "syncfs", 306 },
+{ "sysfs", 139 },
+{ "sysinfo", 99 },
+{ "syslog", 103 },
+{ "tee", 276 },
+{ "tgkill", 234 },
+{ "time", 201 },
+{ "timer_create", 222 },
+{ "timer_delete", 226 },
+{ "timer_getoverrun", 225 },
+{ "timer_gettime", 224 },
+{ "timer_settime", 223 },
+{ "timerfd_create", 283 },
+{ "timerfd_gettime", 287 },
+{ "timerfd_settime", 286 },
+{ "times", 100 },
+{ "tkill", 200 },
+{ "truncate", 76 },
+{ "tuxcall", 184 },
+{ "umask", 95 },
+{ "umount2", 166 },
+{ "uname", 63 },
+{ "unlink", 87 },
+{ "unlinkat", 263 },
+{ "unshare", 272 },
+{ "uselib", 134 },
+{ "userfaultfd", 323 },
+{ "ustat", 136 },
+{ "utime", 132 },
+{ "utimensat", 280 },
+{ "utimes", 235 },
+{ "vfork", 58 },
+{ "vhangup", 153 },
+{ "vmsplice", 278 },
+{ "vserver", 236 },
+{ "wait4", 61 },
+{ "waitid", 247 },
+{ "write", 1 },
+{ "writev", 20 },
diff --git a/src/jailcheck/Makefile.in b/src/jailcheck/Makefile.in
new file mode 100644
index 000000000..d218c1f90
--- /dev/null
+++ b/src/jailcheck/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: jailcheck
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+jailcheck: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS)  ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
new file mode 100644
index 000000000..3c2f46495
--- /dev/null
+++ b/src/jailcheck/access.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+        char *tfile;
+        char *tdir;
+} TestDir;
+
+#define MAX_TEST_FILES 16
+TestDir td[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void access_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(user_home_dir);
+
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of test directories exceeded\n");
+                exit(1);
+        }
+
+        char *fname = strdup(directory);
+        if (!fname)
+                errExit("strdup");
+        if (strncmp(fname, "~/", 2) == 0) {
+                free(fname);
+                if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1)
+                        errExit("asprintf");
+        }
+
+        char *path = realpath(fname, NULL);
+        free(fname);
+        if (path == NULL) {
+                fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory);
+                return;
+        }
+
+        // file in home directory
+        if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
+                fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory);
+                free(path);
+                return;
+        }
+
+        // try to open the dir as root
+        DIR *dir = opendir(path);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                free(path);
+                return;
+        }
+        closedir(dir);
+
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailcheck-access-%d", path, getpid()) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        int rv = chown(test_file, user_uid, user_gid);
+        if (rv)
+                errExit("chown");
+
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        td[files_cnt].tdir = dname;
+        td[files_cnt].tfile = test_file;
+        files_cnt++;
+}
+
+void access_destroy(void) {
+        // remove test files
+        int i;
+
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(td[i].tfile);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+
+void access_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+
+                for (i = 0; i < files_cnt; i++) {
+                        assert(td[i].tfile);
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(td[i].tfile, "r");
+                        if (fp) {
+
+                                printf("   Warning: I can read %s\n", td[i].tdir);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}
diff --git a/src/jailcheck/apparmor.c b/src/jailcheck/apparmor.c
new file mode 100644
index 000000000..64f278046
--- /dev/null
+++ b/src/jailcheck/apparmor.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+void apparmor_test(pid_t pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv == -1 || mode == NULL)
+                printf("   Warning: AppArmor not enabled\n");
+}
+
+
+#else
+void apparmor_test(pid_t pid) {
+        (void) pid;
+        return;
+}
+#endif
+
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
new file mode 100644
index 000000000..be3104da3
--- /dev/null
+++ b/src/jailcheck/jailcheck.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef JAILCHECK_H
+#define JAILCHECK_H
+
+#include "../include/common.h"
+
+// main.c
+extern uid_t user_uid;
+extern gid_t user_gid;
+extern char *user_name;
+extern char *user_home_dir;
+extern char *user_run_dir;
+
+// access.c
+void access_setup(const char *directory);
+void access_test(void);
+void access_destroy(void);
+
+// noexec.c
+void noexec_setup(void);
+void noexec_test(const char *msg);
+
+// sysfiles.c
+void sysfiles_setup(const char *file);
+void sysfiles_test(void);
+
+// virtual.c
+void virtual_setup(const char *directory);
+void virtual_destroy(void);
+void virtual_test(void);
+
+// apparmor.c
+void apparmor_test(pid_t pid);
+
+// seccomp.c
+void seccomp_test(pid_t pid);
+
+// network.c
+void network_test(void);
+// utils.c
+char *get_sudo_user(void);
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
+int find_child(pid_t pid);
+pid_t switch_to_child(pid_t pid);
+
+#endif
\ No newline at end of file
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
new file mode 100644
index 000000000..812ac5808
--- /dev/null
+++ b/src/jailcheck/main.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include "../include/firejail_user.h"
+#include "../include/pid.h"
+#include <sys/wait.h>
+
+uid_t user_uid = 0;
+gid_t user_gid = 0;
+char *user_name = NULL;
+char *user_home_dir = NULL;
+char *user_run_dir = NULL;
+int arg_debug = 0;
+
+static char *usage_str =
+        "Usage: jailcheck [options] directory [directory]\n\n"
+        "Options:\n"
+        "   --debug - print debug messages.\n"
+        "   --help, -? - this help screen.\n"
+        "   --version - print program version and exit.\n";
+
+
+static void usage(void) {
+        printf("firetest - version %s\n\n", VERSION);
+        puts(usage_str);
+}
+
+static void cleanup(void) {
+        // running only as root
+        if (getuid() == 0) {
+                if (arg_debug)
+                        printf("cleaning up!\n");
+                access_destroy();
+                virtual_destroy();
+        }
+}
+
+int main(int argc, char **argv) {
+        int i;
+        int findex = 0;
+
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--version") == 0) {
+                        printf("firetest version %s\n\n", VERSION);
+                        return 0;
+                }
+                else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
+                        printf("   Warning: I can run programs in %s\n", argv[i] + 8);
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strncmp(argv[i], "--", 2) == 0) {
+                        fprintf(stderr, "Error: invalid option\n");
+                        return 1;
+                }
+                else {
+                        findex = i;
+                        break;
+                }
+        }
+
+        // user setup
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+                exit(1);
+        }
+        user_name = get_sudo_user();
+        assert(user_name);
+        user_home_dir = get_homedir(user_name, &user_uid, &user_gid);
+        if (user_uid == 0) {
+                fprintf(stderr, "Error: root user not supported\n");
+                exit(1);
+        }
+        if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+                errExit("asprintf");
+
+        // test setup
+        atexit(cleanup);
+        access_setup("~/.ssh");
+        access_setup("~/.gnupg");
+        if (findex > 0) {
+                for (i = findex; i < argc; i++)
+                        access_setup(argv[i]);
+        }
+
+        noexec_setup();
+        virtual_setup(user_home_dir);
+        virtual_setup("/tmp");
+        virtual_setup("/var/tmp");
+        virtual_setup("/dev");
+        virtual_setup("/etc");
+        virtual_setup("/bin");
+        virtual_setup("/usr/share");
+        virtual_setup(user_run_dir);
+        // basic sysfiles
+        sysfiles_setup("/etc/shadow");
+        sysfiles_setup("/etc/gshadow");
+        sysfiles_setup("/usr/bin/mount");
+        sysfiles_setup("/usr/bin/su");
+        sysfiles_setup("/usr/bin/ksu");
+        sysfiles_setup("/usr/bin/sudo");
+        sysfiles_setup("/usr/bin/strace");
+        // X11
+        sysfiles_setup("/usr/bin/xev");
+        sysfiles_setup("/usr/bin/xinput");
+        // compilers
+        sysfiles_setup("/usr/bin/gcc");
+        sysfiles_setup("/usr/bin/clang");
+        // networking
+        sysfiles_setup("/usr/bin/dig");
+        sysfiles_setup("/usr/bin/nslookup");
+        sysfiles_setup("/usr/bin/resolvectl");
+        sysfiles_setup("/usr/bin/nc");
+        sysfiles_setup("/usr/bin/ncat");
+        sysfiles_setup("/usr/bin/nmap");
+        sysfiles_setup("/usr/sbin/tcpdump");
+        // terminals
+        sysfiles_setup("/usr/bin/gnome-terminal");
+        sysfiles_setup("/usr/bin/xfce4-terminal");
+        sysfiles_setup("/usr/bin/lxterminal");
+
+        // print processes
+        pid_read(0);
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 1) {
+                        uid_t uid = pid_get_uid(i);
+                        if (uid != user_uid) // not interested in other user sandboxes
+                                continue;
+
+                        // in case the pid is that of a firejail process, use the pid of the first child process
+                        uid_t pid = find_child(i);
+                        printf("\n");
+                        pid_print_list(i, 0); //  no wrapping
+                        apparmor_test(pid);
+                        seccomp_test(pid);
+                        fflush(0);
+
+                        // filesystem tests
+                        pid_t child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "mnt");
+                                if (rv == 0) {
+                                        virtual_test();
+                                        noexec_test(user_home_dir);
+                                        noexec_test("/tmp");
+                                        noexec_test("/var/tmp");
+                                        noexec_test(user_run_dir);
+                                        access_test();
+                                        sysfiles_test();
+                                }
+                                else {
+                                        printf("   Error: I cannot join the process mount space\n");
+                                        exit(1);
+                                }
+
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        int status;
+                        wait(&status);
+
+                        // network test
+                        child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "net");
+                                if (rv == 0)
+                                        network_test();
+                                else {
+                                        printf("   Error: I cannot join the process network stack\n");
+                                        exit(1);
+                                }
+
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        wait(&status);
+                }
+        }
+
+        return 0;
+}
diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c
new file mode 100644
index 000000000..636344e77
--- /dev/null
+++ b/src/jailcheck/network.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <linux/if_link.h>
+#include <linux/sockios.h>
+#include <sys/ioctl.h>
+
+
+void network_test(void) {
+        // I am root running in a network namespace
+        struct ifaddrs *ifaddr, *ifa;
+        int found = 0;
+
+        // walk through the linked list
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (strcmp(ifa->ifa_name, "lo") == 0)
+                        continue;
+                found = 1;
+                break;
+        }
+
+        freeifaddrs(ifaddr);
+
+        if (found)
+                printf("   Networking: enabled\n");
+        else
+                printf("   Networking: disabled\n");
+}
+
+
+
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
new file mode 100644
index 000000000..7f994d6a1
--- /dev/null
+++ b/src/jailcheck/noexec.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+static unsigned char *execfile = NULL;
+static int execfile_len = 0;
+
+void noexec_setup(void) {
+        // grab a copy of myself
+        char *self = realpath("/proc/self/exe", NULL);
+        if (self) {
+                struct stat s;
+                if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
+                        assert(s.st_size);
+                        execfile = malloc(s.st_size);
+
+                        int fd = open(self, O_RDONLY);
+                        if (fd == -1)
+                                errExit("open");
+                        int len = 0;
+                        do {
+                                int rv = read(fd, execfile + len, s.st_size - len);
+                                if (rv == -1)
+                                        errExit("read");
+                                if (rv == 0) {
+                                        // something went wrong!
+                                        free(execfile);
+                                        execfile = NULL;
+                                        printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
+                                        break;
+                                }
+                                len += rv;
+                        }
+                        while (len < s.st_size);
+                        execfile_len = s.st_size;
+                        close(fd);
+                }
+        }
+}
+
+
+void noexec_test(const char *path) {
+        assert(user_uid);
+
+        // I am root in sandbox mount namespace
+        if (!execfile)
+                return;
+
+        char *fname;
+        if (asprintf(&fname, "%s/jailcheck-noexec-%d", path, getpid()) == -1)
+                errExit("asprintf");
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+                int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700);
+                if (fd == -1) {
+                        printf("   I cannot create files in %s, skipping noexec...\n", path);
+                        exit(1);
+                }
+
+                int len = 0;
+                while (len < execfile_len) {
+                        int rv = write(fd, execfile + len, execfile_len - len);
+                        if (rv == -1 || rv == 0) {
+                                printf("   I cannot create files in %s, skipping noexec....\n", path);
+                                exit(1);
+                        }
+                        len += rv;
+                }
+                fchmod(fd, 0700);
+                close(fd);
+
+                char *arg;
+                if (asprintf(&arg, "--hello=%s", path) == -1)
+                        errExit("asprintf");
+                int rv = execl(fname, fname, arg, NULL);
+                (void) rv; // if we get here execl failed
+                exit(0);
+        }
+
+        int status;
+        wait(&status);
+        int rv = unlink(fname);
+        (void) rv;
+}
\ No newline at end of file
diff --git a/src/faudit/dev.c b/src/jailcheck/seccomp.c
index 6bafaf93e..9345eb970 100644
--- a/src/faudit/dev.c
+++ b/src/jailcheck/seccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,31 +17,31 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "faudit.h"
-#include <dirent.h>
+#include "jailcheck.h"
+#define MAXBUF 4096
 
-void dev_test(void) {
-        DIR *dir;
-        if (!(dir = opendir("/dev"))) {
-                fprintf(stderr, "Error: cannot open /dev directory\n");
+void seccomp_test(pid_t pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(file, "r");
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
                 return;
         }
 
-        struct dirent *entry;
-        printf("INFO: files visible in /dev directory: ");
-        int cnt = 0;
-        while ((entry = readdir(dir)) != NULL) {
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
-                        continue;
-
-                printf("%s, ", entry->d_name);
-                cnt++;
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:", 8) == 0) {
+                        int val = -1;
+                        int rv = sscanf(buf + 8, "\t%d", &val);
+                        if (rv != 1 || val == 0)
+                                printf("   Warning: seccomp not enabled\n");
+                        break;
+                }
         }
-        printf("\n");
-
-        if (cnt > 20)
-                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
-        else
-                printf("GOOD: Access to /dev directory is restricted.\n");
-        closedir(dir);
+        fclose(fp);
+        free(file);
 }
diff --git a/src/jailcheck/sysfiles.c b/src/jailcheck/sysfiles.c
new file mode 100644
index 000000000..9a0d6350e
--- /dev/null
+++ b/src/jailcheck/sysfiles.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+        char *tfile;
+} TestFile;
+
+#define MAX_TEST_FILES 32
+TestFile tf[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void sysfiles_setup(const char *file) {
+        // I am root!
+        assert(file);
+
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of system test files exceeded\n");
+                exit(1);
+        }
+
+        if (access(file, F_OK)) {
+                // no such file
+                return;
+        }
+
+
+        char *fname = strdup(file);
+        if (!fname)
+                errExit("strdup");
+
+        tf[files_cnt].tfile = fname;
+        files_cnt++;
+}
+
+void sysfiles_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+
+                for (i = 0; i < files_cnt; i++) {
+                        assert(tf[i].tfile);
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(tf[i].tfile, "r");
+                        if (fp) {
+
+                                printf("   Warning: I can access %s\n", tf[i].tfile);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}
diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c
new file mode 100644
index 000000000..c3aaae298
--- /dev/null
+++ b/src/jailcheck/utils.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include "../include/pid.h"
+#include <errno.h>
+#include <pwd.h>
+#include <dirent.h>
+
+#define BUFLEN 4096
+
+char *get_sudo_user(void) {
+        char *user = getenv("SUDO_USER");
+        if (!user) {
+                user = getpwuid(getuid())->pw_name;
+                if (!user) {
+                        fprintf(stderr, "Error: cannot detect login user\n");
+                        exit(1);
+                }
+        }
+
+        return user;
+}
+
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+        // find home directory
+        struct passwd *pw = getpwnam(user);
+        if (!pw)
+                goto errexit;
+
+        char *home = pw->pw_dir;
+        if (!home)
+                goto errexit;
+
+        *uid = pw->pw_uid;
+        *gid = pw->pw_gid;
+
+        return home;
+
+errexit:
+        fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+        exit(1);
+}
+
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+        int i;
+        int first_child = -1;
+
+        // find the first child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 2 && pids[i].parent == id) {
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+                        char *cmdline = pid_proc_cmdline(i);
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+                                free(cmdline);
+                                continue;
+                        }
+                        free(cmdline);
+                        first_child = i;
+                        break;
+                }
+        }
+
+        if (first_child == -1)
+                return -1;
+
+        // find the second-level child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 3 && pids[i].parent == first_child)
+                        return i;
+        }
+
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
+}
+
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c
new file mode 100644
index 000000000..09092f9ce
--- /dev/null
+++ b/src/jailcheck/virtual.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+
+#define MAX_TEST_FILES 16
+static char *dirs[MAX_TEST_FILES];
+static char *files[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void virtual_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(*directory == '/');
+        assert(files_cnt < MAX_TEST_FILES);
+
+        // try to open the dir as root
+        DIR *dir = opendir(directory);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                return;
+        }
+        closedir(dir);
+
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailcheck-private-%d", directory, getpid()) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        if (strcmp(directory, user_home_dir) == 0) {
+                int rv = chown(test_file, user_uid, user_gid);
+                if (rv)
+                        errExit("chown");
+        }
+
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        dirs[files_cnt] = dname;
+        files[files_cnt] = test_file;
+        files_cnt++;
+}
+
+void virtual_destroy(void) {
+        // remove test files
+        int i;
+
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(files[i]);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+
+void virtual_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        int cnt = 0;
+        cnt += printf("   Virtual dirs: "); fflush(0);
+
+        for (i = 0; i < files_cnt; i++) {
+                assert(files[i]);
+
+                // I am root!
+                pid_t child = fork();
+                if (child == -1)
+                        errExit("fork");
+
+                if (child == 0) { // child
+                        // drop privileges
+                        if (setgid(user_gid) != 0)
+                                errExit("setgid");
+                        if (setuid(user_uid) != 0)
+                                errExit("setuid");
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(files[i], "r");
+                        if (fp)
+                                fclose(fp);
+                        else {
+                                if (cnt == 0)
+                                        cnt += printf("\n                 ");
+                                cnt += printf("%s, ", dirs[i]);
+                                if (cnt > 60)
+                                        cnt = 0;
+                        }
+                        fflush(0);
+                        exit(cnt);
+                }
+
+                // wait for the child to finish
+                int status;
+                wait(&status);
+                cnt = WEXITSTATUS(status);
+        }
+        printf("\n");
+}
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 63b0ad56d..49c8057b3 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -1,24 +1,14 @@
-CC=@CC@
-PREFIX=@prefix@
-VERSION=@PACKAGE_VERSION@
-NAME=@PACKAGE_NAME@
-HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
-HAVE_GCOV=@HAVE_GCOV@
-EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
-
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
-C_FILE_LIST       = $(sort $(wildcard *.c))
-OBJS = $(C_FILE_LIST:.c=.o)
-BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
+include ../common.mk
 
+.PHONY: all
 all: $(OBJS)
 
 %.o : %.c $(H_FILE_LIST)
-        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno
+.PHONY: clean
+clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist
 
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/lib/common.c b/src/lib/common.c
index b44563733..f1bd7a6fe 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -30,6 +30,7 @@
 #include <signal.h>
 #include <dirent.h>
 #include <string.h>
+#include <time.h>
 #include "../include/common.h"
 #define BUFLEN 4096
 
@@ -53,7 +54,7 @@ int join_namespace(pid_t pid, char *type) {
 
 errout:
         free(path);
-        fprintf(stderr, "Error: cannot join namespace %s\\n", type);
+        fprintf(stderr, "Error: cannot join namespace %s\n", type);
         return -1;
 
 }
@@ -129,7 +130,7 @@ char *pid_proc_comm(const pid_t pid) {
         // open /proc/pid/cmdline file
         char *fname;
         int fd;
-        if (asprintf(&fname, "/proc/%d//comm", pid) == -1)
+        if (asprintf(&fname, "/proc/%d/comm", pid) == -1)
                 return NULL;
         if ((fd = open(fname, O_RDONLY)) < 0) {
                 free(fname);
@@ -154,6 +155,8 @@ char *pid_proc_comm(const pid_t pid) {
 
         // return a malloc copy of the command line
         char *rv = strdup(buffer);
+        if (!rv)
+                return NULL;
         if (strlen(rv) == 0) {
                 free(rv);
                 return NULL;
@@ -192,6 +195,8 @@ char *pid_proc_cmdline(const pid_t pid) {
 
         // return a malloc copy of the command line
         char *rv = strdup((char *) buffer);
+        if (!rv)
+                return NULL;
         if (strlen(rv) == 0) {
                 free(rv);
                 return NULL;
@@ -250,7 +255,7 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
                 if (strncmp(arg, "--", 2) != 0)
                         break;
 
-                if (strcmp(arg, "--x11=xorg") == 0)
+                if (strcmp(arg, "--x11=xorg") == 0 || strcmp(arg, "--x11=none") == 0)
                         return 0;
 
                 // check x11 xpra or xephyr
@@ -262,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
 }
 
 // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
-#define BUFLEN 4096
 int pid_hidepid(void) {
         FILE *fp = fopen("/proc/mounts", "r");
         if (!fp)
@@ -273,7 +277,7 @@ int pid_hidepid(void) {
                 if (strstr(buf, "proc /proc proc")) {
                         fclose(fp);
                         // check hidepid
-                        if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+                        if (strstr(buf, "hidepid="))
                                 return 1;
                         return 0;
                 }
@@ -282,3 +286,79 @@ int pid_hidepid(void) {
         fclose(fp);
         return 0;
 }
+
+// print error if unprivileged users can trace the process
+void warn_dumpable(void) {
+        if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) {
+                fprintf(stderr, "Error: dumpable process\n");
+
+                // best effort to provide detailed debug information
+                // cannot use process name, it is just a file descriptor number
+                char path[BUFLEN];
+                ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1);
+                if (len < 0)
+                        return;
+                path[len] = '\0';
+                // path can refer to a sandbox mount namespace, use basename only
+                const char *base = gnu_basename(path);
+
+                struct stat s;
+                if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0)
+                        fprintf(stderr, "Change owner of %s executable to root\n", base);
+                else if (access("/proc/self/exe", R_OK) == 0)
+                        fprintf(stderr, "Remove read permission on %s executable\n", base);
+        }
+}
+
+// Equivalent to the GNU version of basename, which is incompatible with
+// the POSIX basename. A few lines of code saves any portability pain.
+// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
+const char *gnu_basename(const char *path) {
+        const char *last_slash = strrchr(path, '/');
+        if (!last_slash)
+                return path;
+        return last_slash+1;
+}
+
+//**************************
+// time trace based on getticks function
+//**************************
+typedef struct list_entry_t {
+        struct list_entry_t *next;
+        struct timespec ts;
+} ListEntry;
+
+static ListEntry *ts_list = NULL;
+
+static inline float msdelta(struct timespec *start, struct timespec *end) {
+        unsigned sec = end->tv_sec - start->tv_sec;
+        long nsec = end->tv_nsec - start->tv_nsec;
+        return (float) sec * 1000 + (float) nsec / 1000000;
+}
+
+void timetrace_start(void) {
+        ListEntry *t = malloc(sizeof(ListEntry));
+        if (!t)
+                errExit("malloc");
+        memset(t, 0, sizeof(ListEntry));
+        clock_gettime(CLOCK_MONOTONIC, &t->ts);
+
+        // add it to the list
+        t->next = ts_list;
+        ts_list = t;
+}
+
+float timetrace_end(void) {
+        if (!ts_list)
+                return 0;
+
+        // remove start time  from the list
+        ListEntry *t = ts_list;
+        ts_list = t->next;
+
+        struct timespec end;
+        clock_gettime(CLOCK_MONOTONIC, &end);
+        float rv = msdelta(&t->ts, &end);
+        free(t);
+        return rv;
+}
diff --git a/src/fseccomp/errno.c b/src/lib/errno.c
index e5cd4e226..9edb44c22 100644
--- a/src/fseccomp/errno.c
+++ b/src/lib/errno.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,9 +17,11 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "fseccomp.h"
+#include "../include/syscall.h"
 
 #include <errno.h>
+#include <stdio.h>
+#include <string.h>
 //#include <attr/xattr.h>
 
 typedef struct {
@@ -181,7 +183,7 @@ int errno_find_name(const char *name) {
         return -1;
 }
 
-char *errno_find_nr(int nr) {
+const char *errno_find_nr(int nr) {
         int i;
         int elems = sizeof(errnolist) / sizeof(errnolist[0]);
         for (i = 0; i < elems; i++) {
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c
new file mode 100644
index 000000000..d6a3c71ab
--- /dev/null
+++ b/src/lib/firejail_user.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+//
+// Firejail access database inplementation
+//
+// The database is a simple list of users allowed to run firejail SUID executable
+// It is usually stored in /etc/firejail/firejail.users
+// One username per line in the file
+
+#include "../include/common.h"
+#include "../include/firejail_user.h"
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+
+#define MAXBUF 4098
+
+// minimum values for uid and gid extracted from /etc/login.defs
+int uid_min = 0;
+int gid_min = 0;
+
+static void init_uid_gid_min(void) {
+        if (uid_min != 0 && gid_min != 0)
+                return;
+
+        // read the real values from login.def
+        FILE *fp = fopen("/etc/login.defs", "r");
+        if (!fp) {
+                fp = fopen("/usr/etc/login.defs", "r"); // openSUSE
+                if (!fp)
+                        goto errexit;
+        }
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                // comments
+                if (*buf == '#')
+                        continue;
+                // skip empty space
+                char *ptr = buf;
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+
+                if (strncmp(ptr, "UID_MIN", 7) == 0) {
+                        int rv = sscanf(ptr + 7, "%d", &uid_min);
+                        if (rv != 1 || uid_min < 0) {
+                                fclose(fp);
+                                goto errexit;
+                        }
+                }
+                else if (strncmp(ptr, "GID_MIN", 7) == 0) {
+                        int rv = sscanf(ptr + 7, "%d", &gid_min);
+                        if (rv != 1 || gid_min < 0) {
+                                fclose(fp);
+                                goto errexit;
+                        }
+                }
+
+                if (uid_min != 0 && gid_min != 0)
+                        break;
+
+        }
+        fclose(fp);
+
+        if (uid_min == 0 || gid_min == 0)
+                goto errexit;
+//printf("uid_min %d, gid_min %d\n", uid_min, gid_min);
+
+        return;
+
+errexit:
+        fprintf(stderr, "Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default\n");
+        uid_min = 1000;
+        gid_min = 1000;
+}
+
+
+
+static inline char *get_fname(void) {
+        char *fname;
+        if (asprintf(&fname, "%s/firejail.users", SYSCONFDIR) == -1)
+                errExit("asprintf");
+        return fname;
+}
+
+
+// returns 1 if the user is found in the database or if the database was not created
+int firejail_user_check(const char *name) {
+        assert(name);
+        init_uid_gid_min();
+
+        // root is allowed to run firejail by default
+        if (strcmp(name, "root") == 0)
+                return 1;
+
+        // user nobody is never allowed
+        if (strcmp(name, "nobody") == 0)
+                return 0;
+
+        // check file existence
+        char *fname = get_fname();
+        assert(fname);
+        if (access(fname, F_OK) == -1 && errno == ENOENT) {
+                // assume the user doesn't care about access checking
+                free(fname);
+                return 1;
+        }
+
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot read %s\n", fname);
+                perror("fopen");
+                exit(1);
+        }
+        free(fname);
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                // lines starting with # are comments
+                if (*buf == '#')
+                        continue;
+
+                // remove \n
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+
+                // compare
+                if (strcmp(buf, name) == 0) {
+                        fclose(fp);
+                        return 1;
+                }
+        }
+
+        fclose(fp);
+        return 0;
+}
+
+// add a user to the database
+void firejail_user_add(const char *name) {
+        assert(name);
+
+        // is this a real user?
+        struct passwd *pw = getpwnam(name);
+        if (!pw) {
+                fprintf(stderr, "Error: user %s not found on this system.\n", name);
+                exit(1);
+        }
+
+        // check the user is not already in the database
+        char *fname = get_fname();
+        assert(fname);
+        if (access(fname, F_OK) == 0) {
+                if (firejail_user_check(name)) {
+                        printf("User %s already in the database\n", name);
+                        free(fname);
+                        return;
+                }
+        }
+        else
+                printf("Creating %s\n", fname);
+
+        FILE *fp = fopen(fname, "a+");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", fname);
+                perror("fopen");
+                free(fname);
+                return;
+        }
+        free(fname);
+
+        fprintf(fp, "%s\n", name);
+        fclose(fp);
+}
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
new file mode 100644
index 000000000..c5dde85b0
--- /dev/null
+++ b/src/lib/ldd_utils.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "../include/ldd_utils.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+// todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c
+const char * const default_lib_paths[] = {
+        "/usr/lib/x86_64-linux-gnu",    // Debian & friends
+        "/lib/x86_64-linux-gnu",                // CentOS, Fedora
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        LIBDIR,
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
+        "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory
+//    "/usr/lib/x86_64-linux-gnu/plasma-discover",
+        NULL
+};
+
+// return 1 if this is a 64 bit program/library
+int is_lib_64(const char *exe) {
+        int retval = 0;
+        int fd = open(exe, O_RDONLY);
+        if (fd < 0)
+                return 0;
+
+        unsigned char buf[EI_NIDENT];
+        ssize_t len = 0;
+        while (len < EI_NIDENT) {
+                ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
+                if (sz <= 0)
+                        goto doexit;
+                len += sz;
+        }
+
+        if (buf[EI_CLASS] == ELFCLASS64)
+                retval = 1;
+
+doexit:
+        close(fd);
+        return retval;
+}
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index d2975bd57..5f6ecd95c 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -3,10 +3,10 @@
  * Original source code:
  *
  * Information:
- *     http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
+ *     https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
  *
  * Download:
- *     http://www.kernel.org/pub/linux/utils/net/iproute2/
+ *     https://www.kernel.org/pub/linux/utils/net/iproute2/
  *
  * Repository:
  *     git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
diff --git a/src/lib/pid.c b/src/lib/pid.c
index 5f19944b6..ca62aaa42 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,10 +17,12 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+
 #include "../include/common.h"
 #include "../include/pid.h"
 #include <string.h>
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <pwd.h>
 #include <sys/ioctl.h>
 #include <dirent.h>
@@ -148,7 +150,7 @@ uid_t pid_get_uid(pid_t pid) {
         char buf[PIDS_BUFLEN];
         while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
                 if (strncmp(buf, "Uid:", 4) == 0) {
-                        char *ptr = buf + 5;
+                        char *ptr = buf + 4;
                         while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
                                 ptr++;
                         }
@@ -165,6 +167,10 @@ doexit:
         return rv;
 }
 
+// todo: RUN_FIREJAIL_NAME_DIR is borrowed from src/firejail/firejail.h
+// move it in a common place
+#define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name"
+
 static void print_elem(unsigned index, int nowrap) {
         // get terminal size
         struct winsize sz;
@@ -183,15 +189,43 @@ static void print_elem(unsigned index, int nowrap) {
         uid_t uid = pids[index].uid;
         char *cmd = pid_proc_cmdline(index);
         char *user = pid_get_user_name(uid);
-        char *allocated = user;
+        char *user_allocated = user;
+
+        // extract sandbox name - pid == index
+        char *sandbox_name = "";
+        char *sandbox_name_allocated = NULL;
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(fname, &s) == 0) {
+                FILE *fp = fopen(fname, "r");
+                if (fp) {
+                        sandbox_name = malloc(s.st_size + 1);
+                        if (!sandbox_name)
+                                errExit("malloc");
+                        sandbox_name_allocated = sandbox_name;
+                        char *rv = fgets(sandbox_name, s.st_size + 1, fp);
+                        if (!rv)
+                                *sandbox_name = '\0';
+                        else {
+                                char *ptr = strchr(sandbox_name, '\n');
+                                if (ptr)
+                                        *ptr = '\0';
+                        }
+                        fclose(fp);
+                }
+        }
+        free(fname);
+
         if (user ==NULL)
                 user = "";
         if (cmd) {
                 if (col < 4 || nowrap)
-                        printf("%s%u:%s:%s\n", indent, index, user, cmd);
+                        printf("%s%u:%s:%s:%s\n", indent, index, user, sandbox_name, cmd);
                 else {
                         char *out;
-                        if (asprintf(&out, "%s%u:%s:%s\n", indent, index, user, cmd) == -1)
+                        if (asprintf(&out, "%s%u:%s:%s:%s\n", indent, index, user, sandbox_name, cmd) == -1)
                                 errExit("asprintf");
                         int len = strlen(out);
                         if (len > col) {
@@ -210,8 +244,10 @@ static void print_elem(unsigned index, int nowrap) {
                 else
                         printf("%s%u:\n", indent, index);
         }
-        if (allocated)
-                free(allocated);
+        if (user_allocated)
+                free(user_allocated);
+        if (sandbox_name_allocated)
+                free(sandbox_name_allocated);
 }
 
 // recursivity!!!
@@ -294,10 +330,9 @@ void pid_read(pid_t mon_pid) {
                 }
         }
 
-        pid_t child = -1;
         struct dirent *entry;
         char *end;
-        while (child < 0 && (entry = readdir(dir))) {
+        while ((entry = readdir(dir))) {
                 pid_t pid = strtol(entry->d_name, &end, 10);
                 pid %= max_pids;
                 if (end == entry->d_name || *end)
@@ -324,7 +359,10 @@ void pid_read(pid_t mon_pid) {
                 char buf[PIDS_BUFLEN];
                 while (fgets(buf, PIDS_BUFLEN - 1, fp)) {
                         if (strncmp(buf, "Name:", 5) == 0) {
-                                char *ptr = buf + 5;
+                                char *ptr = strchr(buf, '\n');
+                                if (ptr)
+                                        *ptr = '\0';
+                                ptr = buf + 5;
                                 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
                                         ptr++;
                                 }
@@ -333,7 +371,7 @@ void pid_read(pid_t mon_pid) {
                                         exit(1);
                                 }
 
-                                if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
+                                if ((strcmp(ptr, "firejail") == 0) && (mon_pid == 0 || mon_pid == pid)) {
                                         if (pid_proc_cmdline_x11_xpra_xephyr(pid))
                                                 pids[pid].level = -1;
                                         else
@@ -363,7 +401,7 @@ void pid_read(pid_t mon_pid) {
                                 pids[pid].parent = parent;
                         }
                         else if (strncmp(buf, "Uid:", 4) == 0) {
-                                char *ptr = buf + 5;
+                                char *ptr = buf + 4;
                                 while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
                                         ptr++;
                                 }
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
new file mode 100644
index 000000000..d0d9ff5aa
--- /dev/null
+++ b/src/lib/syscall.c
@@ -0,0 +1,1692 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include "../include/syscall.h"
+#include <assert.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include "../include/common.h"
+#include "../include/seccomp.h"
+
+#define SYSCALL_ERROR INT_MAX
+#define ERRNO_KILL -2
+
+typedef struct {
+        const char * const name;
+        int nr;
+} SyscallEntry;
+
+typedef struct {
+        const char * const name;
+        const char * const list;
+} SyscallGroupList;
+
+typedef struct {
+        const char *slist;
+        char *prelist, *postlist;
+        bool found;
+        int syscall;
+} SyscallCheckList;
+
+// Native syscalls (64 bit versions for 64 bit arch etc)
+static const SyscallEntry syslist[] = {
+#if defined(__x86_64__)
+// code generated using
+// awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_64.h
+#include "../include/syscall_x86_64.h"
+#elif defined(__i386__)
+// awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_32.h
+#include "../include/syscall_i386.h"
+#elif defined(__arm__)
+#include "../include/syscall_armeabi.h"
+#else
+#warning "Please submit a syscall table for your architecture"
+#endif
+};
+
+// 32 bit syscalls for 64 bit arch
+static const SyscallEntry syslist32[] = {
+#if defined(__x86_64__)
+#include "../include/syscall_i386.h"
+// TODO for other 64 bit archs
+#elif defined(__i386__) || defined(__arm__) || defined(__powerpc__)
+// no secondary arch for 32 bit archs
+#endif
+};
+
+static const SyscallGroupList sysgroups[] = {
+        { .name = "@aio", .list =
+#ifdef SYS_io_cancel
+          "io_cancel,"
+#endif
+#ifdef SYS_io_destroy
+          "io_destroy,"
+#endif
+#ifdef SYS_io_getevents
+          "io_getevents,"
+#endif
+#ifdef SYS_io_pgetevents
+          "io_pgetevents,"
+#endif
+#ifdef SYS_io_setup
+          "io_setup,"
+#endif
+#ifdef SYS_io_submit
+          "io_submit"
+#endif
+        },
+        { .name = "@basic-io", .list =
+#ifdef SYS__llseek
+          "_llseek,"
+#endif
+#ifdef SYS_close
+          "close,"
+#endif
+#ifdef SYS_dup
+          "dup,"
+#endif
+#ifdef SYS_dup2
+          "dup2,"
+#endif
+#ifdef SYS_dup3
+          "dup3,"
+#endif
+#ifdef SYS_lseek
+          "lseek,"
+#endif
+#ifdef SYS_pread64
+          "pread64,"
+#endif
+#ifdef SYS_preadv
+          "preadv,"
+#endif
+#ifdef SYS_preadv2
+          "preadv2,"
+#endif
+#ifdef SYS_pwrite64
+          "pwrite64,"
+#endif
+#ifdef SYS_pwritev
+          "pwritev,"
+#endif
+#ifdef SYS_pwritev2
+          "pwritev2,"
+#endif
+#ifdef SYS_read
+          "read,"
+#endif
+#ifdef SYS_readv
+          "readv,"
+#endif
+#ifdef SYS_write
+          "write,"
+#endif
+#ifdef SYS_writev
+          "writev"
+#endif
+        },
+        { .name = "@chown", .list =
+#ifdef SYS_chown
+          "chown,"
+#endif
+#ifdef SYS_chown32
+          "chown32,"
+#endif
+#ifdef SYS_fchown
+          "fchown,"
+#endif
+#ifdef SYS_fchown32
+          "fchown32,"
+#endif
+#ifdef SYS_fchownat
+          "fchownat,"
+#endif
+#ifdef SYS_lchown
+          "lchown,"
+#endif
+#ifdef SYS_lchown32
+          "lchown32"
+#endif
+        },
+        { .name = "@clock", .list =
+#ifdef SYS_adjtimex
+          "adjtimex,"
+#endif
+#ifdef SYS_clock_adjtime
+          "clock_adjtime,"
+#endif
+#ifdef SYS_clock_settime
+          "clock_settime,"
+#endif
+#ifdef SYS_settimeofday
+          "settimeofday,"
+#endif
+#ifdef SYS_stime
+          "stime"
+#endif
+        },
+        { .name = "@cpu-emulation", .list =
+#ifdef SYS_modify_ldt
+          "modify_ldt,"
+#endif
+#ifdef SYS_subpage_prot
+          "subpage_prot,"
+#endif
+#ifdef SYS_switch_endian
+          "switch_endian,"
+#endif
+#ifdef SYS_vm86
+          "vm86,"
+#endif
+#ifdef SYS_vm86old
+          "vm86old"
+#endif
+#if !defined(SYS_modify_ldt) && !defined(SYS_subpage_prot) && !defined(SYS_switch_endian) && !defined(SYS_vm86) && !defined(SYS_vm86old)
+          "__dummy_syscall__" // workaround for arm64, s390x and sparc64 which don't have any of above defined and empty syscall lists are not allowed
+#endif
+        },
+        { .name = "@debug", .list =
+#ifdef SYS_lookup_dcookie
+          "lookup_dcookie,"
+#endif
+#ifdef SYS_perf_event_open
+          "perf_event_open,"
+#endif
+#ifdef SYS_process_vm_writev
+          "process_vm_writev,"
+#endif
+#ifdef SYS_rtas
+          "rtas,"
+#endif
+#ifdef SYS_s390_runtime_instr
+          "s390_runtime_instr,"
+#endif
+#ifdef SYS_sys_debug_setcontext
+          "sys_debug_setcontext,"
+#endif
+        },
+        { .name = "@default", .list =
+          "@clock,"
+          "@cpu-emulation,"
+          "@debug,"
+          "@module,"
+          "@mount,"
+          "@obsolete,"
+          "@raw-io,"
+          "@reboot,"
+          "@swap,"
+#ifdef SYS_open_by_handle_at
+          "open_by_handle_at,"
+#endif
+#ifdef SYS_name_to_handle_at
+          "name_to_handle_at,"
+#endif
+#ifdef SYS_ioprio_set
+          "ioprio_set,"
+#endif
+#ifdef SYS_ni_syscall
+          "ni_syscall,"
+#endif
+#ifdef SYS_syslog
+          "syslog,"
+#endif
+#ifdef SYS_fanotify_init
+          "fanotify_init,"
+#endif
+#ifdef SYS_add_key
+          "add_key,"
+#endif
+#ifdef SYS_request_key
+          "request_key,"
+#endif
+#ifdef SYS_mbind
+          "mbind,"
+#endif
+#ifdef SYS_migrate_pages
+          "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+          "move_pages,"
+#endif
+#ifdef SYS_keyctl
+          "keyctl,"
+#endif
+#ifdef SYS_io_setup
+          "io_setup,"
+#endif
+#ifdef SYS_io_destroy
+          "io_destroy,"
+#endif
+#ifdef SYS_io_getevents
+          "io_getevents,"
+#endif
+#ifdef SYS_io_submit
+          "io_submit,"
+#endif
+#ifdef SYS_io_cancel
+          "io_cancel,"
+#endif
+#ifdef SYS_remap_file_pages
+          "remap_file_pages,"
+#endif
+#ifdef SYS_set_mempolicy
+          "set_mempolicy"
+#endif
+#ifdef SYS_vmsplice
+          "vmsplice,"
+#endif
+#ifdef SYS_userfaultfd
+          "userfaultfd,"
+#endif
+#ifdef SYS_acct
+          "acct,"
+#endif
+#ifdef SYS_bpf
+          "bpf,"
+#endif
+#ifdef SYS_nfsservctl
+          "nfsservctl,"
+#endif
+#ifdef SYS_setdomainname
+          "setdomainname,"
+#endif
+#ifdef SYS_sethostname
+          "sethostname,"
+#endif
+#ifdef SYS_vhangup
+          "vhangup"
+#endif
+//#ifdef SYS_mincore    // 0.9.57 - problem fixed in Linux kernel 5.0; on 4.x it will break kodi, mpv, totem
+//        "mincore"
+//#endif
+        },
+        { .name = "@default-nodebuggers", .list =
+          "@default,"
+#ifdef SYS_ptrace
+          "ptrace,"
+#endif
+#ifdef SYS_personality
+          "personality,"
+#endif
+#ifdef SYS_process_vm_readv
+          "process_vm_readv"
+#endif
+        },
+        { .name = "@default-keep", .list =
+          "execveat," // commonly used by fexecve
+          "execve,"
+          "prctl"
+        },
+        { .name = "@file-system", .list =
+#ifdef SYS_access
+          "access,"
+#endif
+#ifdef SYS_chdir
+          "chdir,"
+#endif
+#ifdef SYS_chmod
+          "chmod,"
+#endif
+#ifdef SYS_close
+          "close,"
+#endif
+#ifdef SYS_creat
+          "creat,"
+#endif
+#ifdef SYS_faccessat
+          "faccessat,"
+#endif
+#ifdef SYS_faccessat2
+          "faccessat2,"
+#endif
+#ifdef SYS_fallocate
+          "fallocate,"
+#endif
+#ifdef SYS_fchdir
+          "fchdir,"
+#endif
+#ifdef SYS_fchmod
+          "fchmod,"
+#endif
+#ifdef SYS_fchmodat
+          "fchmodat,"
+#endif
+#ifdef SYS_fcntl
+          "fcntl,"
+#endif
+#ifdef SYS_fcntl64
+          "fcntl64,"
+#endif
+#ifdef SYS_fgetxattr
+          "fgetxattr,"
+#endif
+#ifdef SYS_flistxattr
+          "flistxattr,"
+#endif
+#ifdef SYS_fremovexattr
+          "fremovexattr,"
+#endif
+#ifdef SYS_fsetxattr
+          "fsetxattr,"
+#endif
+#ifdef SYS_fstat
+          "fstat,"
+#endif
+#ifdef SYS_fstat64
+          "fstat64,"
+#endif
+#ifdef SYS_fstatat64
+          "fstatat64,"
+#endif
+#ifdef SYS_fstatfs
+          "fstatfs,"
+#endif
+#ifdef SYS_fstatfs64
+          "fstatfs64,"
+#endif
+#ifdef SYS_ftruncate
+          "ftruncate,"
+#endif
+#ifdef SYS_ftruncate64
+          "ftruncate64,"
+#endif
+#ifdef SYS_futimesat
+          "futimesat,"
+#endif
+#ifdef SYS_getcwd
+          "getcwd,"
+#endif
+#ifdef SYS_getdents
+          "getdents,"
+#endif
+#ifdef SYS_getdents64
+          "getdents64,"
+#endif
+#ifdef SYS_getxattr
+          "getxattr,"
+#endif
+#ifdef SYS_inotify_add_watch
+          "inotify_add_watch,"
+#endif
+#ifdef SYS_inotify_init
+          "inotify_init,"
+#endif
+#ifdef SYS_inotify_init1
+          "inotify_init1,"
+#endif
+#ifdef SYS_inotify_rm_watch
+          "inotify_rm_watch,"
+#endif
+#ifdef SYS_lgetxattr
+          "lgetxattr,"
+#endif
+#ifdef SYS_link
+          "link,"
+#endif
+#ifdef SYS_linkat
+          "linkat,"
+#endif
+#ifdef SYS_listxattr
+          "listxattr,"
+#endif
+#ifdef SYS_llistxattr
+          "llistxattr,"
+#endif
+#ifdef SYS_lremovexattr
+          "lremovexattr,"
+#endif
+#ifdef SYS_lsetxattr
+          "lsetxattr,"
+#endif
+#ifdef SYS_lstat
+          "lstat,"
+#endif
+#ifdef SYS_lstat64
+          "lstat64,"
+#endif
+#ifdef SYS_mkdir
+          "mkdir,"
+#endif
+#ifdef SYS_mkdirat
+          "mkdirat,"
+#endif
+#ifdef SYS_mknod
+          "mknod,"
+#endif
+#ifdef SYS_mknodat
+          "mknodat,"
+#endif
+#ifdef SYS_mmap
+          "mmap,"
+#endif
+#ifdef SYS_mmap2
+          "mmap2,"
+#endif
+#ifdef SYS_munmap
+          "munmap,"
+#endif
+#ifdef SYS_newfstatat
+          "newfstatat,"
+#endif
+#ifdef SYS_oldfstat
+          "oldfstat,"
+#endif
+#ifdef SYS_oldlstat
+          "oldlstat,"
+#endif
+#ifdef SYS_oldstat
+          "oldstat,"
+#endif
+#ifdef SYS_open
+          "open,"
+#endif
+#ifdef SYS_openat
+          "openat,"
+#endif
+#ifdef SYS_readlink
+          "readlink,"
+#endif
+#ifdef SYS_readlinkat
+          "readlinkat,"
+#endif
+#ifdef SYS_removexattr
+          "removexattr,"
+#endif
+#ifdef SYS_rename
+          "rename,"
+#endif
+#ifdef SYS_renameat
+          "renameat,"
+#endif
+#ifdef SYS_renameat2
+          "renameat2,"
+#endif
+#ifdef SYS_rmdir
+          "rmdir,"
+#endif
+#ifdef SYS_setxattr
+          "setxattr,"
+#endif
+#ifdef SYS_stat
+          "stat,"
+#endif
+#ifdef SYS_stat64
+          "stat64,"
+#endif
+#ifdef SYS_statfs
+          "statfs,"
+#endif
+#ifdef SYS_statfs64
+          "statfs64,"
+#endif
+#ifdef SYS_statx
+          "statx,"
+#endif
+#ifdef SYS_symlink
+          "symlink,"
+#endif
+#ifdef SYS_symlinkat
+          "symlinkat,"
+#endif
+#ifdef SYS_truncate
+          "truncate,"
+#endif
+#ifdef SYS_truncate64
+          "truncate64,"
+#endif
+#ifdef SYS_unlink
+          "unlink,"
+#endif
+#ifdef SYS_unlinkat
+          "unlinkat,"
+#endif
+#ifdef SYS_utime
+          "utime,"
+#endif
+#ifdef SYS_utimensat
+          "utimensat,"
+#endif
+#ifdef SYS_utimes
+          "utimes"
+#endif
+        },
+        { .name = "@io-event", .list =
+#ifdef SYS__newselect
+          "_newselect,"
+#endif
+#ifdef SYS_epoll_create
+          "epoll_create,"
+#endif
+#ifdef SYS_epoll_create1
+          "epoll_create1,"
+#endif
+#ifdef SYS_epoll_ctl
+          "epoll_ctl,"
+#endif
+#ifdef SYS_epoll_ctl_old
+          "epoll_ctl_old,"
+#endif
+#ifdef SYS_epoll_pwait
+          "epoll_pwait,"
+#endif
+#ifdef SYS_epoll_wait
+          "epoll_wait,"
+#endif
+#ifdef SYS_epoll_wait_old
+          "epoll_wait_old,"
+#endif
+#ifdef SYS_eventfd
+          "eventfd,"
+#endif
+#ifdef SYS_eventfd2
+          "eventfd2,"
+#endif
+#ifdef SYS_poll
+          "poll,"
+#endif
+#ifdef SYS_ppoll
+          "ppoll,"
+#endif
+#ifdef SYS_pselect6
+          "pselect6,"
+#endif
+#ifdef SYS_select
+          "select"
+#endif
+        },
+        { .name = "@ipc", .list =
+#ifdef SYS_ipc
+          "ipc,"
+#endif
+#ifdef SYS_memfd_create
+          "memfd_create,"
+#endif
+#ifdef SYS_mq_getsetattr
+          "mq_getsetattr,"
+#endif
+#ifdef SYS_mq_notify
+          "mq_notify,"
+#endif
+#ifdef SYS_mq_open
+          "mq_open,"
+#endif
+#ifdef SYS_mq_timedreceive
+          "mq_timedreceive,"
+#endif
+#ifdef SYS_mq_timedsend
+          "mq_timedsend,"
+#endif
+#ifdef SYS_mq_unlink
+          "mq_unlink,"
+#endif
+#ifdef SYS_msgctl
+          "msgctl,"
+#endif
+#ifdef SYS_msgget
+          "msgget,"
+#endif
+#ifdef SYS_msgrcv
+          "msgrcv,"
+#endif
+#ifdef SYS_msgsnd
+          "msgsnd,"
+#endif
+#ifdef SYS_pipe
+          "pipe,"
+#endif
+#ifdef SYS_pipe2
+          "pipe2,"
+#endif
+#ifdef SYS_process_vm_readv
+          "process_vm_readv,"
+#endif
+#ifdef SYS_process_vm_writev
+          "process_vm_writev,"
+#endif
+#ifdef SYS_semctl
+          "semctl,"
+#endif
+#ifdef SYS_semget
+          "semget,"
+#endif
+#ifdef SYS_semop
+          "semop,"
+#endif
+#ifdef SYS_semtimedop
+          "semtimedop,"
+#endif
+#ifdef SYS_shmat
+          "shmat,"
+#endif
+#ifdef SYS_shmctl
+          "shmctl,"
+#endif
+#ifdef SYS_shmdt
+          "shmdt,"
+#endif
+#ifdef SYS_shmget
+          "shmget"
+#endif
+        },
+        { .name = "@keyring", .list =
+#ifdef SYS_add_key
+          "add_key,"
+#endif
+#ifdef SYS_keyctl
+          "keyctl,"
+#endif
+#ifdef SYS_request_key
+          "request_key"
+#endif
+        },
+        { .name = "@memlock", .list =
+#ifdef SYS_mlock
+          "mlock,"
+#endif
+#ifdef SYS_mlock2
+          "mlock2,"
+#endif
+#ifdef SYS_mlockall
+          "mlockall,"
+#endif
+#ifdef SYS_munlock
+          "munlock,"
+#endif
+#ifdef SYS_munlockall
+          "munlockall"
+#endif
+        },
+        { .name = "@module", .list =
+#ifdef SYS_delete_module
+          "delete_module,"
+#endif
+#ifdef SYS_finit_module
+          "finit_module,"
+#endif
+#ifdef SYS_init_module
+          "init_module"
+#endif
+        },
+        { .name = "@mount", .list =
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_umount
+          "umount,"
+#endif
+#ifdef SYS_umount2
+          "umount2"
+#endif
+        },
+        { .name = "@network-io", .list =
+#ifdef SYS_accept
+          "accept,"
+#endif
+#ifdef SYS_accept4
+          "accept4,"
+#endif
+#ifdef SYS_bind
+          "bind,"
+#endif
+#ifdef SYS_connect
+          "connect,"
+#endif
+#ifdef SYS_getpeername
+          "getpeername,"
+#endif
+#ifdef SYS_getsockname
+          "getsockname,"
+#endif
+#ifdef SYS_getsockopt
+          "getsockopt,"
+#endif
+#ifdef SYS_listen
+          "listen,"
+#endif
+#ifdef SYS_recv
+          "recv,"
+#endif
+#ifdef SYS_recvfrom
+          "recvfrom,"
+#endif
+#ifdef SYS_recvmmsg
+          "recvmmsg,"
+#endif
+#ifdef SYS_recvmsg
+          "recvmsg,"
+#endif
+#ifdef SYS_send
+          "send,"
+#endif
+#ifdef SYS_sendmmsg
+          "sendmmsg,"
+#endif
+#ifdef SYS_sendmsg
+          "sendmsg,"
+#endif
+#ifdef SYS_sendto
+          "sendto,"
+#endif
+#ifdef SYS_setsockopt
+          "setsockopt,"
+#endif
+#ifdef SYS_shutdown
+          "shutdown,"
+#endif
+#ifdef SYS_socket
+          "socket,"
+#endif
+#ifdef SYS_socketcall
+          "socketcall,"
+#endif
+#ifdef SYS_socketpair
+          "socketpair"
+#endif
+        },
+        { .name = "@obsolete", .list =
+#ifdef SYS__sysctl
+          "_sysctl,"
+#endif
+#ifdef SYS_afs_syscall
+          "afs_syscall,"
+#endif
+#ifdef SYS_bdflush
+          "bdflush,"
+#endif
+#ifdef SYS_break
+          "break,"
+#endif
+#ifdef SYS_create_module
+          "create_module,"
+#endif
+#ifdef SYS_ftime
+          "ftime,"
+#endif
+#ifdef SYS_get_kernel_syms
+          "get_kernel_syms,"
+#endif
+#ifdef SYS_getpmsg
+          "getpmsg,"
+#endif
+#ifdef SYS_gtty
+          "gtty,"
+#endif
+#ifdef SYS_idle
+          "idle,"
+#endif
+#ifdef SYS_lock
+          "lock,"
+#endif
+#ifdef SYS_mpx
+          "mpx,"
+#endif
+#ifdef SYS_prof
+          "prof,"
+#endif
+#ifdef SYS_profil
+          "profil,"
+#endif
+#ifdef SYS_putpmsg
+          "putpmsg,"
+#endif
+#ifdef SYS_query_module
+          "query_module,"
+#endif
+#ifdef SYS_security
+          "security,"
+#endif
+#ifdef SYS_sgetmask
+          "sgetmask,"
+#endif
+#ifdef SYS_ssetmask
+          "ssetmask,"
+#endif
+#ifdef SYS_stty
+          "stty,"
+#endif
+#ifdef SYS_sysfs
+          "sysfs,"
+#endif
+#ifdef SYS_tuxcall
+          "tuxcall,"
+#endif
+#ifdef SYS_ulimit
+          "ulimit,"
+#endif
+#ifdef SYS_uselib
+          "uselib,"
+#endif
+#ifdef SYS_ustat
+          "ustat,"
+#endif
+#ifdef SYS_vserver
+          "vserver"
+#endif
+#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
+          "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
+        },
+        { .name = "@privileged", .list =
+          "@chown,"
+          "@clock,"
+          "@module,"
+          "@raw-io,"
+          "@reboot,"
+          "@swap,"
+#ifdef SYS__sysctl
+          "_sysctl,"
+#endif
+#ifdef SYS_acct
+          "acct,"
+#endif
+#ifdef SYS_bpf
+          "bpf,"
+#endif
+#ifdef SYS_capset
+          "capset,"
+#endif
+#ifdef SYS_chroot
+          "chroot,"
+#endif
+#ifdef SYS_fanotify_init
+          "fanotify_init,"
+#endif
+#ifdef SYS_mount
+          "mount,"
+#endif
+#ifdef SYS_nfsservctl
+          "nfsservctl,"
+#endif
+#ifdef SYS_open_by_handle_at
+          "open_by_handle_at,"
+#endif
+#ifdef SYS_pivot_root
+          "pivot_root,"
+#endif
+#ifdef SYS_quotactl
+          "quotactl,"
+#endif
+#ifdef SYS_setdomainname
+          "setdomainname,"
+#endif
+#ifdef SYS_setfsuid
+          "setfsuid,"
+#endif
+#ifdef SYS_setfsuid32
+          "setfsuid32,"
+#endif
+#ifdef SYS_setgroups
+          "setgroups,"
+#endif
+#ifdef SYS_setgroups32
+          "setgroups32,"
+#endif
+#ifdef SYS_sethostname
+          "sethostname,"
+#endif
+#ifdef SYS_setresuid
+          "setresuid,"
+#endif
+#ifdef SYS_setresuid32
+          "setresuid32,"
+#endif
+#ifdef SYS_setreuid
+          "setreuid,"
+#endif
+#ifdef SYS_setreuid32
+          "setreuid32,"
+#endif
+#ifdef SYS_setuid
+          "setuid,"
+#endif
+#ifdef SYS_setuid32
+          "setuid32,"
+#endif
+#ifdef SYS_umount2
+          "umount2,"
+#endif
+#ifdef SYS_vhangup
+          "vhangup"
+#endif
+        },
+        { .name = "@process", .list =
+#ifdef SYS_arch_prctl
+          "arch_prctl,"
+#endif
+#ifdef SYS_capget
+          "capget,"
+#endif
+#ifdef SYS_clone
+          "clone,"
+#endif
+#ifdef SYS_execveat
+          "execveat,"
+#endif
+#ifdef SYS_fork
+          "fork,"
+#endif
+#ifdef SYS_getrusage
+          "getrusage,"
+#endif
+#ifdef SYS_kill
+          "kill,"
+#endif
+#ifdef SYS_pidfd_send_signal
+          "pidfd_send_signal,"
+#endif
+#ifdef SYS_prctl
+          "prctl,"
+#endif
+#ifdef SYS_rt_sigqueueinfo
+          "rt_sigqueueinfo,"
+#endif
+#ifdef SYS_rt_tgsigqueueinfo
+          "rt_tgsigqueueinfo,"
+#endif
+#ifdef SYS_setns
+          "setns,"
+#endif
+#ifdef SYS_swapcontext
+          "swapcontext,"
+#endif
+#ifdef SYS_tgkill
+          "tgkill,"
+#endif
+#ifdef SYS_times
+          "times,"
+#endif
+#ifdef SYS_tkill
+          "tkill,"
+#endif
+#ifdef SYS_unshare
+          "unshare,"
+#endif
+#ifdef SYS_vfork
+          "vfork,"
+#endif
+#ifdef SYS_wait4
+          "wait4,"
+#endif
+#ifdef SYS_waitid
+          "waitid,"
+#endif
+#ifdef SYS_waitpid
+          "waitpid"
+#endif
+        },
+        { .name = "@raw-io", .list =
+#ifdef SYS_ioperm
+          "ioperm,"
+#endif
+#ifdef SYS_iopl
+          "iopl,"
+#endif
+#ifdef SYS_pciconfig_iobase
+          "pciconfig_iobase,"
+#endif
+#ifdef SYS_pciconfig_read
+          "pciconfig_read,"
+#endif
+#ifdef SYS_pciconfig_write
+          "pciconfig_write,"
+#endif
+#ifdef SYS_s390_mmio_read
+          "s390_mmio_read,"
+#endif
+#ifdef SYS_s390_mmio_write
+          "s390_mmio_write"
+#endif
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+          "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
+        },
+        { .name = "@reboot", .list =
+#ifdef SYS_kexec_load
+          "kexec_load,"
+#endif
+#ifdef SYS_kexec_file_load
+          "kexec_file_load,"
+#endif
+#ifdef SYS_reboot
+          "reboot,"
+#endif
+        },
+        { .name = "@resources", .list =
+#ifdef SYS_ioprio_set
+          "ioprio_set,"
+#endif
+#ifdef SYS_mbind
+          "mbind,"
+#endif
+#ifdef SYS_migrate_pages
+          "migrate_pages,"
+#endif
+#ifdef SYS_move_pages
+          "move_pages,"
+#endif
+#ifdef SYS_nice
+          "nice,"
+#endif
+#ifdef SYS_sched_setaffinity
+          "sched_setaffinity,"
+#endif
+#ifdef SYS_sched_setattr
+          "sched_setattr,"
+#endif
+#ifdef SYS_sched_setparam
+          "sched_setparam,"
+#endif
+#ifdef SYS_sched_setscheduler
+          "sched_setscheduler,"
+#endif
+#ifdef SYS_set_mempolicy
+          "set_mempolicy"
+#endif
+        },
+        { .name = "@setuid", .list =
+#ifdef SYS_setgid
+          "setgid,"
+#endif
+#ifdef SYS_setgid32
+          "setgid32,"
+#endif
+#ifdef SYS_setgroups
+          "setgroups,"
+#endif
+#ifdef SYS_setgroups32
+          "setgroups32,"
+#endif
+#ifdef SYS_setregid
+          "setregid,"
+#endif
+#ifdef SYS_setregid32
+          "setregid32,"
+#endif
+#ifdef SYS_setresgid
+          "setresgid,"
+#endif
+#ifdef SYS_setresgid32
+          "setresgid32,"
+#endif
+#ifdef SYS_setresuid
+          "setresuid,"
+#endif
+#ifdef SYS_setresuid32
+          "setresuid32,"
+#endif
+#ifdef SYS_setreuid
+          "setreuid,"
+#endif
+#ifdef SYS_setreuid32
+          "setreuid32,"
+#endif
+#ifdef SYS_setuid
+          "setuid,"
+#endif
+#ifdef SYS_setuid32
+          "setuid32"
+#endif
+        },
+        { .name = "@signal", .list =
+#ifdef SYS_rt_sigaction
+          "rt_sigaction,"
+#endif
+#ifdef SYS_rt_sigpending
+          "rt_sigpending,"
+#endif
+#ifdef SYS_rt_sigprocmask
+          "rt_sigprocmask,"
+#endif
+#ifdef SYS_rt_sigsuspend
+          "rt_sigsuspend,"
+#endif
+#ifdef SYS_rt_sigtimedwait
+          "rt_sigtimedwait,"
+#endif
+#ifdef SYS_sigaction
+          "sigaction,"
+#endif
+#ifdef SYS_sigaltstack
+          "sigaltstack,"
+#endif
+#ifdef SYS_signal
+          "signal,"
+#endif
+#ifdef SYS_signalfd
+          "signalfd,"
+#endif
+#ifdef SYS_signalfd4
+          "signalfd4,"
+#endif
+#ifdef SYS_sigpending
+          "sigpending,"
+#endif
+#ifdef SYS_sigprocmask
+          "sigprocmask,"
+#endif
+#ifdef SYS_sigsuspend
+          "sigsuspend"
+#endif
+        },
+        { .name = "@swap", .list =
+#ifdef SYS_swapon
+          "swapon,"
+#endif
+#ifdef SYS_swapoff
+          "swapoff"
+#endif
+        },
+        { .name = "@sync", .list =
+#ifdef SYS_fdatasync
+          "fdatasync,"
+#endif
+#ifdef SYS_fsync
+          "fsync,"
+#endif
+#ifdef SYS_msync
+          "msync,"
+#endif
+#ifdef SYS_sync
+          "sync,"
+#endif
+#ifdef SYS_sync_file_range
+          "sync_file_range,"
+#endif
+#ifdef SYS_sync_file_range2
+          "sync_file_range2,"
+#endif
+#ifdef SYS_syncfs
+          "syncfs"
+#endif
+        },
+        { .name = "@system-service", .list =
+          "@aio,"
+          "@basic-io,"
+          "@chown,"
+          "@default,"
+          "@file-system,"
+          "@io-event,"
+          "@ipc,"
+          "@keyring,"
+          "@memlock,"
+          "@network-io,"
+          "@process,"
+          "@resources,"
+          "@setuid,"
+          "@signal,"
+          "@sync,"
+          "@timer,"
+#ifdef SYS_brk
+          "brk,"
+#endif
+#ifdef SYS_capget
+          "capget,"
+#endif
+#ifdef SYS_capset
+          "capset,"
+#endif
+#ifdef SYS_copy_file_range
+          "copy_file_range,"
+#endif
+#ifdef SYS_fadvise64
+          "fadvise64,"
+#endif
+#ifdef SYS_fadvise64_64
+          "fadvise64_64,"
+#endif
+#ifdef SYS_flock
+          "flock,"
+#endif
+#ifdef SYS_get_mempolicy
+          "get_mempolicy,"
+#endif
+#ifdef SYS_getcpu
+          "getcpu,"
+#endif
+#ifdef SYS_getpriority
+          "getpriority,"
+#endif
+#ifdef SYS_getrandom
+          "getrandom,"
+#endif
+#ifdef SYS_ioctl
+          "ioctl,"
+#endif
+#ifdef SYS_ioprio_get
+          "ioprio_get,"
+#endif
+#ifdef SYS_kcmp
+          "kcmp,"
+#endif
+#ifdef SYS_madvise
+          "madvise,"
+#endif
+#ifdef SYS_mprotect
+          "mprotect,"
+#endif
+#ifdef SYS_mremap
+          "mremap,"
+#endif
+#ifdef SYS_name_to_handle_at
+          "name_to_handle_at,"
+#endif
+#ifdef SYS_oldolduname
+          "oldolduname,"
+#endif
+#ifdef SYS_olduname
+          "olduname,"
+#endif
+#ifdef SYS_personality
+          "personality,"
+#endif
+#ifdef SYS_readahead
+          "readahead,"
+#endif
+#ifdef SYS_readdir
+          "readdir,"
+#endif
+#ifdef SYS_remap_file_pages
+          "remap_file_pages,"
+#endif
+#ifdef SYS_sched_get_priority_max
+          "sched_get_priority_max,"
+#endif
+#ifdef SYS_sched_get_priority_min
+          "sched_get_priority_min,"
+#endif
+#ifdef SYS_sched_getaffinity
+          "sched_getaffinity,"
+#endif
+#ifdef SYS_sched_getattr
+          "sched_getattr,"
+#endif
+#ifdef SYS_sched_getparam
+          "sched_getparam,"
+#endif
+#ifdef SYS_sched_getscheduler
+          "sched_getscheduler,"
+#endif
+#ifdef SYS_sched_rr_get_interval
+          "sched_rr_get_interval,"
+#endif
+#ifdef SYS_sched_yield
+          "sched_yield,"
+#endif
+#ifdef SYS_sendfile
+          "sendfile,"
+#endif
+#ifdef SYS_sendfile64
+          "sendfile64,"
+#endif
+#ifdef SYS_setfsgid
+          "setfsgid,"
+#endif
+#ifdef SYS_setfsgid32
+          "setfsgid32,"
+#endif
+#ifdef SYS_setfsuid
+          "setfsuid,"
+#endif
+#ifdef SYS_setfsuid32
+          "setfsuid32,"
+#endif
+#ifdef SYS_setpgid
+          "setpgid,"
+#endif
+#ifdef SYS_setsid
+          "setsid,"
+#endif
+#ifdef SYS_splice
+          "splice,"
+#endif
+#ifdef SYS_sysinfo
+          "sysinfo,"
+#endif
+#ifdef SYS_tee
+          "tee,"
+#endif
+#ifdef SYS_umask
+          "umask,"
+#endif
+#ifdef SYS_uname
+          "uname,"
+#endif
+#ifdef SYS_userfaultfd
+          "userfaultfd,"
+#endif
+#ifdef SYS_vmsplice
+          "vmsplice"
+#endif
+        },
+        { .name = "@timer", .list =
+#ifdef SYS_alarm
+          "alarm,"
+#endif
+#ifdef SYS_getitimer
+          "getitimer,"
+#endif
+#ifdef SYS_setitimer
+          "setitimer,"
+#endif
+#ifdef SYS_timer_create
+          "timer_create,"
+#endif
+#ifdef SYS_timer_delete
+          "timer_delete,"
+#endif
+#ifdef SYS_timer_getoverrun
+          "timer_getoverrun,"
+#endif
+#ifdef SYS_timer_gettime
+          "timer_gettime,"
+#endif
+#ifdef SYS_timer_settime
+          "timer_settime,"
+#endif
+#ifdef SYS_timerfd_create
+          "timerfd_create,"
+#endif
+#ifdef SYS_timerfd_gettime
+          "timerfd_gettime,"
+#endif
+#ifdef SYS_timerfd_settime
+          "timerfd_settime,"
+#endif
+#ifdef SYS_times
+          "times"
+#endif
+        }
+};
+
+// return SYSCALL_ERROR if error, or syscall number
+static int syscall_find_name(const char *name) {
+        int i;
+        int elems = sizeof(syslist) / sizeof(syslist[0]);
+        for (i = 0; i < elems; i++) {
+                if (strcmp(name, syslist[i].name) == 0)
+                        return syslist[i].nr;
+        }
+
+        return SYSCALL_ERROR;
+}
+
+static int syscall_find_name_32(const char *name) {
+        int i;
+        int elems = sizeof(syslist32) / sizeof(syslist32[0]);
+        for (i = 0; i < elems; i++) {
+                if (strcmp(name, syslist32[i].name) == 0)
+                        return syslist32[i].nr;
+        }
+
+        return SYSCALL_ERROR;
+}
+
+const char *syscall_find_nr(int nr) {
+        int i;
+        int elems = sizeof(syslist) / sizeof(syslist[0]);
+        for (i = 0; i < elems; i++) {
+                if (nr == syslist[i].nr)
+                        return syslist[i].name;
+        }
+
+        return "unknown";
+}
+
+const char *syscall_find_nr_32(int nr) {
+        int i;
+        int elems = sizeof(syslist32) / sizeof(syslist32[0]);
+        for (i = 0; i < elems; i++) {
+                if (nr == syslist32[i].nr)
+                        return syslist32[i].name;
+        }
+
+        return "unknown";
+}
+
+void syscall_print(void) {
+        int i;
+        int elems = sizeof(syslist) / sizeof(syslist[0]);
+        for (i = 0; i < elems; i++) {
+                printf("%d\t- %s\n", syslist[i].nr, syslist[i].name);
+        }
+        printf("\n");
+}
+
+void syscall_print_32(void) {
+        int i;
+        int elems = sizeof(syslist32) / sizeof(syslist32[0]);
+        for (i = 0; i < elems; i++) {
+                printf("%d\t- %s\n", syslist32[i].nr, syslist32[i].name);
+        }
+        printf("\n");
+}
+
+static const char *syscall_find_group(const char *name) {
+        int i;
+        int elems = sizeof(sysgroups) / sizeof(sysgroups[0]);
+        for (i = 0; i < elems; i++) {
+                if (strcmp(name, sysgroups[i].name) == 0)
+                        return sysgroups[i].list;
+        }
+
+        return NULL;
+}
+
+// allowed input:
+// - syscall
+// - syscall(error)
+static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr, bool native) {
+        assert(name);
+        if (strlen(name) == 0)
+                goto error;
+        *error_nr = -1;
+
+        // syntax check
+        char *str = strdup(name);
+        if (!str)
+                errExit("strdup");
+
+        char *syscall_name = str;
+        char *error_name = strchr(str, ':');
+        if (error_name) {
+                *error_name = '\0';
+                error_name++;
+        }
+        if (strlen(syscall_name) == 0) {
+                free(str);
+                goto error;
+        }
+
+        if (*syscall_name == '$')
+                *syscall_nr = strtol(syscall_name + 1, NULL, 0);
+        else {
+                if (native)
+                        *syscall_nr = syscall_find_name(syscall_name);
+                else
+                        *syscall_nr = syscall_find_name_32(syscall_name);
+        }
+        if (error_name) {
+                if (strcmp(error_name, "kill") == 0)
+                        *error_nr = ERRNO_KILL;
+                else {
+                        *error_nr = errno_find_name(error_name);
+                        if (*error_nr == -1)
+                                *syscall_nr = SYSCALL_ERROR;
+                }
+        }
+
+        free(str);
+        return;
+
+error:
+        fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
+        exit(1);
+}
+
+// return 1 if error, 0 if OK
+int syscall_check_list(const char *slist, filter_fn *callback, int fd, int arg, void *ptrarg, bool native) {
+        // don't allow empty lists
+        if (slist == NULL || *slist == '\0') {
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
+                exit(1);
+        }
+
+        // work on a copy of the string
+        char *str = strdup(slist);
+        if (!str)
+                errExit("strdup");
+
+        char *saveptr;
+        char *ptr = strtok_r(str, ",", &saveptr);
+        if (ptr == NULL) {
+                fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
+                exit(1);
+        }
+
+        while (ptr) {
+                int syscall_nr;
+                int error_nr;
+                if (*ptr == '@') {
+                        const char *new_list = syscall_find_group(ptr);
+                        if (!new_list) {
+                                fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr);
+                                exit(1);
+                        }
+                        syscall_check_list(new_list, callback, fd, arg, ptrarg, native);
+                }
+                else {
+                        bool negate = false;
+                        if (*ptr == '!') {
+                                negate = true;
+                                ptr++;
+                        }
+                        syscall_process_name(ptr, &syscall_nr, &error_nr, native);
+                        if (syscall_nr != SYSCALL_ERROR && callback != NULL) {
+                                if (negate) {
+                                        syscall_nr = -syscall_nr;
+                                }
+                                if (error_nr >= 0 && fd > 0)
+                                        filter_add_errno(fd, syscall_nr, error_nr, ptrarg, native);
+                                else if (error_nr == ERRNO_KILL && fd > 0)
+                                        filter_add_blacklist_override(fd, syscall_nr, 0, ptrarg, native);
+                                else if (error_nr >= 0 && fd == 0) {
+                                        callback(fd, syscall_nr, error_nr, ptrarg, native);
+                                }
+                                else {
+                                        callback(fd, syscall_nr, arg, ptrarg, native);
+                                }
+                        }
+                }
+                ptr = strtok_r(NULL, ",", &saveptr);
+        }
+
+        free(str);
+        return 0;
+}
+
+static void find_syscall(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void)fd;
+        (void) arg;
+        (void)native;
+        SyscallCheckList *ptr = ptrarg;
+        if (abs(syscall) == ptr->syscall)
+                ptr->found = true;
+}
+
+// go through list2 and find matches for problem syscall
+static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void)arg;
+        SyscallCheckList *ptr = ptrarg;
+        SyscallCheckList sl;
+        const char *name;
+
+        sl.found = false;
+        sl.syscall = syscall;
+        syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl, native);
+
+        if (native)
+                name = syscall_find_nr(syscall);
+        else
+                name = syscall_find_nr_32(syscall);
+
+        // if found in the problem list, add to post-exec list
+        if (sl.found) {
+                if (ptr->postlist) {
+                        if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, name) == -1)
+                                errExit("asprintf");
+                }
+                else
+                        ptr->postlist = strdup(name);
+        }
+        else { // no problem, add to pre-exec list
+                // build syscall:error_no
+                char *newcall = NULL;
+                if (arg != 0) {
+                        if (asprintf(&newcall, "%s:%s", name, errno_find_nr(arg)) == -1)
+                                errExit("asprintf");
+                }
+                else {
+                        newcall = strdup(name);
+                        if (!newcall)
+                                errExit("strdup");
+                }
+
+                if (ptr->prelist) {
+                        if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1)
+                                errExit("asprintf");
+                        free(newcall);
+                }
+                else
+                        ptr->prelist = newcall;
+        }
+}
+
+// go through list and find matches for syscalls in list @default-keep
+void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist, bool native) {
+        (void) fd;
+        SyscallCheckList sl;
+        // these syscalls are used by firejail after the seccomp filter is initialized
+        sl.slist = slist;
+        sl.prelist = NULL;
+        sl.postlist = NULL;
+        syscall_check_list(list, syscall_in_list, 0, 0, &sl, native);
+        if (!arg_quiet) {
+                printf("Seccomp list in: %s,", list);
+                if (sl.slist)
+                        printf(" check list: %s,", sl.slist);
+                if (sl.prelist)
+                        printf(" prelist: %s,", sl.prelist);
+                if (sl.postlist)
+                        printf(" postlist: %s", sl.postlist);
+                printf("\n");
+        }
+        *prelist = sl.prelist;
+        *postlist = sl.postlist;
+}
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
index 92803342c..c08ae78ce 100644
--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -4,23 +4,25 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
+H_FILE_LIST       = $(sort $(wildcard *.h))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libpostexecseccomp.so
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 libpostexecseccomp.so: $(OBJS)
         $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
+.PHONY: clean
+clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist
 
-clean:; rm -f $(OBJS) libpostexecseccomp.so
-
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index 2c9d02c84..1d1eb283b 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,30 +17,36 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "libpostexecseccomp.h"
 #include "../include/seccomp.h"
+#include "../include/rundefs.h"
 #include <fcntl.h>
 #include <linux/filter.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <unistd.h>
+#include <stdio.h>
 
 __attribute__((constructor))
 static void load_seccomp(void) {
         int fd = open(RUN_SECCOMP_POSTEXEC, O_RDONLY);
-        if (fd == -1)
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot open seccomp postexec filter file %s\n", RUN_SECCOMP_POSTEXEC);
                 return;
+        }
 
-        int size = lseek(fd, 0, SEEK_END);
+        off_t size = lseek(fd, 0, SEEK_END);
+        if (size <= 0) {
+                close(fd);
+                return;
+        }
         unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
-        struct sock_filter *filter = MAP_FAILED;
-        if (size != 0)
-                filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-
+        struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
         close(fd);
 
-        if (size == 0 || filter == MAP_FAILED)
+        if (filter == MAP_FAILED) {
+                fprintf(stderr, "Error: cannot map seccomp postexec filter data\n");
                 return;
+        }
 
         // install filter
         struct sock_fprog prog = {
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in
index 6ae078f46..804671ee2 100644
--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -4,13 +4,14 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
+H_FILE_LIST       = $(sort $(wildcard *.h))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libtrace.so
 
 %.o : %.c $(H_FILE_LIST)
@@ -19,8 +20,9 @@ all: libtrace.so
 libtrace.so: $(OBJS)
         $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
+.PHONY: clean
+clean:; rm -fr $(OBJS) libtrace.so *.plist
 
-clean:; rm -f $(OBJS) libtrace.so
-
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 04cf64997..d88512b0a 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -23,69 +23,97 @@
 #include <string.h>
 #include <dlfcn.h>
 #include <sys/types.h>
+#include <limits.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <sys/un.h>
 #include <sys/stat.h>
+#include <syslog.h>
 #include <dirent.h>
+#include "../include/rundefs.h"
+
+#define tprintf(fp, args...) \
+    do { \
+        if (!fp)\
+            init(); \
+        fprintf(fp, args); \
+    } while(0)
 
 // break recursivity on fopen call
 typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode);
 static orig_fopen_t orig_fopen = NULL;
 typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
 static orig_fopen64_t orig_fopen64 = NULL;
+typedef int (*orig_access_t)(const char *pathname, int mode);
+static orig_access_t orig_access = NULL;
 
 //
-// pid
+// library constructor/destructor
 //
+// Using fprintf to /dev/tty instead of printf in order to fix #561
+static FILE *ftty = NULL;
 static pid_t mypid = 0;
-static inline pid_t pid(void) {
-        if (!mypid)
-                mypid = getpid();
-        return mypid;
-}
+#define MAXNAME 16 // 8 or larger
+static char myname[MAXNAME] = "unknown";
+
+static void init(void) __attribute__((constructor));
+void init(void) {
+        if (ftty)
+                return;
+
+        orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
+        orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
+
+        // allow environment variable to override defaults
+        char *logfile = getenv("FIREJAIL_TRACEFILE");
+        if (!logfile) {
+                // if exists, log to trace file
+                logfile = RUN_TRACE_FILE;
+                if (orig_access(logfile, F_OK))
+                        // else log to associated tty
+                        logfile = "/dev/tty";
+        }
 
-//
-// process name
-//
-#define MAXNAME 16
-static char myname[MAXNAME];
-static int nameinit = 0;
-static char *name(void) {
-        if (!nameinit) {
-                // initialize the name of the process based on /proc/PID/comm
-                memset(myname, 0, MAXNAME);
-
-                pid_t p = pid();
-                char *fname;
-                if (asprintf(&fname, "/proc/%u/comm", p) == -1)
-                        return "unknown";
-
-                // read file
-                if (!orig_fopen)
-                        orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
-                FILE *fp  = orig_fopen(fname, "r");
-                if (!fp)
-                        return "unknown";
-                if (fgets(myname, MAXNAME, fp) == NULL) {
-                        fclose(fp);
-                        free(fname);
-                        return "unknown";
+        // logfile
+        unsigned cnt = 0;
+        while ((ftty = orig_fopen(logfile, "a")) == NULL) {
+                if (++cnt > 10) { // 10 sec
+                        perror("Cannot open trace log file");
+                        exit(1);
                 }
+                sleep(1);
+        }
+        // line buffered stream
+        setvbuf(ftty, NULL, _IOLBF, BUFSIZ);
 
-                // clean '\n'
-                char *ptr = strchr(myname, '\n');
-                if (ptr)
-                        *ptr = '\0';
+        // pid
+        mypid = getpid();
 
-                fclose(fp);
+        // process name
+        char *fname;
+        if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
+                FILE *fp = orig_fopen(fname, "r");
                 free(fname);
-                nameinit = 1;
+                if (fp) {
+                        if (fgets(myname, MAXNAME, fp) == NULL)
+                                strcpy(myname, "unknown");
+                        fclose(fp);
+                }
         }
 
-        return myname;
+        // clean '\n'
+        char *ptr = strchr(myname, '\n');
+        if (ptr)
+                *ptr = '\0';
+
+//      tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
+}
+
+static void fini(void) __attribute__((destructor));
+void fini(void) {
+        fclose(ftty);
 }
 
 //
@@ -232,23 +260,23 @@ static char *translate(XTable *table, int val) {
 static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
         if (addr->sa_family == AF_INET) {
                 struct sockaddr_in *a = (struct sockaddr_in *) addr;
-                printf("%u:%s:%s %d %s port %u:%d\n", pid(), name(), call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
+                tprintf(ftty, "%u:%s:%s %d %s port %u:%d\n", mypid, myname, call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
         }
         else if (addr->sa_family == AF_INET6) {
                 struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr;
                 char str[INET6_ADDRSTRLEN];
                 inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN);
-                printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, str, rv);
+                tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, str, rv);
         }
         else if (addr->sa_family == AF_UNIX) {
                 struct sockaddr_un *a = (struct sockaddr_un *) addr;
                 if (a->sun_path[0])
-                        printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, a->sun_path, rv);
+                        tprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, a->sun_path, rv);
                 else
-                        printf("%u:%s:%s %d @%s:%d\n", pid(), name(), call, sockfd, a->sun_path + 1, rv);
+                        tprintf(ftty, "%u:%s:%s %d @%s:%d\n", mypid, myname, call, sockfd, a->sun_path + 1, rv);
         }
         else {
-                printf("%u:%s:%s %d family %d:%d\n", pid(), name(), call, sockfd, addr->sa_family, rv);
+                tprintf(ftty, "%u:%s:%s %d family %d:%d\n", mypid, myname, call, sockfd, addr->sa_family, rv);
         }
 }
 
@@ -264,7 +292,7 @@ int open(const char *pathname, int flags, mode_t mode) {
                 orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
 
         int rv = orig_open(pathname, flags, mode);
-        printf("%u:%s:open %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -275,7 +303,7 @@ int open64(const char *pathname, int flags, mode_t mode) {
                 orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
 
         int rv = orig_open64(pathname, flags, mode);
-        printf("%u:%s:open64 %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -287,7 +315,7 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) {
                 orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat");
 
         int rv = orig_openat(dirfd, pathname, flags, mode);
-        printf("%u:%s:openat %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:openat %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -298,7 +326,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
                 orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
 
         int rv = orig_openat64(dirfd, pathname, flags, mode);
-        printf("%u:%s:openat64 %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -309,7 +337,7 @@ FILE *fopen(const char *pathname, const char *mode) {
                 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
 
         FILE *rv = orig_fopen(pathname, mode);
-        printf("%u:%s:fopen %s:%p\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:fopen %s:%p\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -319,7 +347,7 @@ FILE *fopen64(const char *pathname, const char *mode) {
                 orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
 
         FILE *rv = orig_fopen64(pathname, mode);
-        printf("%u:%s:fopen64 %s:%p\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv);
         return rv;
 }
 #endif /* __GLIBC__ */
@@ -333,7 +361,7 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
                 orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen");
 
         FILE *rv = orig_freopen(pathname, mode, stream);
-        printf("%u:%s:freopen %s:%p\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:freopen %s:%p\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -345,7 +373,7 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
                 orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64");
 
         FILE *rv = orig_freopen64(pathname, mode, stream);
-        printf("%u:%s:freopen64 %s:%p\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv);
         return rv;
 }
 #endif /* __GLIBC__ */
@@ -358,7 +386,7 @@ int unlink(const char *pathname) {
                 orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink");
 
         int rv = orig_unlink(pathname);
-        printf("%u:%s:unlink %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:unlink %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -369,7 +397,7 @@ int unlinkat(int dirfd, const char *pathname, int flags) {
                 orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat");
 
         int rv = orig_unlinkat(dirfd, pathname, flags);
-        printf("%u:%s:unlinkat %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:unlinkat %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -381,7 +409,7 @@ int mkdir(const char *pathname, mode_t mode) {
                 orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir");
 
         int rv = orig_mkdir(pathname, mode);
-        printf("%u:%s:mkdir %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:mkdir %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -392,7 +420,7 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) {
                 orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat");
 
         int rv = orig_mkdirat(dirfd, pathname, mode);
-        printf("%u:%s:mkdirat %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:mkdirat %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -403,56 +431,56 @@ int rmdir(const char *pathname) {
                 orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir");
 
         int rv = orig_rmdir(pathname);
-        printf("%u:%s:rmdir %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:rmdir %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
 // stat
-typedef int (*orig_stat_t)(const char *pathname, struct stat *buf);
+typedef int (*orig_stat_t)(const char *pathname, struct stat *statbuf);
 static orig_stat_t orig_stat = NULL;
-int stat(const char *pathname, struct stat *buf) {
+int stat(const char *pathname, struct stat *statbuf) {
         if (!orig_stat)
                 orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat");
 
-        int rv = orig_stat(pathname, buf);
-        printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv);
+        int rv = orig_stat(pathname, statbuf);
+        tprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
 #ifdef __GLIBC__
-typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf);
+typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf);
 static orig_stat64_t orig_stat64 = NULL;
-int stat64(const char *pathname, struct stat64 *buf) {
+int stat64(const char *pathname, struct stat64 *statbuf) {
         if (!orig_stat64)
                 orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
 
-        int rv = orig_stat64(pathname, buf);
-        printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv);
+        int rv = orig_stat64(pathname, statbuf);
+        tprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 #endif /* __GLIBC__ */
 
 // lstat
-typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf);
+typedef int (*orig_lstat_t)(const char *pathname, struct stat *statbuf);
 static orig_lstat_t orig_lstat = NULL;
-int lstat(const char *pathname, struct stat *buf) {
+int lstat(const char *pathname, struct stat *statbuf) {
         if (!orig_lstat)
                 orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
 
-        int rv = orig_lstat(pathname, buf);
-        printf("%u:%s:lstat %s:%d\n", pid(), name(), pathname, rv);
+        int rv = orig_lstat(pathname, statbuf);
+        tprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
 #ifdef __GLIBC__
-typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf);
+typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf);
 static orig_lstat64_t orig_lstat64 = NULL;
-int lstat64(const char *pathname, struct stat64 *buf) {
+int lstat64(const char *pathname, struct stat64 *statbuf) {
         if (!orig_lstat64)
                 orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
 
-        int rv = orig_lstat64(pathname, buf);
-        printf("%u:%s:lstat64 %s:%d\n", pid(), name(), pathname, rv);
+        int rv = orig_lstat64(pathname, statbuf);
+        tprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 #endif /* __GLIBC__ */
@@ -465,19 +493,17 @@ DIR *opendir(const char *pathname) {
                 orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir");
 
         DIR *rv = orig_opendir(pathname);
-        printf("%u:%s:opendir %s:%p\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:opendir %s:%p\n", mypid, myname, pathname, rv);
         return rv;
 }
 
 // access
-typedef int (*orig_access_t)(const char *pathname, int mode);
-static orig_access_t orig_access = NULL;
 int access(const char *pathname, int mode) {
         if (!orig_access)
                 orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
 
         int rv = orig_access(pathname, mode);
-        printf("%u:%s:access %s:%d\n", pid(), name(), pathname, rv);
+        tprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv);
         return rv;
 }
 
@@ -498,14 +524,14 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
 // socket
 typedef int (*orig_socket_t)(int domain, int type, int protocol);
 static orig_socket_t orig_socket = NULL;
-static char buf[1024];
+static char socketbuf[1024];
 int socket(int domain, int type, int protocol) {
         if (!orig_socket)
                 orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket");
 
         int rv = orig_socket(domain, type, protocol);
-        char *ptr = buf;
-        ptr += sprintf(ptr, "%u:%s:socket ", pid(), name());
+        char *ptr = socketbuf;
+        ptr += sprintf(ptr, "%u:%s:socket ", mypid, myname);
         char *str = translate(socket_domain, domain);
         if (str == NULL)
                 ptr += sprintf(ptr, "%d ", domain);
@@ -535,7 +561,7 @@ int socket(int domain, int type, int protocol) {
                         sprintf(ptr, "%s", str);
         }
 
-        printf("%s:%d\n", buf, rv);
+        tprintf(ftty, "%s:%d\n", socketbuf, rv);
         return rv;
 }
 
@@ -573,7 +599,7 @@ int system(const char *command) {
                 orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system");
 
         int rv = orig_system(command);
-        printf("%u:%s:system %s:%d\n", pid(), name(), command, rv);
+        tprintf(ftty, "%u:%s:system %s:%d\n", mypid, myname, command, rv);
 
         return rv;
 }
@@ -585,7 +611,7 @@ int setuid(uid_t uid) {
                 orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid");
 
         int rv = orig_setuid(uid);
-        printf("%u:%s:setuid %d:%d\n", pid(), name(), uid, rv);
+        tprintf(ftty, "%u:%s:setuid %d:%d\n", mypid, myname, uid, rv);
 
         return rv;
 }
@@ -597,7 +623,7 @@ int setgid(gid_t gid) {
                 orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid");
 
         int rv = orig_setgid(gid);
-        printf("%u:%s:setgid %d:%d\n", pid(), name(), gid, rv);
+        tprintf(ftty, "%u:%s:setgid %d:%d\n", mypid, myname, gid, rv);
 
         return rv;
 }
@@ -609,7 +635,7 @@ int setfsuid(uid_t uid) {
                 orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid");
 
         int rv = orig_setfsuid(uid);
-        printf("%u:%s:setfsuid %d:%d\n", pid(), name(), uid, rv);
+        tprintf(ftty, "%u:%s:setfsuid %d:%d\n", mypid, myname, uid, rv);
 
         return rv;
 }
@@ -621,7 +647,7 @@ int setfsgid(gid_t gid) {
                 orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid");
 
         int rv = orig_setfsgid(gid);
-        printf("%u:%s:setfsgid %d:%d\n", pid(), name(), gid, rv);
+        tprintf(ftty, "%u:%s:setfsgid %d:%d\n", mypid, myname, gid, rv);
 
         return rv;
 }
@@ -633,7 +659,7 @@ int setreuid(uid_t ruid, uid_t euid) {
                 orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid");
 
         int rv = orig_setreuid(ruid, euid);
-        printf("%u:%s:setreuid %d %d:%d\n", pid(), name(), ruid, euid, rv);
+        tprintf(ftty, "%u:%s:setreuid %d %d:%d\n", mypid, myname, ruid, euid, rv);
 
         return rv;
 }
@@ -645,7 +671,7 @@ int setregid(gid_t rgid, gid_t egid) {
                 orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid");
 
         int rv = orig_setregid(rgid, egid);
-        printf("%u:%s:setregid %d %d:%d\n", pid(), name(), rgid, egid, rv);
+        tprintf(ftty, "%u:%s:setregid %d %d:%d\n", mypid, myname, rgid, egid, rv);
 
         return rv;
 }
@@ -657,7 +683,7 @@ int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
                 orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid");
 
         int rv = orig_setresuid(ruid, euid, suid);
-        printf("%u:%s:setresuid %d %d %d:%d\n", pid(), name(), ruid, euid, suid, rv);
+        tprintf(ftty, "%u:%s:setresuid %d %d %d:%d\n", mypid, myname, ruid, euid, suid, rv);
 
         return rv;
 }
@@ -669,7 +695,7 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
                 orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid");
 
         int rv = orig_setresgid(rgid, egid, sgid);
-        printf("%u:%s:setresgid %d %d %d:%d\n", pid(), name(), rgid, egid, sgid, rv);
+        tprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv);
 
         return rv;
 }
@@ -678,10 +704,12 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
 // it can be used to build things like private-bin
 __attribute__((constructor))
 static void log_exec(int argc, char** argv) {
+        (void) argc;
+        (void) argv;
         static char buf[PATH_MAX + 1];
         int rv = readlink("/proc/self/exe", buf, PATH_MAX);
         if (rv != -1) {
                 buf[rv] = '\0'; // readlink does not add a '\0' at the end
-                printf("%u:%s:exec %s:0\n", pid(), name(), buf);
+                tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
         }
 }
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index 3927c762a..aea1b11f2 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -4,23 +4,25 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 
-H_FILE_LIST       = $(sort $(wildcard *.[h]))
+H_FILE_LIST       = $(sort $(wildcard *.h))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
+.PHONY: all
 all: libtracelog.so
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/rundefs.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 libtracelog.so: $(OBJS)
         $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl
 
+.PHONY: clean
+clean:; rm -fr $(OBJS) libtracelog.so *.plist
 
-clean:; rm -f $(OBJS) libtracelog.so
-
+.PHONY: distclean
 distclean: clean
         rm -fr Makefile
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index dc68b0620..b946cc889 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -32,6 +32,7 @@
 #include <syslog.h>
 #include <dirent.h>
 #include <limits.h>
+#include "../include/rundefs.h"
 
 //#define DEBUG
 
@@ -64,9 +65,6 @@ static inline uint32_t hash(const char *str) {
 }
 
 static void storage_add(const char *str) {
-#ifdef DEBUG
-        printf("add %s\n", str);
-#endif
         if (!str) {
 #ifdef DEBUG
                 printf("null pointer passed to storage_add\n");
@@ -74,6 +72,10 @@ static void storage_add(const char *str) {
                 return;
         }
 
+#ifdef DEBUG
+        printf("add %s\n", str);
+#endif
+
         ListElem *ptr = malloc(sizeof(ListElem));
         if (!ptr) {
                 fprintf(stderr, "Error: cannot allocate memory\n");
@@ -96,15 +98,17 @@ static void storage_add(const char *str) {
 static char* cwd = NULL;
 
 static char *storage_find(const char *str) {
-#ifdef DEBUG
-        printf("storage find %s\n", str);
-#endif
         if (!str) {
 #ifdef DEBUG
                 printf("null pointer passed to storage_find\n");
 #endif
                 return NULL;
         }
+
+#ifdef DEBUG
+        printf("storage find %s\n", str);
+#endif
+
         const char *tofind = str;
         int allocated = 0;
 
@@ -160,7 +164,6 @@ static char *storage_find(const char *str) {
 //
 // load blacklist form /run/firejail/mnt/fslogger
 //
-#define RUN_FSLOGGER_FILE               "/run/firejail/mnt/fslogger"
 #define MAXBUF 4096
 static int blacklist_loaded = 0;
 static char *sandbox_pid_str = NULL;
@@ -178,7 +181,9 @@ static void load_blacklist(void) {
 
         // extract blacklists
         char buf[MAXBUF];
+#ifdef DEBUG
         int cnt = 0;
+#endif
         while (fgets(buf, MAXBUF, fp)) {
                 if (strncmp(buf, "sandbox pid: ", 13) == 0) {
                         char *ptr = strchr(buf, '\n');
@@ -199,7 +204,9 @@ static void load_blacklist(void) {
                         if (ptr)
                                 *ptr = '\0';
                         storage_add(buf + 10);
+#ifdef DEBUG
                         cnt++;
+#endif
                 }
         }
         fclose(fp);
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
new file mode 100644
index 000000000..fbd2d795e
--- /dev/null
+++ b/src/man/Makefile.in
@@ -0,0 +1,14 @@
+.PHONY: all
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
+
+include ../common.mk
+
+%.man: %.txt
+        gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
+
+.PHONY: clean
+clean:; rm -fr *.man
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index f99704579..7e0a57f92 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -30,9 +30,41 @@ installing new programs. If the program is supported by Firejail, the symbolic l
 will be created. For a full list of programs supported by default run "cat /usr/lib/firejail/firecfg.config".
 
 For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+.SH DEFAULT ACTIONS
+The following actions are implemented by default by running sudo firecfg:
+
+.RS
+- set or update the symbolic links for desktop integration;
+.br
+
+.br
+- add the current user to Firejail user access database (firecfg --add-users);
+.br
+
+.br
+- fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
+.br
+#ifdef HAVE_APPARMOR
+.br
+- automatically loads and forces the AppArmor profile "firejail-default".
+#endif
+.RE
 
 .SH OPTIONS
 .TP
+\fB\-\-add-users user [user]
+Add the list of users to Firejail user access database.
+
+Example:
+.br
+$ sudo firecfg --add-users dustin lucas mike eleven
+
+.TP
+\fB\-\-bindir=directory
+Create and search symbolic links in directory instead of the default location /usr/local/bin.
+Directory should precede /usr/bin and /bin in the PATH environment variable.
+
+.TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 
@@ -96,9 +128,11 @@ $ sudo firecfg --clean
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
-Homepage: http://firejail.wordpress.com
+Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailcheck (1)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index cb192b450..05afd55b5 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -1,9 +1,9 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
 
 .SH DESCRIPTION
-/etc/firejail/login.users file describes additional arguments passed to firejail executable
+/etc/firejail/login.users file describes additional arguments passed to the firejail executable
 upon user logging into a Firejail restricted shell. Each user entry in the file consists of
 a user name followed by the arguments passed to firejail. The format is as follows:
 
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo
 
 Example:
 
-        netblue:--net=none --protocol=unix
+        netblue: --net=none --protocol=unix
 
 Wildcard patterns are accepted in the user name field:
 
@@ -19,8 +19,8 @@ Wildcard patterns are accepted in the user name field:
 
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  using adduser or usermod commands:
+the /etc/passwd file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail using the `adduser` or `usermod` commands:
 
 adduser \-\-shell /usr/bin/firejail username
 .br
@@ -32,9 +32,11 @@ usermod \-\-shell /usr/bin/firejail username
 .SH LICENSE
 Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
-Homepage: http://firejail.wordpress.com
+Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-users (5),
+.BR jailcheck (1)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 14485d5c1..a768829a1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,16 +1,84 @@
 .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
-profile \- Security profile file syntax for Firejail
+profile \- Security profile file syntax, and information about building new application profiles.
 
-.SH USAGE
+.SH SYNOPSIS
+
+Using a specific profile:
+.PP
+.RS
+.TP
+\fBfirejail \-\-profile=filename.profile
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage
+.br
+
+.br
 .TP
-firejail \-\-profile=filename.profile
+\fBfirejail \-\-profile=profile_name
+.br
+
+.br
+Example:
+.br
+$ firejail --profile=kdenlive --appimage kdenlive.appimage
+.br
+
+.br
+.RE
+.PP
+
+
+
+Building a profile manually:
+.PP
+.RS
+Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor.
+To integrate the program in your desktop environment copy the profile file in ~/.config/firejail
+directory and run "sudo firecfg".
+.RE
+.PP
+
+Aliases and redirections:
+.PP
+.RS
+In some cases the same profile can be used for several applications.
+One such example is LibreOffice.
+Build a regular profile for the main application, and for the rest use
+/usr/share/doc/firejail/redirect_alias-profile.template.
+.RE
+.PP
+
+Running the profile builder:
+.PP
+.RS
+.TP
+\fBfirejail \-\-build=appname.profile appname
+.br
+
+.br
+Example:
+.br
+$ firejail --build=blobby.profile blobby
+.br
+
+.br
+Run the program in "firejail \-\-build" and try to exercise as many program features as possible.
+The profile is extracted and saved in the current directory. Open it in a text editor and add or remove
+sandboxing options as necessary. Test again after modifying the profile. To integrate the program
+in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg".
+.RE
+.PP
 
 .SH DESCRIPTION
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -21,6 +89,15 @@ Reading profile /home/netblue/icecat.profile
 [...]
 .RE
 
+.PP
+.RS
+$ firejail --profile=icecat icecat-wrapper.sh
+.br
+Reading profile /etc/firejail/icecat.profile
+.br
+[...]
+.RE
+
 \fB2.\fR If a profile file with the same name as the application is present in ~/.config/firejail directory or
 in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
 .PP
@@ -63,6 +140,15 @@ Child process initialized
 [...]
 .RE
 
+.SH Templates
+In /usr/share/doc/firejail there are two templates to write new profiles.
+.RS
+profile.template - for regular profiles
+.br
+redirect_alias-profile.template - for aliasing/redirecting profiles
+.RE
+
+
 .SH Scripting
 Scripting commands:
 
@@ -74,6 +160,24 @@ Example: "blacklist ~/My Virtual Machines"
 
 .TP
 \fB# this is a comment
+Example:
+
+# disable networking
+.br
+net none # this command creates an empty network namespace
+
+.TP
+\fB?CONDITIONAL: profile line
+Conditionally add profile line.
+
+Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
+
+This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
+
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+can be enabled or disabled globally in Firejail's configuration file.
+
+The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
 
 .TP
 \fBinclude other.profile
@@ -90,6 +194,10 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1"
 
 Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file.
 
+The file name may also be just the name without the leading directory components.  In this case, first the user config directory (${HOME}/.config/firejail) is searched for the file name and if not found then the system configuration directory is search for the file name.  Note: Unlike the \-\-profile option which takes a profile name without the '.profile' suffix, include must be given the full file name.
+
+Example: "include firefox.profile" will load "${HOME}/.config/firejail/firefox.profile" file and if it does not exist "${CFG}/firefox.profile" will be loaded.
+
 System configuration files in ${CFG} are overwritten during software installation.
 Persistent configuration at system level is handled in ".local" files. For every
 profile file in ${CFG} directory, the user can create a corresponding .local file
@@ -113,7 +221,10 @@ Example: "nowhitelist ~/.config"
 Ignore command.
 
 Example: "ignore seccomp"
-
+#ifdef HAVE_NETWORK
+.br
+Example: "ignore net eth0"
+#endif
 .TP
 \fBquiet
 Disable Firejail's output. This should be the first uncommented command in the profile file.
@@ -122,12 +233,13 @@ Example: "quiet"
 
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
-host filesystem. Each line describes a file element that is removed from
-the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
+host filesystem. Each line describes a file/directory that is inaccessible
+(\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
-or mount-bind a directory  or file on top of another directory or file (\fBbind\fR).
-Use \fBprivate\fR to set private mode.
-File globbing is supported, and PATH and HOME directories are searched.
+or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
+Use \fBprivate\fR to set private mode.  File globbing is supported, and PATH and
+HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section
+for more details.
 Examples:
 .TP
 \fBblacklist file_or_directory
@@ -164,8 +276,18 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
+\fBkeep-dev-shm
+/dev/shm directory is untouched (even with private-dev).
+.TP
+\fBkeep-var-tmp
+/var/tmp directory is untouched.
+.TP
 \fBmkdir directory
-Create a directory in user home or under /tmp before the sandbox is started.
+Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started.
 The directory is created if it doesn't already exist.
 .br
 
@@ -184,13 +306,22 @@ whitelist ~/.mozilla
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
+.br
+
+.br
+For files in /run/user/<PID> use ${RUNUSER} macro:
+.br
+
+.br
+mkdir ${RUNUSER}/firejail-testing
 .TP
 \fBmkfile file
-Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started.
-The file is created if it doesn't already exist.
+Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID>
+before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
+#ifdef HAVE_OVERLAYFS
 .TP
 \fBoverlay
 Mount  a  filesystem  overlay  on top of the current filesystem.
@@ -203,6 +334,7 @@ The overlay is stored in $HOME/.firejail/name  directory.
 \fBoverlay-tmpfs
 Mount  a  filesystem  overlay  on top of the current filesystem.
 All filesystem  modifications are discarded when the sandbox is closed.
+#endif
 .TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
@@ -212,36 +344,70 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
-\fBprivate-home file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
-.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
+The files in the list must be expressed as relative to the /bin,
+/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
+\fBprivate-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
+.TP
+\fBprivate-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.TP
+\fBprivate-cwd directory
+Set working directory inside the jail.
+.TP
 \fBprivate-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,
+random, snd, urandom, video, log, shm and usb devices are available.
+Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions.
+
 .TP
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /etc directory, and must not contain the / character
+(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
+#ifdef HAVE_PRIVATE_HOME
+.TP
+\fBprivate-home file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home.
+The files and directories in the list must be expressed as relative to
+the current user's home directory.
+All modifications are discarded when the sandbox is
+closed.
+#endif
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
-This feature is still under development, see man 1 firejail for some examples.
+The files and directories in the list must be expressed as relative to
+the /lib directory.
+This feature is still under development, see \fBman 1 firejail\fR for some examples.
 .TP
 \fBprivate-opt file,directory
-Build a new /optin a temporary
+Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-srv file,directory
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /srv directory, and must not contain the / character
+(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
+expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
@@ -254,7 +420,7 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
@@ -262,8 +428,9 @@ Blacklist violations logged to syslog.
 \fBwhitelist file_or_directory
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
@@ -287,56 +454,81 @@ directory, and a skeleton filesystem is created based on the original /var/log.
 The following security filters are currently implemented:
 
 .TP
+\fBallow-debuggers
+Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
+#ifdef HAVE_APPARMOR
+.TP
 \fBapparmor
 Enable AppArmor confinement.
+#endif
 .TP
 \fBcaps
 Enable default Linux capabilities filter.
 .TP
-\fBcaps.drop all
-Blacklist all Linux capabilities.
-.TP
 \fBcaps.drop capability,capability,capability
 Blacklist given Linux capabilities.
 .TP
+\fBcaps.drop all
+Blacklist all Linux capabilities.
+.TP
 \fBcaps.keep capability,capability,capability
 Whitelist given Linux capabilities.
 .TP
+\fBmemory-deny-write-execute
+Install a seccomp filter to block attempts to create memory mappings
+that are both writable and executable, to change mappings to be
+executable or to create executable shared memory.
+.TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege.
+#ifdef HAVE_USERNS
+.TP
+\fBnoroot
+Use this command  to enable an user namespace. The namespace has only one user, the current user.
+There is no root account (uid 0) defined in the namespace.
+#endif
+.TP
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and  checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
+\fBseccomp.32
+Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
+.TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
 .TP
+\fBseccomp.32 syscall,syscall,syscall
+Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
+.TP
 \fBseccomp.block-secondary
 Enable seccomp filter and filter system call architectures
 so that only the native architecture is allowed.
 .TP
 \fBseccomp.drop syscall,syscall,syscall
-Enable seccomp filter and blacklist  the system calls in the list.
+Enable seccomp filter and blacklist the system calls in the list.
+.TP
+\fBseccomp.32.drop syscall,syscall,syscall
+Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
-\fBmemory-deny-write-execute
-Install a seccomp filter to block attempts to create memory mappings
-that are both writable and executable, to change mappings to be
-executable or to create executable shared memory.
-.TP
-\fBnonewprivs
-Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
-cannot acquire new privileges using execve(2);  in particular,
-this means that calling a suid binary (or one with file capabilities)
-does not result in an increase of privilege.
+\fBseccomp.32.keep syscall,syscall,syscall
+Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
-\fBnoroot
-Use this command  to enable an user namespace. The namespace has only one user, the current user.
-There is no root account (uid 0) defined in the namespace.
+\fBseccomp-error-action kill | log | ERRNO
+Return a different error instead of EPERM to the process, kill it when
+an attempt is made to call a blocked system call, or allow but log the
+attempt.
+#ifdef HAVE_X11
 .TP
 \fBx11
 Enable X11 sandboxing.
@@ -370,9 +562,103 @@ Example:
 xephyr-screen 640x480
 .br
 x11 xephyr
+#endif
+#ifdef HAVE_DBUSPROXY
+.SH DBus filtering
 
+Access to the session and system DBus UNIX sockets can be allowed, filtered or
+disabled. To disable the abstract sockets (and force applications to use the
+filtered UNIX socket) you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from the \-\-protocol set.
+.br
 
+.br
+Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be
+specified for well-known DBus names, but they are also propagated to the owning
+unique name, too. The permissions are "sticky" and are kept even if the
+corresponding well-known name is released (however, applications rarely release
+well-known names in practice). Names may have a .* suffix to match all names
+underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar",
+"foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information,
+see xdg-dbus-proxy(1).
+.br
 
+.br
+Examples:
+
+.TP
+\fBdbus-system filter
+Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands.
+.TP
+\fBdbus-system none
+Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-system.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
+.TP
+\fBdbus-system.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.see org.freedesktop.Notifications
+Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-user filter
+Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
+.TP
+\fBdbus-user none
+Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-user.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
+.TP
+\fBdbus-user.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.see org.freedesktop.Notifications
+Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBnodbus \fR(deprecated)
+Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
+.TP
+.br
+
+.br
+Individual filters can be overridden via the \-\-ignore command. Supposing a profile has
+.br
+[...]
+.br
+dbus-user filter
+.br
+dbus-user.own org.mozilla.firefox.*
+.br
+dbus-user.talk org.freedesktop.Notifications
+.br
+dbus-system none
+.br
+[...]
+.br
+
+.br
+and the user wants to disable notifications, this can be achieved by putting the below in a local override file:
+.br
+[...]
+.br
+ignore dbus-user.talk org.freedesktop.Notifications
+.br
+[...]
+#endif
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
 The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
@@ -382,6 +668,21 @@ place the sandbox in an existing control group.
 Examples:
 
 .TP
+\fBcgroup /sys/fs/cgroup/g1/tasks
+The sandbox is placed in g1 control group.
+.TP
+\fBcpu 0,1,2
+Use only CPU cores 0, 1 and 2.
+.TP
+\fBnice -5
+Set a nice value of -5 to all processes running inside the sandbox.
+.TP
+\fBrlimit-as 123456789012
+Set the maximum size of the process's virtual memory to 123456789012 bytes.
+.TP
+\fBrlimit-cpu 123
+Set the maximum CPU time in seconds.
+.TP
 \fBrlimit-fsize 1024
 Set the maximum file size that can be created by a process to 1024 bytes.
 .TP
@@ -394,14 +695,8 @@ Set the maximum number of files that can be opened by a process to 500.
 \fBrlimit-sigpending 200
 Set the maximum number of processes that can be created for the real user ID of the calling process to 200.
 .TP
-\fBcpu 0,1,2
-Use only CPU cores 0, 1 and 2.
-.TP
-\fBnice -5
-Set a nice value of -5 to all processes running inside the sandbox.
-.TP
-\fBcgroup /sys/fs/cgroup/g1/tasks
-The sandbox is placed in g1 control group.
+\fBtimeout hh:mm:ss
+Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
 
 .SH User Environment
 .TP
@@ -409,14 +704,6 @@ The sandbox is placed in g1 control group.
 All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
 
 .TP
-\fBname sandboxname
-Set sandbox name. Example:
-.br
-
-.br
-name browser
-
-.TP
 \fBenv name=value
 Set environment variable. Examples:
 .br
@@ -427,17 +714,31 @@ env LD_LIBRARY_PATH=/opt/test/lib
 env CFLAGS="-W -Wall -Werror"
 
 .TP
+\fBipc-namespace
+Enable IPC namespace.
+.TP
+\fBname sandboxname
+Set sandbox name. Example:
+.br
+
+.br
+name browser
+
+.TP
+\fBno3d
+Disable 3D hardware acceleration.
+.TP
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
+.TP
 \fBnodvd
 Disable DVD and audio CD devices.
 .TP
 \fBnogroups
 Disable supplementary user groups
 .TP
-\fBshell none
-Run the program directly, without a shell.
-.TP
-\fBipc-namespace
-Enable IPC namespace.
+\fBnoinput
+Disable input devices.
 .TP
 \fBnosound
 Disable sound system.
@@ -445,12 +746,20 @@ Disable sound system.
 \fBnotv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .TP
+\fBnou2f
+Disable U2F devices.
+.TP
 \fBnovideo
-Disable video devices.
+Disable video capture devices.
 .TP
-\fBno3d
-Disable 3D hardware acceleration.
+\fBmachine-id
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
+.TP
+\fBshell none
+Run the program directly, without a shell.
 
+
+#ifdef HAVE_NETWORK
 .SH Networking
 Networking features available in profile files.
 
@@ -498,6 +807,33 @@ net eth0
 ip none
 
 .TP
+\fBip dhcp
+Acquire an IP address and default gateway for the last interface defined by a
+net command, as well as set the DNS servers according to the DHCP response.
+This command requires the ISC dhclient DHCP client to be installed and will start
+it automatically inside the sandbox.
+.br
+
+.br
+Example:
+.br
+net br0
+.br
+ip dhcp
+.br
+
+.br
+This command should not be used in conjunction with the dns command if the
+DHCP server is set to configure DNS servers for the clients, because the
+manually specified DNS servers will be overwritten.
+
+.br
+The DHCP client will NOT release the DHCP lease when the sandbox terminates.
+If your DHCP server requires leases to be explicitly released, consider running
+a DHCP client and releasing the lease manually in conjunction with the
+net none command.
+
+.TP
 \fBip6 address
 Assign IPv6 addresses to the last network interface defined by a net command.
 .br
@@ -510,6 +846,32 @@ net eth0
 ip6 2001:0db8:0:f101::1/64
 
 .TP
+\fBip6 dhcp
+Acquire an IPv6 address and default gateway for the last interface defined by a
+net command, as well as set the DNS servers according to the DHCP response.
+This command requires the ISC dhclient DHCP client to be installed and will start
+it automatically inside the sandbox.
+.br
+
+.br
+Example:
+.br
+net br0
+.br
+ip6 dhcp
+.br
+
+.br
+This command should not be used in conjunction with the dns command if the
+DHCP server is set to configure DNS servers for the clients, because the
+manually specified DNS servers will be overwritten.
+
+.br
+The DHCP client will NOT release the DHCP lease when the sandbox terminates.
+If your DHCP server requires leases to be explicitly released, consider running
+a DHCP client and releasing the lease manually.
+
+.TP
 \fBiprange address,address
 Assign  an  IP address in the provided range to the last network
 interface defined by  a  net command.  A  default  gateway  is assigned by default.
@@ -530,23 +892,9 @@ iprange 192.168.1.150,192.168.1.160
 Assign MAC addresses to the last network interface defined by a net command.
 
 .TP
-\fBmachine-id
-Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
-
-.TP
 \fBmtu number
 Assign a MTU value to the last network interface defined by a net command.
 
-
-
-.TP
-\fBnetfilter
-If a new network namespace is created, enabled default network filter.
-
-.TP
-\fBnetfilter filename
-If a new network namespace is created, enabled the network filter in filename.
-
 .TP
 \fBnet bridge_interface
 Enable a new network namespace and connect it to this bridge interface.
@@ -556,16 +904,15 @@ configured as default gateway is the bridge device IP address. Up to four \-\-ne
 bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
 
 .TP
-\fBnet ethernet_interface
+\fBnet ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan
+to this ethernet interface using the standard Linux macvlan or ipvlan
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an
 IP address and a default gateway will be assigned automatically
 to the sandbox. The IP address is verified using ARP before
 assignment. The address configured as default gateway is the
 default gateway of the host. Up to four \-\-net devices can
 be defined. Mixing bridge and macvlan devices is allowed.
-Note: wlan devices are not supported for this option.
 
 .TP
 \fBnet none
@@ -575,56 +922,76 @@ Use this option to deny network access to programs that don't
 really need network access.
 
 .TP
+\fBnet tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver.  If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use ip, netmask and defaultgw to specify the configuration.
+
+.TP
+\fBnetfilter
+If a new network namespace is created, enabled default network filter.
+
+.TP
+\fBnetfilter filename
+If a new network namespace is created, enabled the network filter in filename.
+
+
+.TP
+\fBnetmask address
+Use this option when you want to assign an IP address in a new namespace and
+the parent interface specified by --net is not configured. An IP address and
+a default gateway address also have to be added.
+
+.TP
+\fBnetns namespace
+Run the program in a named, persistent network namespace. These can
+be created and configured using "ip netns".
+
+.TP
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
-
+#endif
 .SH Other
 .TP
+\fBdeterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+
+.TP
 \fBjoin-or-start sandboxname
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
-.SH RELOCATING PROFILES
-For various reasons some users might want to keep the profile files in a different directory.
-Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
-into this directory.
-
-This is an example of relocating the profile files into a new
-directory, /home/netblue/myprofiles. Start by creating the new directory and copy all
-the profile files in:
-.br
-
-.br
-$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .
-.br
-
-.br
-Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands:
-.br
-
-.br
-$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile
-.br
-$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc
-.br
+.SH FILES
+.TP
+\fB/etc/firejail/appname.profile
+Global Firejail configuration consisting mainly of profiles for each application supported by default.
 
-.br
-Start Firejail using the new path:
-.br
+.TP
+\fB$HOME/.config/firejail/appname.profile
+User application profiles, will take precedence over the global profiles.
 
-.br
-$ firejail --profile-path=~/myprofiles
+.TP
+\fB/usr/share/doc/firejail/profile.template
+Template for building new profiles.
 
-.SH FILES
-/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
+.TP
+\fB/usr/share/doc/firejail/redirect_alias-profile.template
+Template for aliasing/redirecting profiles.
 
 .SH LICENSE
 Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
-Homepage: http://firejail.wordpress.com
+Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailcheck (1)
+
+.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
+.UE
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
new file mode 100644
index 000000000..e3cce7ed5
--- /dev/null
+++ b/src/man/firejail-users.txt
@@ -0,0 +1,62 @@
+.TH FIREJAIL-USERS 5 "MONTH YEAR" "VERSION" "firejail.users man page"
+.SH NAME
+firejail.users \- Firejail user access database
+
+.SH DESCRIPTION
+/etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
+root user is allowed by default, user nobody is never allowed.
+
+If the user is not allowed to start the sandbox, Firejail will attempt to run the
+program without sandboxing it.
+
+If the file is not present in the system, all users are allowed to use the sandbox.
+
+Example:
+
+        $ cat /etc/firejail/firejail.users
+.br
+        dustin
+.br
+        lucas
+.br
+        mike
+.br
+        eleven
+
+Use a text editor to add or remove users from the list. You can also use firecfg \-\-add-users
+command. Example:
+
+        $ sudo firecfg --add-users dustin lucas mike eleven
+
+By default, running firecfg creates the file and adds the current user to the list. Example:
+
+        $ sudo firecfg
+
+See \fBman 1 firecfg\fR for details.
+
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+
+        # addgroup --system firejail
+.br
+        # chown root:firejail /usr/bin/firejail
+.br
+        # chmod 4750 /usr/bin/firejail
+
+
+.SH FILES
+/etc/firejail/firejail.users
+
+.SH LICENSE
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR jailcheck (1)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 17ddd5c88..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -8,18 +8,28 @@ Start a sandbox:
 firejail [OPTIONS] [program and arguments]
 .RE
 .PP
+Start an AppImage program:
+.PP
+.RS
+firejail [OPTIONS] --appimage [appimage-file and arguments]
+.RE
+.PP
+#ifdef HAVE_FILE_TRANSFER
 File transfer from an existing sandbox
 .PP
 .RS
-firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
+firejail {\-\-ls | \-\-get | \-\-put | \-\-cat} dir_or_filename
 .RE
 .PP
+#endif
+#ifdef HAVE_NETWORK
 Network traffic shaping for an existing sandbox:
 .PP
 .RS
 firejail \-\-bandwidth={name|pid} bandwidth-command
 .RE
 .PP
+#endif
 Monitoring:
 .PP
 .RS
@@ -29,9 +39,18 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree}
 Miscellaneous:
 .PP
 .RS
-firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version}
+firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
+#ifdef HAVE_LTS
+This is Firejail long-term support (LTS), an enterprise focused version of the software,
+LTS is usually supported for two or three years.
+During this time  only bugs and the occasional documentation problems are fixed.
+The attack surface of the SUID executable was greatly reduced by removing some of the features.
+.br
+
+.br
+#endif
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
 restricting the running environment of untrusted applications using Linux
 namespaces, seccomp-bpf and Linux capabilities.
@@ -48,6 +67,10 @@ Firejail allows the user to manage application security using security profiles.
 Each profile defines a set of permissions for a specific application or group
 of applications. The software includes security profiles for a number of more common
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+.PP
+Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
+are not supported. Snap and flatpak packages have their own native management tools and will
+not work when sandboxed with Firejail.
 
 .SH USAGE
 Without any options, the sandbox consists of a filesystem build in a new mount namespace,
@@ -56,15 +79,16 @@ command line options. The default Firejail filesystem is based on the host files
 system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32,
 /libx32 and /lib64. Only /home and /tmp are writable.
 .PP
-As it starts up, Firejail tries to find a security profile based on the name of the application.
+Upon execution Firejail first looks in ~/.config/firejail/ for a profile and if it doesn't find one, it looks in /etc/firejail/.
+For profile resolution detail see https://github.com/netblue30/firejail/wiki/Creating-Profiles#locations-and-types.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts /bin/bash shell.
+If a program argument is not specified, Firejail starts the user's preferred shell.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting a /bin/bash shell
+$ firejail [OPTIONS]                # starting the program specified in $SHELL, usually /bin/bash
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -87,15 +111,6 @@ Example:
 .br
 $ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
-\fB\-\-allow-private-blacklist
-Allow blacklisting files in private home directory. By default these blacklists are disabled.
-.br
-
-.br
-Example:
-.br
-$ firejail  --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
-.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br
@@ -104,31 +119,46 @@ All directories under /home are visible inside the sandbox. By default, only cur
 Example:
 .br
 $ firejail --allusers
+#ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
 Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
 .TP
-\fB\-\-appimage
-Sandbox an AppImage (http://appimage.org/) application.
+\fB\-\-apparmor.print=name|pid
+Print the AppArmor confinement status for the sandbox identified by name or by PID.
 .br
 
 .br
 Example:
 .br
-$ firejail --appimage krita-3.0-x86_64.appimage
+$ firejail \-\-apparmor.print=browser
 .br
-$ firejail --appimage --private krita-3.0-x86_64.appimage
+5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
 .br
-$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
-.TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
+  AppArmor: firejail-default enforce
+#endif
 .TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
+\fB\-\-appimage
+Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started
+as a regular user, nonewprivs and a default capabilities filter are enabled.
+private-bin and private-lib are disabled by default when running appimages.
+.br
+
+.br
+Example:
+.br
+$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage
+.br
+#ifdef HAVE_X11
+$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
+#endif
 .TP
+#ifdef HAVE_NETWORK
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
+#endif
 .TP
 \fB\-\-bind=filename1,filename2
 Mount-bind filename1 on top of filename2. This option is only available when running as root.
@@ -140,7 +170,7 @@ Example:
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
 \fB\-\-blacklist=dirname_or_filename
-Blacklist directory or file.
+Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -155,7 +185,7 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
 \fB\-\-build
-The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also
+The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
 builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
 with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
 in order to allow strace to run. Chromium and Chromium-based browsers will not work.
@@ -166,8 +196,22 @@ Example:
 .br
 $ firejail --build vlc ~/Videos/test.mp4
 .TP
+\fB\-\-build=profile-file
+The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
+builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
+in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+.br
+
+.br
+Example:
+.br
+$ firejail --build=vlc.profile vlc ~/Videos/test.mp4
+.TP
 \fB\-c
-Execute command and exit.
+Login shell compatibility option. This option is use by some login programs when executing
+the login shell, such as when firejail is used as a restricted login shell. It currently does
+not change the execution of firejail.
 .TP
 \fB\-\-caps
 Linux capabilities is a kernel feature designed to split up the root privilege into a set of distinct privileges.
@@ -236,10 +280,15 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-caps.print=3272
 
+#ifdef HAVE_FILE_TRANSFER
+.TP
+\fB\-\-cat=name|pid filename
+Print content of file from sandbox container, see FILE TRANSFER section for more details.
+#endif
 .TP
 \fB\-\-cgroup=tasks-file
 Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
@@ -249,20 +298,19 @@ Place the sandbox in the specified control group. tasks-file is the full path of
 Example:
 .br
 # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks
-
+#ifdef HAVE_CHROOT
 .TP
 \fB\-\-chroot=dirname
 Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
 the system directories are mounted read-write. If the sandbox is started as a
-regular user, default seccomp and capabilities filters are enabled. This
-option is not available on Grsecurity systems.
+regular user, nonewprivs and a default capabilities filter are enabled.
 .br
 
 .br
 Example:
 .br
 $ firejail \-\-chroot=/media/ubuntu warzone2100
-
+#endif
 .TP
 \fB\-\-cpu=cpu-number,cpu-number,cpu-number
 Set CPU affinity.
@@ -291,19 +339,280 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-cpu.print=3272
+#ifdef HAVE_DBUSPROXY
+.TP
+\fB\-\-dbus-log=file
+Specify the location for the DBus log file.
+.br
+
+.br
+The log file contains events for both the system and session buses if both of
+the --dbus-system.log and --dbus-user.log options are specified. If no log file
+path is given, logs are written to the standard output instead.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.log \\
+.br
+--dbus-log=dbus.txt
+
+.TP
+\fB\-\-dbus-system=filter|none
+Set system DBus sandboxing policy.
+.br
+
+.br
+The \fBfilter\fR policy enables the system DBus filter. This option requires
+installing the xdg-dbus-proxy utility. Permissions for well-known can be
+specified with the --dbus-system.talk and --dbus-system.own options.
+.br
+
+.br
+The \fBnone\fR policy disables access to the system DBus.
+.br
+
+.br
+Only the regular system DBus UNIX socket is handled by this option. To disable
+the abstract sockets (and force applications to use the filtered UNIX socket)
+you would need to request a new network namespace using \-\-net command. Another
+option is to remove unix from the \-\-protocol set.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-dbus-system=none
 
 .TP
-\fB\-\-csh
-Use /bin/csh as default user shell.
+\fB\-\-dbus-system.broadcast=name=[member][@path]
+Allows the application to receive broadcast signals from theindicated interface
+member at the indicated object path exposed by the indicated bus name on the
+system DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-csh
+$ firejail --dbus-system=filter --dbus-system.broadcast=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-system.call=name=[member][@path]
+Allows the application to call the indicated interface member at the indicated
+object path exposed by the indicated bus name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.call=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-system.log
+Turn on DBus logging for the system DBus. This option requires --dbus-system=filter.
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.log
+
+.TP
+\fB\-\-dbus-system.own=name
+Allows the application to own the specified well-known name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.own=\\
+.br
+org.gnome.ghex.*
+
+.TP
+\fB\-\-dbus-system.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.see=\\
+.br
+org.freedesktop.Notifications
+
+.TP
+\fB\-\-dbus-system.talk=name
+Allows the application to talk to the specified well-known name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.talk=\\
+.br
+org.freedesktop.Notifications
+
+.TP
+\fB\-\-dbus-user=filter|none
+Set session DBus sandboxing policy.
+.br
+
+.br
+The \fBfilter\fR policy enables the session DBus filter. This option requires
+installing the xdg-dbus-proxy utility. Permissions for well-known names can be
+added with the --dbus-user.talk and --dbus-user.own options.
+.br
+
+.br
+The \fBnone\fR policy disables access to the session DBus.
+.br
+
+.br
+Only the regular session DBus UNIX socket is handled by this option. To disable
+the abstract sockets (and force applications to use the filtered UNIX socket)
+you would need to request a new network namespace using \-\-net command. Another
+option is to remove unix from the \-\-protocol set.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-dbus-user=none
+
+.TP
+\fB\-\-dbus-user.broadcast=name=[member][@path]
+Allows the application to receive broadcast signals from theindicated interface
+member at the indicated object path exposed by the indicated bus name on the
+session DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.broadcast=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-user.call=name=[member][@path]
+Allows the application to call the indicated interface member at the indicated
+object path exposed by the indicated bus name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.call=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-user.log
+Turn on DBus logging for the session DBus. This option requires --dbus-user=filter.
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.log
+
+.TP
+\fB\-\-dbus-user.own=name
+Allows the application to own the specified well-known name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
+
+.TP
+\fB\-\-dbus-user.talk=name
+Allows the application to talk to the specified well-known name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.talk=\\
+.br
+org.freedesktop.Notifications
+
+.TP
+\fB\-\-dbus-user.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.see=\\
+.br
+org.freedesktop.Notifications
+#endif
 .TP
 \fB\-\-debug\fR
 Print debug messages.
@@ -333,15 +642,6 @@ Print all recognized capabilities in the current Firejail software build and exi
 Example:
 .br
 $ firejail \-\-debug-caps
-.TP
-\fB\-\-debug-check-filename\fR
-Debug filename checking.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-debug-check-filename firefox
 
 .TP
 \fB\-\-debug-errnos
@@ -353,6 +653,9 @@ Example:
 .br
 $ firejail \-\-debug-errnos
 .TP
+\fB\-\-debug-private-lib
+Debug messages for --private-lib option.
+.TP
 \fB\-\-debug-protocols
 Print all recognized protocols in the current Firejail software build and exit.
 .br
@@ -371,6 +674,10 @@ Example:
 .br
 $ firejail \-\-debug-syscalls
 .TP
+\fB\-\-debug-syscalls32
+Print all recognized 32 bit system calls in the current Firejail software build and exit.
+.br
+.TP
 \fB\-\-debug-whitelists\fR
 Debug whitelisting.
 .br
@@ -379,7 +686,7 @@ Debug whitelisting.
 Example:
 .br
 $ firejail \-\-debug-whitelists firefox
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-defaultgw=address
 Use this address as default gateway in the new network namespace.
@@ -389,10 +696,14 @@ Use this address as default gateway in the new network namespace.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
-
+#endif
+.TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+.br
 .TP
 \fB\-\-disable-mnt
-Disable /mnt, /media, /run/mount and /run/media access.
+Blacklist /mnt, /media, /run/mount and /run/media access.
 .br
 
 .br
@@ -410,7 +721,10 @@ Use this option if you don't trust the DNS setup on your network.
 Example:
 .br
 $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
+.br
 
+.br
+Note: this feature is not supported on systemd-resolved setups.
 .TP
 \fB\-\-dns.print=name|pid
 Print DNS configuration for a sandbox identified by name or by PID.
@@ -429,7 +743,7 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-dns.print=3272
 
@@ -444,14 +758,7 @@ Example:
 $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
 
 .TP
-\fB\-\-force
-By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell.
-This option disables this behavior, and attempts to start Firejail in the existing sandbox.
-There could be lots of reasons for it to fail, for example if the existing sandbox disables
-admin capabilities, SUID binaries, or if it runs seccomp.
-
-.TP
-\fB\-\-fs.print=name|print
+\fB\-\-fs.print=name|pid
 Print the filesystem log for the sandbox identified by name or by PID.
 .br
 
@@ -468,47 +775,15 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-fs.print=3272
 
+#ifdef HAVE_FILE_TRANSFER
 .TP
 \fB\-\-get=name|pid filename
 Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
-
-
-.TP
-\fB\-\-git-install
-Download, compile and install mainline git version of Firejail from the official repository on GitHub.
-The software is installed in /usr/local/bin, and takes precedence over the (old) version
-installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it
-using \-\-git-uninstall command and revert to the old version.
-.br
-
-.br
-Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu
-systems this support is installed using "sudo apt-get install build-essential git".
-.br
-
-.br
-Example:
-.br
-
-.br
-$ firejail \-\-git-install
-
-.TP
-\fB\-\-git-uninstall
-Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command.
-.br
-
-.br
-Example:
-.br
-
-.br
-$ firejail \-\-git-uninstall
-
+#endif
 .TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
@@ -543,8 +818,23 @@ Ignore command in profile file.
 Example:
 .br
 $ firejail \-\-ignore=shell --ignore=seccomp firefox
+#ifdef HAVE_NETWORK
+.br
+$ firejail \-\-ignore="net eth0" firefox
+#endif
 
 .TP
+\fB\-\-\include=file.profile
+Include a profile file before the regular profiles are used.
+.br
+
+.br
+Example:
+.br
+$ firejail --include=/etc/firejail/disable-devel.inc gedit
+
+#ifdef HAVE_NETWORK
+.TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be specified.
 Note: wlan devices are not supported for this option.
@@ -584,6 +874,31 @@ If the corresponding interface doesn't have an IP address configured, this
 option is enabled by default.
 
 .TP
+\fB\-\-ip=dhcp
+Acquire an IP address and default gateway for the last interface defined by a
+\-\-net option, as well as set the DNS servers according to the DHCP response.
+This option requires the ISC dhclient DHCP client to be installed and will start
+it automatically inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=br0 \-\-ip=dhcp
+.br
+
+.br
+This option should not be used in conjunction with the \-\-dns option if the
+DHCP server is set to configure DNS servers for the clients, because the
+manually specified DNS servers will be overwritten.
+
+.br
+The DHCP client will NOT release the DHCP lease when the sandbox terminates.
+If your DHCP server requires leases to be explicitly released, consider running
+a DHCP client and releasing the lease manually in conjunction with the
+\-\-net=none option.
+
+.TP
 \fB\-\-ip6=address
 Assign IPv6 addresses to the last network interface defined by a \-\-net option.
 .br
@@ -596,6 +911,30 @@ $ firejail \-\-net=eth0 \-\-ip6=2001:0db8:0:f101::1/64 firefox
 Note: you don't need this option if you obtain your ip6 address from router via SLAAC (your ip6 address and default route will be configured by kernel automatically).
 
 .TP
+\fB\-\-ip6=dhcp
+Acquire an IPv6 address and default gateway for the last interface defined by a
+\-\-net option, as well as set the DNS servers according to the DHCP response.
+This option requires the ISC dhclient DHCP client to be installed and will start
+it automatically inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=br0 \-\-ip6=dhcp
+.br
+
+.br
+This option should not be used in conjunction with the \-\-dns option if the
+DHCP server is set to configure DNS servers for the clients, because the
+manually specified DNS servers will be overwritten.
+
+.br
+The DHCP client will NOT release the DHCP lease when the sandbox terminates.
+If your DHCP server requires leases to be explicitly released, consider running
+a DHCP client and releasing the lease manually.
+
+.TP
 \fB\-\-iprange=address,address
 Assign an IP address in the provided range to the last network interface defined by a \-\-net option. A
 default gateway is assigned by default.
@@ -616,6 +955,7 @@ for sandboxes started as root.
 Example:
 .br
 $ firejail \-\-ipc-namespace firefox
+#endif
 .TP
 \fB\-\-join=name|pid
 Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
@@ -638,7 +978,7 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-join=3272
 
@@ -647,9 +987,9 @@ $ firejail \-\-join=3272
 Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
+#ifdef HAVE_NETWORK
 .TP
-\fB\-\-join-network=name|PID
+\fB\-\-join-network=name|pid
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
@@ -703,7 +1043,7 @@ Switching to pid 1932, the first child process inside the sandbox
     inet6 fe80::7458:14ff:fe42:78e4/64 scope link
 .br
        valid_lft forever preferred_lft forever
-
+#endif
 .TP
 \fB\-\-join-or-start=name
 Join the sandbox identified by name or start a new one.
@@ -712,8 +1052,35 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 Note that in contrary to other join options there is respective profile option.
 
 .TP
-\fB\-\-ls=name|pid dir_or_filename
-List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
+\fB\-\-keep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-keep-config-pulse firefox
+
+.TP
+\fB\-\-keep-dev-shm
+/dev/shm directory is untouched (even with --private-dev)
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-dev-shm --private-dev
+
+.TP
+\fB\-\-keep-var-tmp
+/var/tmp directory is untouched.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-var-tmp
 
 .TP
 \fB\-\-list
@@ -725,26 +1092,37 @@ Example:
 .br
 $ firejail \-\-list
 .br
-7015:netblue:firejail firefox
+7015:netblue:browser:firejail firefox
+#ifdef HAVE_NETWORK
 .br
-7056:netblue:firejail \-\-net=eth0 transmission-gtk
+7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk
+#endif
+#ifdef HAVE_USERNS
 .br
-7064:netblue:firejail \-\-noroot xterm
+7064:netblue::firejail \-\-noroot xterm
 .br
-$
+#endif
+#ifdef HAVE_FILE_TRANSFER
+.TP
+\fB\-\-ls=name|pid dir_or_filename
+List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
+#endif
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-mac=address
-Assign MAC addresses to the last network interface defined by a \-\-net option.
+Assign MAC addresses to the last network interface defined by a \-\-net option. This option
+is not supported for wireless interfaces.
 .br
 
 .br
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
-
+#endif
 .TP
 \fB\-\-machine-id
 Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
+Note that this breaks audio support. Enable it when sound is not required.
 .br
 
 .br
@@ -753,19 +1131,40 @@ Example:
 $ firejail \-\-machine-id
 
 .TP
+\fB\-\-mkdir=dirname
+Create a directory in user home. Parent directories are created as needed.
+.br
+
+.br
+Example:
+.br
+$ firejail --mkdir=~/work/project
+
+.TP
+\fB\-\-mkfile=filename
+Create an empty file in user home.
+.br
+
+.br
+Example:
+.br
+$ firejail --mkfile=~/work/project/readme
+
+.TP
 \fB\-\-memory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect and shmat system calls
-and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
+and shmat system calls and returns error EPERM to the process (or
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 .br
 
 .br
 Note: shmat is not implemented
 as a system call on some platforms including i386, and it cannot be
 handled by seccomp-bpf.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
@@ -775,25 +1174,39 @@ Assign a MTU value to the last network interface defined by a \-\-net option.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-mtu=1492
-
+#endif
 .TP
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
 this name to identify a sandbox.
+
+In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
+new name as "name-PID", where PID is the process ID of the sandbox. This functionality
+can be disabled at run time in /etc/firejail/firejail.config file, by setting "name-change" flag to "no".
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-name=mybrowser firefox
-
+$ firejail \-\-name=browser firefox &
+.br
+$ firejail \-\-name=browser \-\-private \
+firefox \-\-no-remote &
+.br
+$ firejail --list
+.br
+1198:netblue:browser:firejail --name=browser firefox
+.br
+1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
+.br
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-net=bridge_interface
 Enable a new network namespace and connect it to this bridge interface.
 Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
 automatically to the sandbox. The IP address is verified using ARP before assignment. The address
 configured as default gateway is the bridge device IP address. Up to four \-\-net
-bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
+options can be specified.
 .br
 
 .br
@@ -810,23 +1223,24 @@ $ sudo ifconfig br1 10.10.30.1/24
 $ firejail \-\-net=br0 \-\-net=br1
 
 .TP
-\fB\-\-net=ethernet_interface
+\fB\-\-net=ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan
+to this ethernet interface using the standard Linux macvlan|ipvaln
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an
 IP address and a default gateway will be assigned automatically
 to the sandbox. The IP address is verified using ARP before
 assignment. The address configured as default gateway is the
-default gateway of the host. Up to four \-\-net devices can
-be defined. Mixing bridge and macvlan devices is allowed.
-Note: wlan devices are not supported for this option.
+default gateway of the host. Up to four \-\-net options can be specified.
+Support for ipvlan driver was introduced in Linux kernel 3.19.
 .br
 
 .br
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
-
+.br
+$ firejail \-\-net=wlan0 firefox
+#endif
 .TP
 \fB\-\-net=none
 Enable a new, unconnected network namespace. The only interface
@@ -844,18 +1258,47 @@ $ firejail \-\-net=none vlc
 .br
 Note: \-\-net=none can crash the application on some platforms.
 In these cases, it can be replaced with \-\-protocol=unix.
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-net=tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver. If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use \-\-ip, \-\-netmask and \-\-defaultgw to specify the configuration.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=tap0 \-\-ip=10.10.20.80 \-\-netmask=255.255.255.0 \-\-defaultgw=10.10.20.1 firefox
 
 .TP
-\fB\-\-netns=name
-Run the program in a named, persistent network namespace.  These can
-be created and configured using "ip netns".
+\fB\-\-net.print=name|pid
+If a new network namespace is enabled, print network interface configuration for the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --net.print=browser
+.br
+Switching to pid 1853, the first child process inside the sandbox
+.br
+Interface  MAC               IP            Mask        Status
+.br
+lo                           127.0.0.1     255.0.0.0     UP
+.br
+eth0-1852  5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
+.br
 
 .TP
 \fB\-\-netfilter
-Enable a default client network filter in the new network namespace.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
-\-\-netfilter option does nothing.
-The default filter is as follows:
+Enable a default firewall if a new network namespace is created inside the sandbox.
+This option has no effect for sandboxes using the system network namespace.
+.br
+
+.br
+The default firewall is optimized for regular desktop applications. No incoming
+connections are accepted:
 .br
 
 .br
@@ -898,19 +1341,18 @@ Example:
 $ firejail \-\-net=eth0 \-\-netfilter firefox
 .TP
 \fB\-\-netfilter=filename
-Enable the network filter specified by filename in the new network namespace. The filter file format
-is the format of iptables-save and iptable-restore commands.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
-\-\-netfilter option does nothing.
+Enable the firewall specified by filename if a new network namespace is created inside the sandbox.
+This option has no effect for sandboxes using the system network namespace.
 .br
 
 .br
-The following filters are available in /etc/firejail directory:
+Please use the regular iptables-save/iptables-restore format for the filter file. The following
+examples are available in /etc/firejail directory:
 .br
 
 .br
 .B webserver.net
-is a webserver filter that allows access only to TCP ports 80 and 443.
+is a webserver firewall that allows access only to TCP ports 80 and 443.
 Example:
 .br
 
@@ -921,20 +1363,74 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
 .br
 
 .br
-.B nolocal.net
-is a client filter that disable access to local network. Example:
+.B nolocal.net/nolocal6.net
+is a desktop client firewall that disable access to local network. Example:
 .br
 
 .br
 $ firejail --netfilter=/etc/firejail/nolocal.net \\
 .br
 --net=eth0 firefox
+
+.TP
+\fB\-\-netfilter=filename,arg1,arg2,arg3 ...
+This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script
+are replaced with arg1, arg2, arg3 ... passed on the command line. Up to 16 arguments are supported.
+Example:
+.br
+
+.br
+$ firejail --net=eth0 --ip=192.168.1.105 \\
+.br
+--netfilter=/etc/firejail/tcpserver.net,5001 server-program
+.br
+
+.TP
+\fB\-\-netfilter.print=name|pid
+Print the firewall installed in the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --name=browser --net=eth0 --netfilter firefox &
+.br
+$ firejail --netfilter.print=browser
+
 .TP
 \fB\-\-netfilter6=filename
-Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format
-is the format of ip6tables-save and ip6table-restore commands.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
-\-\-netfilter6 option does nothing.
+Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox.
+This option has no effect for sandboxes using the system network namespace.
+Please use the regular iptables-save/iptables-restore format for the filter file.
+
+.TP
+\fB\-\-netfilter6.print=name|pid
+Print the IPv6 firewall installed in the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --name=browser --net=eth0 --netfilter firefox &
+.br
+$ firejail --netfilter6.print=browser
+
+.TP
+\fB\-\-netmask=address
+Use this option when you want to assign an IP address in a new namespace and
+the parent interface specified by --net is not configured. An IP address and
+a default gateway address also have to be added. By default the new namespace
+interface comes without IP address and default gateway configured. Example:
+.br
+
+.br
+$ sudo /sbin/brctl addbr br0
+.br
+$ sudo /sbin/ifconfig br0 up
+.br
+$ firejail --ip=10.10.20.67 --netmask=255.255.255.0 --defaultgw=10.10.20.1
+
+.TP
+\fB\-\-netns=name
+Run the program in a named, persistent network namespace.  These can
+be created and configured using "ip netns".
+
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see \fBMONITORING\fR section for more details.
@@ -952,7 +1448,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
-
+#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -975,6 +1471,10 @@ Example:
 $ firejail --no3d firefox
 
 .TP
+\fB\-\-noautopulse \fR(deprecated)
+See --keep-config-pulse.
+
+.TP
 \fB\-\-noblacklist=dirname_or_filename
 Disable blacklist for this directory or file.
 .br
@@ -999,6 +1499,17 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-nodbus \fR(deprecated)
+#ifdef HAVE_DBUSPROXY
+Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-nodbus \-\-net=none
+#endif
+.TP
 \fB\-\-nodvd
 Disable DVD and audio CD devices.
 .br
@@ -1008,8 +1519,17 @@ Example:
 .br
 $ firejail \-\-nodvd
 .TP
+\fB\-\-noinput
+Disable input devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noinput
+.TP
 \fB\-\-noexec=dirname_or_filename
-Remount directory or file noexec, nodev and nosuid.
+Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1019,8 +1539,7 @@ $ firejail \-\-noexec=/tmp
 .br
 
 .br
-/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation
-on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+/etc and /var are noexec by default if the sandbox was started as a regular user.
 
 .TP
 \fB\-\-nogroups
@@ -1053,6 +1572,14 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
 $
 
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege. This option
+is enabled by default if seccomp filter is activated.
+
+.TP
 \fB\-\-noprofile
 Do not use a security profile.
 .br
@@ -1079,7 +1606,7 @@ Parent pid 8553, child pid 8554
 Child process initialized
 .br
 [...]
-
+#ifdef HAVE_USERNS
 .TP
 \fB\-\-noroot
 Install a user namespace with a single user - the current user.
@@ -1103,15 +1630,7 @@ $ ping google.com
 ping: icmp open socket: Operation not permitted
 .br
 $
-
-.TP
-\fB\-\-nonewprivs
-Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
-cannot acquire new privileges using execve(2);  in particular,
-this means that calling a suid binary (or one with file capabilities)
-does not result in an increase of privilege. This option
-is enabled by default if seccomp filter is activated.
-
+#endif
 .TP
 \fB\-\-nosound
 Disable sound system.
@@ -1133,6 +1652,16 @@ Example:
 $ firejail \-\-notv vlc
 
 .TP
+\fB\-\-nou2f
+Disable U2F devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-nou2f
+
+.TP
 \fB\-\-novideo
 Disable video devices.
 .br
@@ -1141,6 +1670,7 @@ Disable video devices.
 \fB\-\-nowhitelist=dirname_or_filename
 Disable whitelist for this directory or file.
 
+#ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
 stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
@@ -1171,12 +1701,15 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-output-stderr=logfile
 Similar to \-\-output, but stderr is also stored.
+#endif
 
+#ifdef HAVE_OVERLAYFS
 .TP
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail/<PID> directory.
+Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<PID> directory.
+If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled.
 .br
 
 .br
@@ -1191,11 +1724,22 @@ Example:
 $ firejail \-\-overlay firefox
 
 .TP
+\fB\-\-overlay-clean
+Clean all overlays stored in $HOME/.firejail directory.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-overlay-clean
+
+.TP
 \fB\-\-overlay-named=name
 Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
 the system directories are mounted read-write. All filesystem modifications go into the overlay.
-The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
-sessions.
+Directories /run, /tmp and /dev are not covered by the overlay. The overlay is stored in $HOME/.firejail/<NAME> directory.
+The created overlay can be reused between multiple sessions.
+If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled.
 .br
 
 .br
@@ -1212,7 +1756,8 @@ $ firejail \-\-overlay-named=jail1 firefox
 .TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications
-are discarded when the sandbox is closed.
+are discarded when the sandbox is closed. Directories /run, /tmp and /dev are not covered by the overlay.
+If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled.
 .br
 
 .br
@@ -1225,17 +1770,7 @@ This option is not available on Grsecurity systems.
 Example:
 .br
 $ firejail \-\-overlay-tmpfs firefox
-
-.TP
-\fB\-\-overlay-clean
-Clean all overlays stored in $HOME/.firejail directory.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-overlay-clean
-
+#endif
 .TP
 \fB\-\-private
 Mount new /root and /home/user directories in temporary
@@ -1247,9 +1782,11 @@ closed.
 Example:
 .br
 $ firejail \-\-private firefox
+
 .TP
 \fB\-\-private=directory
 Use directory as user home.
+--private and --private=directory cannot be used together.
 .br
 
 .br
@@ -1258,24 +1795,14 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 
 .TP
-\fB\-\-private-home=file,directory
-Build a new user home in a temporary
-filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
-closed.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-private-home=.mozilla firefox
-
-.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
-If no listed file is found, /bin directory will be empty.
+The files in the list must be expressed as relative to the /bin,
+/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
+If no listed files are found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
-All modifications are discarded when the sandbox is closed.
+All modifications are discarded when the sandbox is closed. File globbing is supported,
+see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1292,59 +1819,62 @@ $ ls /bin
 bash  cat  ls  sed
 
 .TP
-\fB\-\-private-lib=file,directory
-This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
-The idea is to build a new /lib in a temporary filesystem,
-with only the library files necessary to run the application.
-It could be as simple as:
+\fB\-\-private-cache
+Mount an empty temporary filesystem on top of the .cache directory in user home. All
+modifications are discarded when the sandbox is closed.
 .br
 
 .br
-$ firejail --private-lib galculator
+Example:
 .br
+$ firejail \-\-private-cache openbox
 
+.TP
+\fB\-\-private-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
 .br
-but it gets complicated really fast:
+Does not impact working directory of profile include paths.
 .br
 
 .br
-$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
-.br
-
+Example:
 .br
-The feature is integrated with \-\-private-bin:
+$ pwd
 .br
-
+/tmp
 .br
-$ firejail --private-lib --private-bin=bash,ls,ps
+$ firejail \-\-private-cwd
 .br
-$ ls /lib
+$ pwd
 .br
-ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
+/home/user
 .br
-libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
+
+.TP
+\fB\-\-private-cwd=directory
+Set working directory inside the jail.
 .br
-libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+Does not impact working directory of profile include paths.
 .br
-libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+
 .br
-$ ps
+Example:
 .br
- PID TTY          TIME CMD
+$ pwd
 .br
-    1 pts/0    00:00:00 firejail
+/tmp
 .br
-   45 pts/0    00:00:00 bash
+$ firejail \-\-private-cwd=/opt
 .br
-   48 pts/0    00:00:00 ps
+$ pwd
 .br
-$
+/opt
 .br
 
-
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
+Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available.
+Use the options --no3d, --nodvd, --nosound, --notv, --nou2f and --novideo for additional restrictions.
 .br
 
 .br
@@ -1365,6 +1895,8 @@ $
 \fB\-\-private-etc=file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /etc directory (e.g., /etc/foo must be expressed as foo).
 If no listed file is found, /etc directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1375,11 +1907,83 @@ Example:
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
 nsswitch.conf,passwd,resolv.conf
+#ifdef HAVE_PRIVATE_HOME
+.TP
+\fB\-\-private-home=file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home.
+The files and directories in the list must be expressed as relative to
+the current user's home directory.
+All modifications are discarded when the sandbox is
+closed.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-private-home=.mozilla firefox
+#endif
+.TP
+\fB\-\-private-lib=file,directory
+This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
+The files and directories in the list must be expressed as relative to
+the /lib directory.
+The idea is to build a new /lib in a temporary filesystem,
+with only the library files necessary to run the application.
+It could be as simple as:
+.br
+
+.br
+$ firejail --private-lib galculator
+.br
+
+.br
+but it gets complicated really fast:
+.br
+
+.br
+$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
+.br
+
+.br
+The feature is integrated with \-\-private-bin:
+.br
+
+.br
+$ firejail --private-lib --private-bin=bash,ls,ps
+.br
+$ ls /lib
+.br
+ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
+.br
+libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
+.br
+libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
+.br
+libgcrypt.so.20 libpcre.so.3 libselinux.so.1
+.br
+$ ps
+.br
+ PID TTY          TIME CMD
+.br
+    1 pts/0    00:00:00 firejail
+.br
+   45 pts/0    00:00:00 bash
+.br
+   48 pts/0    00:00:00 ps
+.br
+$
+.br
 
 .TP
 \fB\-\-private-opt=file,directory
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /opt directory, and must not contain the / character
+(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar --
+expressed as foo/bar -- is disallowed).
 If no listed file is found, /opt directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1393,6 +1997,10 @@ $ firejail --private-opt=firefox /opt/firefox/firefox
 \fB\-\-private-srv=file,directory
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /srv directory, and must not contain the / character
+(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar --
+expressed as srv/bar -- is disallowed).
 If no listed file is found, /srv directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1423,9 +2031,8 @@ drwx------  2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
 drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 .br
 
-
 .TP
-\fB\-\-profile=filename
+\fB\-\-profile=filename_or_profilename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.
 For more information, see \fBSECURITY PROFILES\fR section below.
 .br
@@ -1447,25 +2054,10 @@ $ firejail \-\-profile.print=browser
 .br
 /etc/firejail/firefox.profile
 .br
-
-.TP
-\fB\-\-profile-path=directory
-Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/.
-For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in
-\fBman 5 firejail-profile\fR.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-profile-path=~/myprofiles
-.br
-$ firejail \-\-profile-path=/home/netblue/myprofiles
-
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
 .br
 
 .br
@@ -1492,20 +2084,26 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-protocol.print=3272
 .br
 unix,inet,inet6,netlink
+#ifdef HAVE_FILE_TRANSFER
 .TP
 \fB\-\-put=name|pid src-filename dest-filename
 Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details.
+#endif
 .TP
 \fB\-\-quiet
 Turn off Firejail's output.
+.br
+
+.br
+The same effect can be obtained by setting an environment variable FIREJAIL_QUIET to yes.
 .TP
 \fB\-\-read-only=dirname_or_filename
-Set directory or file read-only.
+Set directory or file read-only. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1513,20 +2111,11 @@ Example:
 .br
 $ firejail \-\-read-only=~/.mozilla firefox
 .br
-
-.br
-A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
-should be made read-only independently. Making a parent directory read-only, will not
-make the whitelist read-only. Example:
-.br
-
-.br
-$ firejail --whitelist=~/work --read-only=~ --read-only=~/work
-
 .TP
 \fB\-\-read-write=dirname_or_filename
 Set directory or file read-write. Only files or directories belonging to the current user are allowed for
-this operation. Example:
+this operation. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Example:
 .br
 
 .br
@@ -1538,8 +2127,23 @@ $ firejail --read-only=~/test --read-write=~/test/a
 
 
 .TP
+\fB\-\-rlimit-as=number
+Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
+
+.TP
+\fB\-\-rlimit-cpu=number
+Set the maximum limit, in seconds, for the amount of CPU time each
+sandboxed process  can consume. When the limit is reached, the processes are killed.
+
+The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
+the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
+track of CPU seconds for each process independently.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -1559,7 +2163,7 @@ Remove environment variable in the new sandbox.
 Example:
 .br
 $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -1570,31 +2174,22 @@ This makes it possible to detect macvlan kernel device drivers running on the cu
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-scan
+#endif
 .TP
 \fB\-\-seccomp
-Enable seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
-add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
-io_destroy, io_getevents, io_submit, io_cancel,
-remap_file_pages, mbind, set_mempolicy,
-migrate_pages, move_pages, vmsplice, chroot,
-tuxcall, reboot, mfsservctl, get_kernel_syms,
-bpf, clock_settime, personality, process_vm_writev, query_module,
-settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
-afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
-pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
-security, setdomainname,  sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
-ulimit, vhangup and vserver.
+Enable seccomp filter and blacklist the syscalls in the default list,
+which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
+then it is @default.
 
 .br
 To help creating useful seccomp filters more easily, the following
-system call groups are defined: @clock, @cpu-emulation, @debug,
-@default, @default-nodebuggers, @default-keep, @module, @obsolete,
-@privileged, @raw-io, @reboot, @resources and @swap. In addtion, a
-system call can be specified by its number instead of name with prefix
-$, so for example $165 would be equal to mount on i386.
+system call groups are defined: @aio, @basic-io, @chown, @clock,
+@cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep,
+@file-system, @io-event, @ipc, @keyring, @memlock, @module, @mount,
+@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
+@resources, @setuid, @swap, @sync, @system-service and @timer.
+More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
+.br
 
 .br
 System architecture is strictly imposed only if flag
@@ -1611,9 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
+
 .TP
-\fB\-\-seccomp=syscall,@group
-Enable seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
+\fB\-\-seccomp=syscall,@group,!syscall2
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -1623,14 +2227,26 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
 
 .br
-Instead of dropping the syscall, a specific error number can be returned
-using \fBsyscall:errorno\fR syntax.
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
+
+.br
+Instead of dropping the syscall by returning EPERM, another error
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -1639,21 +2255,26 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
 If the blocked system calls would also block Firejail from operating,
 they are handled by adding a preloaded library which performs seccomp
-system calls later.
+system calls later. However, this is incompatible with 32 bit seccomp
+filters.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -1665,11 +2286,10 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
-\fB\-\-seccomp.block_secondary
+\fB\-\-seccomp.block-secondary
 Enable seccomp filter and filter system call architectures so that
 only the native architecture is allowed. For example, on amd64, i386
 and x32 system calls are blocked as well as changing the execution
@@ -1678,7 +2298,10 @@ domain with personality(2) system call.
 
 .TP
 \fB\-\-seccomp.drop=syscall,@group
-Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
+Enable seccomp filter, and blacklist the syscalls or the syscall
+groups specified by the command. On a 64 bit architecture, an
+additional filter for 32 bit system calls can be installed with
+\-\-seccomp.32.drop.
 .br
 
 .br
@@ -1688,8 +2311,12 @@ $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock
 .br
 
 .br
-Instead of dropping the syscall, a specific error number can be returned
-using \fBsyscall:errorno\fR syntax.
+Instead of dropping the syscall by returning EPERM, another error
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 
 .br
@@ -1703,20 +2330,22 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
-\fB\-\-seccomp.keep=syscall,syscall,syscall
-Enable seccomp filter, and whitelist the syscalls specified by the
-command. The system calls needed by Firejail (group @default-keep:
-prctl, execve) are handled with the preload library.
+\fB\-\-seccomp.keep=syscall,@group,!syscall2
+Enable seccomp filter, blacklist all syscall not listed and "syscall2".
+The system calls needed by Firejail (group @default-keep: prctl, execve, execveat)
+are handled with the preload library. On a 64 bit architecture, an
+additional filter for 32 bit system calls can be installed with
+\-\-seccomp.32.keep.
 .br
 
 .br
@@ -1725,7 +2354,7 @@ Example:
 $ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk
 
 .TP
-\fB\-\-seccomp.print=name|PID
+\fB\-\-seccomp.print=name|pid
 Print the seccomp filter for the sandbox identified by name or PID.
 .br
 
@@ -1734,61 +2363,175 @@ Example:
 .br
 $ firejail \-\-name=browser firefox &
 .br
-$ firejail \-\-seccomp.print=browser
+$ firejail --seccomp.print=browser
+.br
+ line  OP JT JF    K
+.br
+=================================
+.br
+ 0000: 20 00 00 00000004   ld  data.architecture
+.br
+ 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
+.br
+ 0002: 06 00 00 7fff0000   ret ALLOW
+.br
+ 0003: 20 00 00 00000000   ld  data.syscall-number
+.br
+ 0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
+.br
+ 0005: 35 01 00 00000000   jge read 0007 (false 0006)
+.br
+ 0006: 06 00 00 00050001   ret ERRNO(1)
+.br
+ 0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
+.br
+ 0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
+.br
+ 0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
+.br
+ 000a: 15 3e 00 00000137   jeq process_vm_writev 0049 (false 000b)
+.br
+ 000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
+.br
+ 000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
+.br
+ 000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
+.br
+ 000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
+.br
+ 000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
+.br
+ 0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
 .br
-SECCOMP Filter:
+ 0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
 .br
-  VALIDATE_ARCHITECTURE
+ 0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
 .br
-  EXAMINE_SYSCALL
+ 0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
 .br
-  BLACKLIST 165 mount
+ 0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
 .br
-  BLACKLIST 166 umount2
+ 0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
 .br
-  BLACKLIST 101 ptrace
+ 0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
 .br
-  BLACKLIST 246 kexec_load
+ 0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
 .br
-  BLACKLIST 304 open_by_handle_at
+ 0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
 .br
-  BLACKLIST 175 init_module
+ 0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
 .br
-  BLACKLIST 176 delete_module
+ 001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
 .br
-  BLACKLIST 172 iopl
+ 001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
 .br
-  BLACKLIST 173 ioperm
+ 001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
 .br
-  BLACKLIST 167 swapon
+ 001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
 .br
-  BLACKLIST 168 swapoff
+ 001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
 .br
-  BLACKLIST 103 syslog
+ 001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
 .br
-  BLACKLIST 310 process_vm_readv
+ 0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
 .br
-  BLACKLIST 311 process_vm_writev
+ 0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
 .br
-  BLACKLIST 133 mknod
+ 0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
 .br
-  BLACKLIST 139 sysfs
+ 0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
 .br
-  BLACKLIST 156 _sysctl
+ 0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
 .br
-  BLACKLIST 159 adjtimex
+ 0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
 .br
-  BLACKLIST 305 clock_adjtime
+ 0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
 .br
-  BLACKLIST 212 lookup_dcookie
+ 0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
 .br
-  BLACKLIST 298 perf_event_open
+ 0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
 .br
-  BLACKLIST 300 fanotify_init
+ 0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
 .br
-  RETURN_ALLOW
+ 002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
+.br
+ 002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
+.br
+ 002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
+.br
+ 002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
+.br
+ 002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
+.br
+ 002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
+.br
+ 0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
+.br
+ 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
+.br
+ 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
+.br
+ 0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
+.br
+ 0034: 15 14 00 00000130   jeq open_by_handle_at 0049 (false 0035)
+.br
+ 0035: 15 13 00 0000012f   jeq name_to_handle_at 0049 (false 0036)
+.br
+ 0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
+.br
+ 0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
+.br
+ 0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
+.br
+ 0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
+.br
+ 003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
+.br
+ 003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
+.br
+ 003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
+.br
+ 003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
+.br
+ 003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
+.br
+ 003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
+.br
+ 0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
+.br
+ 0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
+.br
+ 0042: 15 06 00 000000d8   jeq remap_file_pages 0049 (false 0043)
+.br
+ 0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
+.br
+ 0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
+.br
+ 0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
+.br
+ 0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
+.br
+ 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
+.br
+ 0048: 06 00 00 7fff0000   ret ALLOW
+.br
+ 0049: 06 00 01 00000000   ret KILL
 .br
 $
+
+.TP
+\fB\-\-seccomp-error-action= kill | ERRNO | log
+By default, if a seccomp filter blocks a system call, the process gets
+EPERM as the error. With \-\-seccomp-error-action=error, another error
+number can be returned, for example ENOSYS or EACCES. The process can
+also be killed (like in versions <0.9.63 of Firejail) by using
+\-\-seccomp-error-action=kill syntax, or the attempt may be logged
+with \-\-seccomp-error-action=log. Not killing the process weakens
+Firejail slightly when trying to contain intrusion, but it may also
+allow tighter filters if the only alternative is to allow a system
+call.
+.br
+
 .TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
@@ -1802,15 +2545,14 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
-shell.
+By default the user's preferred shell is used.
 .br
 
 .br
 Example:
 $firejail \-\-shell=/bin/dash script.sh
 .TP
-\fB\-\-shutdown=name|PID
+\fB\-\-shutdown=name|pid
 Shutdown the sandbox identified by name or PID.
 .br
 
@@ -1827,18 +2569,25 @@ Example:
 .br
 $ firejail \-\-list
 .br
-3272:netblue:firejail \-\-private firefox
+3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-shutdown=3272
 .TP
+\fB\-\-timeout=hh:mm:ss
+Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
+.br
+
+.br
+$ firejail \-\-timeout=01:30:00 firefox
+.TP
 \fB\-\-tmpfs=dirname
-Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
@@ -1849,8 +2598,9 @@ Example:
 .br
 $ firejail \-\-top
 .TP
-\fB\-\-trace
-Trace open, access and connect system calls.
+\fB\-\-trace[=filename]
+Trace open, access and connect system calls. If filename is specified, log
+trace output to filename, otherwise log to console.
 .br
 
 .br
@@ -1916,14 +2666,38 @@ $ firejail \-\-tree
   11904:netblue:iceweasel
 .br
     11957:netblue:/usr/lib/iceweasel/plugin-container
+#ifdef HAVE_NETWORK
 .br
 11969:netblue:firejail \-\-net=eth0 transmission-gtk
+#endif
 .br
   11970:netblue:transmission-gtk
 
+#ifdef HAVE_FIRETUNNEL
+.TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
+#endif
 .TP
 \fB\-\-version
-Print program version and exit.
+Print program version/compile time support and exit.
 .br
 
 .br
@@ -1933,6 +2707,21 @@ $ firejail \-\-version
 .br
 firejail version 0.9.27
 
+Compile time support:
+    - AppArmor support is enabled
+    - AppImage support is enabled
+    - chroot support is enabled
+    - file and directory whitelisting support is enabled
+    - file transfer support is enabled
+    - firetunnel support is enabled
+    - networking support is enabled
+    - overlayfs support is enabled
+    - private-home support is enabled
+    - seccomp-bpf support is enabled
+    - user namespace support is enabled
+    - X11 sandboxing support is enabled
+.br
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-veth-name=name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
@@ -1943,13 +2732,14 @@ instead of the default one.
 Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
-
+#endif
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
 whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
@@ -1958,6 +2748,10 @@ the same top directory. For user home, both the link and the real file should be
 .br
 
 .br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
@@ -1965,6 +2759,8 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
 .TP
 \fB\-\-writable-etc
@@ -2007,13 +2803,13 @@ Example:
 .br
 $ sudo firejail --writable-var-log
 
-
+#ifdef HAVE_X11
 .TP
 \fB\-\-x11
 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
-The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
+The sandbox will prevent screenshot and keylogger applications started inside the sandbox from accessing
 clients running outside the sandbox.
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+Firejail will try Xpra first, and if Xpra is not installed on the system, it will try to find Xephyr.
 If all fails, Firejail will not attempt to use Xvfb or X11 security extension.
 .br
 
@@ -2082,7 +2878,7 @@ $ firejail \-\-x11=xorg firefox
 
 .TP
 \fB\-\-x11=xpra
-Start Xpra (http://xpra.org) and attach the sandbox to this server.
+Start Xpra (https://xpra.org) and attach the sandbox to this server.
 Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
 A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
 .br
@@ -2168,16 +2964,51 @@ Example:
 .br
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
+#endif
+#ifdef HAVE_APPARMOR
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
 
+.br
+$ ./configure --prefix=/usr --enable-apparmor
 .TP
-\fB\-\-zsh
-Use /usr/bin/zsh as default user shell.
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations must be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root:
 .br
 
 .br
-Example:
+# apparmor_parser -r /etc/apparmor.d/firejail-default
+.TP
+The installed profile is supplemental for main firejail functions and among other things does the following:
+.br
+
+.br
+- Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging. You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
 .br
-$ firejail \-\-zsh
+
+.br
+- Whitelist write access to several files under /run, /proc and /sys.
+.br
+
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+
+.br
+- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
+.br
+
+.br
+- Deny access to known sensitive paths like .snapshots.
+
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+
+.br
+$ firejail --apparmor firefox
+#endif
 
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
@@ -2192,7 +3023,7 @@ Make a firefox symlink to /usr/bin/firejail:
 .br
 
 .br
-$ ln -s /usr/bin/firejail /usr/local/bin/firefox
+$ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
 .br
 
 .br
@@ -2232,49 +3063,90 @@ $ firejail --tree
       1221:netblue:/usr/lib/firefox/firefox
 .RE
 
-We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details.
+We provide a tool that automates all this integration, please see \&\flfirecfg\fR\|(1) for more details.
 
-.SH APPARMOR
+.SH EXAMPLES
 .TP
-AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
-.br
+\f\firejail
+Sandbox a regular shell session.
+.TP
+\f\firejail firefox
+Start Mozilla Firefox.
+.TP
+\f\firejail \-\-debug firefox
+Debug Firefox sandbox.
+.TP
+\f\firejail \-\-private firefox
+Start Firefox with a new, empty home directory.
+.TP
+\f\firejail --net=none vlc
+Start VLC in an unconnected network namespace.
+#ifdef HAVE_NETWORK
+.TP
+\f\firejail \-\-net=eth0 firefox
+Start Firefox in a new network namespace. An IP address is
+assigned automatically.
+.TP
+\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
+Start a shell session in a new network namespace and connect it
+to br0, br1, and br2 host bridge devices. IP addresses are assigned
+automatically for the interfaces connected to br1 and b2
+#endif
+.TP
+\f\firejail \-\-list
+List all sandboxed processes.
 
-.br
-$ ./configure --prefix=/usr --enable-apparmor
+.SH FILE GLOBBING
 .TP
-During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+Globbing is the operation that expands a wildcard pattern into the
+list of pathnames matching the pattern.  This pattern is matched at
+firejail \fBstart\fR, and is NOT UPDATED at runtime.  \fBFiles matching
+a blacklist, but created after firejail start will be accessible within
+the jail.\fR Matching is defined by:
 .br
 
 .br
-# aa-enforce firejail-default
-.TP
-The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+- '?' matches any character
 .br
-
+- '*' matches any string
+.br
+- '[' denotes a range of characters
 .br
-- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
-commands such as "top" and "ps aux".
+.TP
+The globbing feature is implemented using glibc glob command. For
+more information on the wildcard syntax see man 7 glob.
 .br
 
 .br
-- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
-programs and scripts from user home or other directories writable by the user is not allowed.
+.TP
+The following command line options are supported: \-\-blacklist,
+\-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write,
+\-\-tmpfs, and \-\-whitelist.
 .br
 
 .br
-- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
-You should have no problems running Chromium or Firefox.
-
 .TP
-To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+Examples:
 .br
 
 .br
-$ firejail --apparmor firefox
+$ firejail --private-bin=sh,bash,python*
+.br
+$ firejail --blacklist=~/dir[1234]
+.br
+$ firejail --read-only=~/dir[1-4]
+.br
 
+#ifdef HAVE_FILE_TRANSFER
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
-and transfer files from the container to the host filesystem.
+and transfer files between the container and the host filesystem.
+
+.TP
+\fB\-\-cat=name|pid filename
+Write content of a container file to standard out. The container is specified by name or PID.
+If standard out is a terminal, all ASCII control characters except new line and horizontal tab
+are replaced.
 
 .TP
 \fB\-\-get=name|pid filename
@@ -2320,87 +3192,28 @@ $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png
 $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
 .br
 
-.SH TRAFFIC SHAPING
-Network bandwidth is an expensive resource shared among all sandboxes running on a system.
-Traffic shaping allows the user to increase network performance by controlling
-the amount of data that flows into and out of the sandboxes.
-
-Firejail implements a simple rate-limiting shaper based on Linux command tc.
-The shaper works at sandbox level, and can be used only for sandboxes configured with new network namespaces.
-
-Set rate-limits:
-
-        $ firejail --bandwidth=name|pid set network download upload
-
-Clear rate-limits:
-
-        $ firejail --bandwidth=name|pid clear network
-
-Status:
-
-        $ firejail --bandwidth=name|pid status
-
-where:
-.br
-        name - sandbox name
-.br
-        pid - sandbox pid
-.br
-        network - network interface as used by \-\-net option
-.br
-        download - download speed in KB/s (kilobyte per second)
-.br
-        upload - upload speed in KB/s (kilobyte per second)
-
-Example:
-.br
-        $ firejail \-\-name=mybrowser \-\-net=eth0 firefox &
-.br
-        $ firejail \-\-bandwidth=mybrowser set eth0 80 20
 .br
-        $ firejail \-\-bandwidth=mybrowser status
+$ firejail \-\-cat=mybrowser ~/.bashrc
 .br
-        $ firejail \-\-bandwidth=mybrowser clear eth0
-
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-
-Running the default audit program:
-.br
-        $ firejail --audit transmission-gtk
-
-Running a custom audit program:
-.br
-        $ firejail --audit=~/sandbox-test transmission-gtk
-
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-
-Limitations: audit feature is not implemented for --x11 commands.
-
+#endif
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
 
-        PID:USER:Command
+        PID:USER:Sandbox Name:Command
 
 Option \-\-tree prints the tree of processes running in the sandbox. The format
 for each process entry is as follows:
 
-        PID:USER:Command
+        PID:USER:Sandbox Name:Command
 
 Option \-\-top is similar to the UNIX top command, however it applies only to
 sandboxes.
 
 Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces.
 
-
 Listed below are the available fields (columns) in alphabetical
-order for \-\-top and \-\-netstat options:
+order for \-\-top and \-\-netstats options:
 
 .TP
 Command
@@ -2423,6 +3236,9 @@ It is a sum of the RES values for all processes running in the sandbox.
 RX(KB/s)
 Network receive speed.
 .TP
+Sandbox Name
+The name of the sandbox, if any.
+.TP
 SHR
 Shared Memory Size (KiB), it reflects memory shared with other
 processes. It is a sum of the SHR values for all processes running
@@ -2434,14 +3250,23 @@ Network transmit speed.
 Uptime
 Sandbox running time in hours:minutes:seconds format.
 .TP
-User
+USER
 The owner of the sandbox.
 
+.SH RESTRICTED SHELL
+To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
+/etc/passwd file for each user that needs to be restricted. Alternatively,
+you can specify /usr/bin/firejail  in adduser command:
+
+adduser \-\-shell /usr/bin/firejail username
+
+Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
+
 .SH SECURITY PROFILES
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-1. If a profile file is provided by the user with --profile option, the profile file is loaded.
+1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
 Example:
 .PP
 .RS
@@ -2452,6 +3277,15 @@ Reading profile /home/netblue/icecat.profile
 [...]
 .RE
 
+.PP
+.RS
+$ firejail --profile=icecat icecat-wrapper.sh
+.br
+Reading profile /etc/firejail/icecat.profile
+.br
+[...]
+.RE
+
 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or
 in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
 .PP
@@ -2494,51 +3328,63 @@ Child process initialized
 [...]
 .RE
 
-See man 5 firejail-profile for profile file syntax information.
+See \fBman 5 firejail-profile\fR for profile file syntax information.
+#ifdef HAVE_NETWORK
+.SH TRAFFIC SHAPING
+Network bandwidth is an expensive resource shared among all sandboxes running on a system.
+Traffic shaping allows the user to increase network performance by controlling
+the amount of data that flows into and out of the sandboxes.
 
-.SH RESTRICTED SHELL
-To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  in adduser command:
+Firejail implements a simple rate-limiting shaper based on Linux command tc.
+The shaper works at sandbox level, and can be used only for sandboxes configured with new network namespaces.
 
-adduser \-\-shell /usr/bin/firejail username
+Set rate-limits:
 
-Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
+        $ firejail --bandwidth=name|pid set network download upload
 
-.SH EXAMPLES
-.TP
-\f\firejail
-Sandbox a regular /bin/bash session.
-.TP
-\f\firejail firefox
-Start Mozilla Firefox.
-.TP
-\f\firejail \-\-debug firefox
-Debug Firefox sandbox.
-.TP
-\f\firejail \-\-private firefox
-Start Firefox with a new, empty home directory.
-.TP
-\f\firejail --net=none vlc
-Start VLC in an unconnected network namespace.
-.TP
-\f\firejail \-\-net=eth0 firefox
-Start Firefox in a new network namespace. An IP address is
-assigned automatically.
-.TP
-\f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
-Start a /bin/bash session in a new network namespace and connect it
-to br0, br1, and br2 host bridge devices. IP addresses are assigned
-automatically for the interfaces connected to br1 and b2
-.TP
-\f\firejail \-\-list
-List all sandboxed processes.
+Clear rate-limits:
+
+        $ firejail --bandwidth=name|pid clear network
+
+Status:
+
+        $ firejail --bandwidth=name|pid status
+
+where:
+.br
+        name - sandbox name
+.br
+        pid - sandbox pid
+.br
+        network - network interface as used by \-\-net option
+.br
+        download - download speed in KB/s (kilobyte per second)
+.br
+        upload - upload speed in KB/s (kilobyte per second)
+
+Example:
+.br
+        $ firejail \-\-name=mybrowser \-\-net=eth0 firefox &
+.br
+        $ firejail \-\-bandwidth=mybrowser set eth0 80 20
+.br
+        $ firejail \-\-bandwidth=mybrowser status
+.br
+        $ firejail \-\-bandwidth=mybrowser clear eth0
+#endif
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
-Homepage: http://firejail.wordpress.com
+Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailcheck (1)
+
+.UR https://github.com/netblue30/firejail/wiki
+.UE ,
+.UR https://github.com/netblue30/firejail
+.UE
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 957a224c6..76b2f7be2 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -10,8 +10,13 @@ these processes are also being monitored. On Grsecurity systems only root user
 can run this program.
 .SH OPTIONS
 .TP
+\fB\-\-apparmor
+Print AppArmor confinement status for each sandbox.
+#ifdef HAVE_NETWORK
+.TP
 \fB\-\-arp
 Print ARP table for each sandbox.
+#endif
 .TP
 \fB\-\-caps
 Print capabilities configuration for each sandbox.
@@ -22,6 +27,9 @@ Print control group information for each sandbox.
 \fB\-\-cpu
 Print CPU affinity for each sandbox.
 .TP
+\fB\-\-debug
+Print debug messages
+.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
@@ -33,46 +41,42 @@ List all sandboxes.
 .TP
 \fB\-\-name=name
 Print information only about named sandbox.
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-netstats
 Monitor network statistics for sandboxes creating a new network namespace.
-.TP
-\fB\-\-nowrap
-Enable line wrapping in terminals. By default the lines are trimmed.
+#endif
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-route
 Print route table for each sandbox.
+#endif
 .TP
 \fB\-\-seccomp
 Print seccomp configuration for each sandbox.
 .TP
 \fB\-\-top
-Monitor the most CPU-intensive sandboxes.
+Monitor the most CPU-intensive sandboxes. This command  is similar to
+the regular UNIX top command, however it applies only to sandboxes.
 .TP
 \fB\-\-tree
 Print a tree of all sandboxed processes.
 .TP
 \fB\-\-version
 Print program version and exit.
-
+.TP
+\fB\-\-wrap
+Enable line wrapping in terminals. By default the lines are trimmed.
 .TP
 \fB\-\-x11
 Print X11 display number.
 
 .PP
-Option \-\-list prints a list of all sandboxes. The format
-for each entry is as follows:
-
-        PID:USER:Command
+The format for each listed sandbox entry is as follows:
 
-Option \-\-tree prints the tree of processes running in the sandbox. The format
-for each process entry is as follows:
+        PID:USER:Sandbox Name:Command
 
-        PID:USER:Command
-
-Option \-\-top is similar to the UNIX top command, however it applies only to
-sandboxes. Listed below are the available fields (columns) in alphabetical
-order:
+Listed below are the available fields (columns) in various firemon commands in alphabetical order:
 
 .TP
 Command
@@ -92,6 +96,9 @@ RES
 Resident Memory Size (KiB), sandbox non-swapped physical memory.
 It is a sum of the RES values for all processes running in the sandbox.
 .TP
+Sandbox Name
+The name of the sandbox, if any.
+.TP
 SHR
 Shared Memory Size (KiB), it reflects memory shared with other
 processes. It is a sum of the SHR values for all processes running
@@ -100,15 +107,17 @@ in the sandbox, including the controlling process.
 Uptime
 Sandbox running time in hours:minutes:seconds format.
 .TP
-User
+USER
 The owner of the sandbox.
 
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
-Homepage: http://firejail.wordpress.com
+Homepage: https://firejail.wordpress.com
 .SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
+.BR firejail (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
+.BR jailcheck (1)
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
new file mode 100644
index 000000000..483f47fb9
--- /dev/null
+++ b/src/man/jailcheck.txt
@@ -0,0 +1,117 @@
+.TH JAILCHECK 1 "MONTH YEAR" "VERSION" "JAILCHECK man page"
+.SH NAME
+jailcheck \- Simple utility program to test running sandboxes
+.SH SYNOPSIS
+sudo jailcheck [OPTIONS] [directory]
+.SH DESCRIPTION
+jailcheck attaches itself to all sandboxes started by the user and performs some basic tests
+on the sandbox filesystem:
+.TP
+\fB1. Virtual directories
+jailcheck extracts a list with the main virtual directories installed by the sandbox.
+These directories are build by firejail at startup using --private* and --whitelist commands.
+.TP
+\fB2. Noexec test
+jailcheck inserts executable programs in /home/username, /tmp, and /var/tmp directories
+and tries to run them from inside the sandbox, thus testing if the directory is executable or not.
+.TP
+\fB3. Read access test
+jailcheck creates test files in the directories specified by the user and tries to read
+them from inside the sandbox.
+.TP
+\fB4. AppArmor test
+.TP
+\fB5. Seccomp test
+.TP
+\fB6. Networking test
+.TP
+The program is started as root using sudo.
+
+.SH OPTIONS
+.TP
+\fB\-\-debug
+Print debug messages.
+.TP
+\fB\-?\fR, \fB\-\-help\fR
+Print options and exit.
+.TP
+\fB\-\-version
+Print program version and exit.
+.TP
+\fB[directory]
+One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
+
+.SH OUTPUT
+For each sandbox detected we print the following line:
+
+        PID:USER:Sandbox Name:Command
+
+It is followed by relevant sandbox information, such as the virtual directories and various warnings.
+
+.SH EXAMPLE
+
+$ sudo jailcheck
+.br
+2014:netblue::firejail /usr/bin/gimp
+.br
+   Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+   Networking: disabled
+.br
+
+.br
+2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+.br
+   Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
+.br
+   Warning: I can read ~/.ssh
+.br
+   Networking: enabled
+.br
+
+.br
+2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
+.br
+   Virtual dirs: /tmp, /var/tmp, /dev,
+.br
+   Networking: enabled
+.br
+
+.br
+26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+.br
+                 /run/user/1000,
+.br
+   Networking: enabled
+.br
+
+.br
+26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+.br
+   Warning: AppArmor not enabled
+.br
+   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+.br
+                 /usr/share, /run/user/1000,
+.br
+   Warning: I can run programs in /home/netblue
+.br
+   Networking: enabled
+.br
+
+
+.SH LICENSE
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+.PP
+Homepage: https://firejail.wordpress.com
+.SH SEE ALSO
+.BR firejail (1),
+.BR firemon (1),
+.BR firecfg (1),
+.BR firejail-profile (5),
+.BR firejail-login (5),
+.BR firejail-users (5),
diff --git a/src/man/preproc.awk b/src/man/preproc.awk
new file mode 100755
index 000000000..1ce5c82de
--- /dev/null
+++ b/src/man/preproc.awk
@@ -0,0 +1,55 @@
+#!/usr/bin/gawk -E
+
+# Copyright (c) 2019-2021 rusty-snake
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+BEGIN {
+        macros[0] = 0
+        for (arg in ARGV) {
+                if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) {
+                        macros[length(macros) + 1] = substr(ARGV[arg], 3)
+                }
+                ARGV[arg] = ""
+        }
+
+        include = 1
+}
+/^#ifdef [A-Z0-9_]+$/ {
+        macro = substr($0, 8)
+        for (i in macros) {
+                if (macros[i] == macro) {
+                        include = 1
+                        next
+                }
+        }
+        include = 0
+}
+/^#if 0$/ {
+        include = 0
+        next
+}
+/^#endif$/ {
+        include = 1
+        next
+}
+{
+        if (include)
+                print
+}
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
new file mode 100644
index 000000000..e025f5939
--- /dev/null
+++ b/src/profstats/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: profstats
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+profstats: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/profstats/main.c b/src/profstats/main.c
new file mode 100644
index 000000000..10e44bd65
--- /dev/null
+++ b/src/profstats/main.c
@@ -0,0 +1,378 @@
+ /*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 2048
+// stats
+static int cnt_profiles = 0;
+static int cnt_apparmor = 0;
+static int cnt_seccomp = 0;
+static int cnt_caps = 0;
+static int cnt_dbus_system_none = 0;
+static int cnt_dbus_user_none = 0;
+static int cnt_dbus_system_filter = 0;
+static int cnt_dbus_user_filter = 0;
+static int cnt_dotlocal = 0;
+static int cnt_globalsdotlocal = 0;
+static int cnt_netnone = 0;
+static int cnt_noexec = 0;      // include disable-exec.inc
+static int cnt_privatebin = 0;
+static int cnt_privatedev = 0;
+static int cnt_privatetmp = 0;
+static int cnt_privateetc = 0;
+static int cnt_whitelistvar = 0;        // include whitelist-var-common.inc
+static int cnt_whitelistrunuser = 0;    // include whitelist-runuser-common.inc
+static int cnt_whitelistusrshare = 0;   // include whitelist-usr-share-common.inc
+static int cnt_ssh = 0;
+static int cnt_mdwx = 0;
+static int cnt_whitelisthome = 0;
+static int cnt_noroot = 0;
+
+static int level = 0;
+static int arg_debug = 0;
+static int arg_apparmor = 0;
+static int arg_caps = 0;
+static int arg_seccomp = 0;
+static int arg_noexec = 0;
+static int arg_privatebin = 0;
+static int arg_privatedev = 0;
+static int arg_privatetmp = 0;
+static int arg_privateetc = 0;
+static int arg_whitelistvar = 0;
+static int arg_whitelistrunuser = 0;
+static int arg_whitelistusrshare = 0;
+static int arg_ssh = 0;
+static int arg_mdwx = 0;
+static int arg_dbus_system_none = 0;
+static int arg_dbus_user_none = 0;
+static int arg_whitelisthome = 0;
+static int arg_noroot = 0;
+
+
+static char *profile = NULL;
+
+
+static void usage(void) {
+        printf("proftool - print profile statistics\n");
+        printf("Usage: proftool [options] file[s]\n");
+        printf("Options:\n");
+        printf("   --apparmor - print profiles without apparmor\n");
+        printf("   --caps - print profiles without caps\n");
+        printf("   --dbus-system-none - profiles without  \"dbus-system none\"\n");
+        printf("   --dbus-user-none - profiles without  \"dbus-user none\"\n");
+        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
+        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
+        printf("   --noroot - print profiles without \"noroot\"\n");
+        printf("   --private-bin - print profiles without private-bin\n");
+        printf("   --private-dev - print profiles without private-dev\n");
+        printf("   --private-etc - print profiles without private-etc\n");
+        printf("   --private-tmp - print profiles without private-tmp\n");
+        printf("   --seccomp - print profiles without seccomp\n");
+        printf("   --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+        printf("   --whitelist-home - print profiles whitelisting home directory\n");
+        printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+        printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
+        printf("   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
+        printf("   --debug\n");
+        printf("\n");
+}
+
+void process_file(const char *fname) {
+        assert(fname);
+
+        if (arg_debug)
+                printf("processing #%s#\n", fname);
+        level++;
+        assert(level < 32); // to do - check in firejail code
+
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
+                level--;
+                return;
+        }
+
+        int have_include_local = 0;
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                ptr = buf;
+
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                if (*ptr == '\n' || *ptr == '#')
+                        continue;
+
+                if (strncmp(ptr, "seccomp", 7) == 0)
+                        cnt_seccomp++;
+                else if (strncmp(ptr, "caps", 4) == 0)
+                        cnt_caps++;
+                else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
+                        cnt_noexec++;
+                else if (strncmp(ptr, "noroot", 6) == 0)
+                        cnt_noroot++;
+                else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
+                        cnt_whitelistvar++;
+                else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
+                        strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0)
+                        cnt_whitelistrunuser++;
+                else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0)
+                        cnt_whitelisthome++;
+                else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)
+                        cnt_whitelistusrshare++;
+                else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
+                        cnt_ssh++;
+                else if (strncmp(ptr, "memory-deny-write-execute", 25) == 0)
+                        cnt_mdwx++;
+                else if (strncmp(ptr, "net none", 8) == 0)
+                        cnt_netnone++;
+                else if (strncmp(ptr, "apparmor", 8) == 0)
+                        cnt_apparmor++;
+                else if (strncmp(ptr, "private-bin", 11) == 0)
+                        cnt_privatebin++;
+                else if (strncmp(ptr, "private-dev", 11) == 0)
+                        cnt_privatedev++;
+                else if (strncmp(ptr, "private-tmp", 11) == 0)
+                        cnt_privatetmp++;
+                else if (strncmp(ptr, "private-etc", 11) == 0)
+                        cnt_privateetc++;
+                else if (strncmp(ptr, "dbus-system none", 16) == 0)
+                        cnt_dbus_system_none++;
+                else if (strncmp(ptr, "dbus-system", 11) == 0)
+                        cnt_dbus_system_filter++;
+                else if (strncmp(ptr, "dbus-user none", 14) == 0)
+                        cnt_dbus_user_none++;
+                else if (strncmp(ptr, "dbus-user", 9) == 0)
+                        cnt_dbus_user_filter++;
+                else if (strncmp(ptr, "include ", 8) == 0) {
+                        // not processing .local files
+                        if (strstr(ptr, ".local")) {
+                                have_include_local = 1;
+//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
+                                if (strstr(ptr, "globals.local"))
+                                        cnt_globalsdotlocal++;
+                                else
+                                        cnt_dotlocal++;
+                                continue;
+                        }
+                        // clean blanks
+                        char *ptr = buf + 8;
+                        while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t')
+                                ptr++;
+                        *ptr = '\0';
+                        process_file(buf + 8);
+                }
+        }
+
+        fclose(fp);
+        if (!have_include_local)
+                printf("No include .local found in %s\n", fname);
+        level--;
+}
+
+int main(int argc, char **argv) {
+        if (argc <= 1) {
+                usage();
+                return 1;
+        }
+
+        int start = 1;
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+                else if (strcmp(argv[i], "--caps") == 0)
+                        arg_caps = 1;
+                else if (strcmp(argv[i], "--seccomp") == 0)
+                        arg_seccomp = 1;
+                else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
+                        arg_mdwx = 1;
+                else if (strcmp(argv[i], "--noexec") == 0)
+                        arg_noexec = 1;
+                else if (strcmp(argv[i], "--noroot") == 0)
+                        arg_noroot = 1;
+                else if (strcmp(argv[i], "--private-bin") == 0)
+                        arg_privatebin = 1;
+                else if (strcmp(argv[i], "--private-dev") == 0)
+                        arg_privatedev = 1;
+                else if (strcmp(argv[i], "--private-tmp") == 0)
+                        arg_privatetmp = 1;
+                else if (strcmp(argv[i], "--private-etc") == 0)
+                        arg_privateetc = 1;
+                else if (strcmp(argv[i], "--whitelist-home") == 0)
+                        arg_whitelisthome = 1;
+                else if (strcmp(argv[i], "--whitelist-var") == 0)
+                        arg_whitelistvar = 1;
+                else if (strcmp(argv[i], "--whitelist-runuser") == 0)
+                        arg_whitelistrunuser = 1;
+                else if (strcmp(argv[i], "--whitelist-usrshare") == 0)
+                        arg_whitelistusrshare = 1;
+                else if (strcmp(argv[i], "--ssh") == 0)
+                        arg_ssh = 1;
+                else if (strcmp(argv[i], "--dbus-system-none") == 0)
+                        arg_dbus_system_none = 1;
+                else if (strcmp(argv[i], "--dbus-user-none") == 0)
+                        arg_dbus_user_none = 1;
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid option %s\n", argv[i]);
+                        return 1;
+                 }
+                 else
+                        break;
+        }
+
+        start = i;
+        if (i == argc) {
+                fprintf(stderr, "Error: no profile file specified\n");
+                return 1;
+        }
+
+        for (i = start; i < argc; i++) {
+                cnt_profiles++;
+
+                // watch seccomp
+                int seccomp = cnt_seccomp;
+                int caps = cnt_caps;
+                int apparmor = cnt_apparmor;
+                int noexec = cnt_noexec;
+                int noroot = cnt_noroot;
+                int privatebin = cnt_privatebin;
+                int privatetmp = cnt_privatetmp;
+                int privatedev = cnt_privatedev;
+                int privateetc = cnt_privateetc;
+                int dotlocal = cnt_dotlocal;
+                int globalsdotlocal = cnt_globalsdotlocal;
+                int whitelisthome = cnt_whitelisthome;
+                int whitelistvar = cnt_whitelistvar;
+                int whitelistrunuser = cnt_whitelistrunuser;
+                int whitelistusrshare = cnt_whitelistusrshare;
+                int dbussystemnone = cnt_dbus_system_none;
+                int dbussystemfilter = cnt_dbus_system_filter;
+                int dbususernone = cnt_dbus_user_none;
+                int dbususerfilter = cnt_dbus_user_filter;
+                int ssh = cnt_ssh;
+                int mdwx = cnt_mdwx;
+
+                // process file
+                profile = argv[i];
+                process_file(argv[i]);
+
+                // warnings
+                if ((caps + 2) <= cnt_caps) {
+                        printf("Warning: multiple caps in %s\n", argv[i]);
+                        cnt_caps = caps + 1;
+                }
+
+                // fix redirections
+                if (cnt_dotlocal > (dotlocal + 1))
+                        cnt_dotlocal = dotlocal + 1;
+                if (cnt_globalsdotlocal > (globalsdotlocal + 1))
+                        cnt_globalsdotlocal = globalsdotlocal + 1;
+                if (cnt_whitelistrunuser > (whitelistrunuser + 1))
+                        cnt_whitelistrunuser = whitelistrunuser + 1;
+                if (cnt_seccomp > (seccomp + 1))
+                        cnt_seccomp = seccomp + 1;
+                if (cnt_dbus_user_none > (dbususernone + 1))
+                        cnt_dbus_user_none = dbususernone + 1;
+                if (cnt_dbus_user_filter > (dbususerfilter + 1))
+                        cnt_dbus_user_filter = dbususerfilter + 1;
+                if (cnt_dbus_system_none > (dbussystemnone + 1))
+                        cnt_dbus_system_none = dbussystemnone + 1;
+                if (cnt_dbus_system_filter > (dbussystemfilter + 1))
+                        cnt_dbus_system_filter = dbussystemfilter + 1;
+
+                if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
+                        printf("No dbus-system none found in %s\n", argv[i]);
+                if (arg_dbus_user_none && dbususernone == cnt_dbus_user_none)
+                        printf("No dbus-user none found in %s\n", argv[i]);
+                if (arg_apparmor && apparmor == cnt_apparmor)
+                        printf("No apparmor found in %s\n", argv[i]);
+                if (arg_caps && caps == cnt_caps)
+                        printf("No caps found in %s\n", argv[i]);
+                if (arg_seccomp && seccomp == cnt_seccomp)
+                        printf("No seccomp found in %s\n", argv[i]);
+                if (arg_noexec && noexec == cnt_noexec)
+                        printf("No include disable-exec.inc found in %s\n", argv[i]);
+                if (arg_noroot && noroot == cnt_noroot)
+                        printf("No noroot found in %s\n", argv[i]);
+                if (arg_privatedev && privatedev == cnt_privatedev)
+                        printf("No private-dev found in %s\n", argv[i]);
+                if (arg_privatebin && privatebin == cnt_privatebin)
+                        printf("No private-bin found in %s\n", argv[i]);
+                if (arg_privatetmp && privatetmp == cnt_privatetmp)
+                        printf("No private-tmp found in %s\n", argv[i]);
+                if (arg_privateetc && privateetc == cnt_privateetc)
+                        printf("No private-etc found in %s\n", argv[i]);
+                if (arg_whitelisthome && whitelisthome == cnt_whitelisthome)
+                        printf("Home directory not whitelisted in %s\n", argv[i]);
+                if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
+                        printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+                if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
+                        printf("No include whitelist-runuser-common.inc found in %s\n", argv[i]);
+                if (arg_whitelistusrshare && whitelistusrshare == cnt_whitelistusrshare)
+                        printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]);
+                if (arg_ssh && ssh == cnt_ssh)
+                        printf("No include disable-common.inc found in %s\n", argv[i]);
+                if (arg_mdwx && mdwx == cnt_mdwx)
+                        printf("No memory-deny-write-execute found in %s\n", argv[i]);
+
+                assert(level == 0);
+        }
+
+        printf("\n");
+        printf("Stats:\n");
+        printf("    profiles\t\t\t%d\n", cnt_profiles);
+        printf("    include local profile\t%d   (include profile-name.local)\n", cnt_dotlocal);
+        printf("    include globals\t\t%d   (include globals.local)\n", cnt_globalsdotlocal);
+        printf("    blacklist ~/.ssh\t\t%d   (include disable-common.inc)\n", cnt_ssh);
+        printf("    seccomp\t\t\t%d\n", cnt_seccomp);
+        printf("    capabilities\t\t%d\n", cnt_caps);
+        printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
+        printf("    noroot\t\t\t%d\n", cnt_noroot);
+        printf("    memory-deny-write-execute\t%d\n", cnt_mdwx);
+        printf("    apparmor\t\t\t%d\n", cnt_apparmor);
+        printf("    private-bin\t\t\t%d\n", cnt_privatebin);
+        printf("    private-dev\t\t\t%d\n", cnt_privatedev);
+        printf("    private-etc\t\t\t%d\n", cnt_privateetc);
+        printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);
+        printf("    whitelist home directory\t%d\n", cnt_whitelisthome);
+        printf("    whitelist var\t\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+        printf("    whitelist run/user\t\t%d   (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser);
+        printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
+        printf("    whitelist usr/share\t\t%d   (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
+        printf("    net none\t\t\t%d\n", cnt_netnone);
+        printf("    dbus-user none \t\t%d\n", cnt_dbus_user_none);
+        printf("    dbus-user filter \t\t%d\n", cnt_dbus_user_filter);
+        printf("    dbus-system none \t\t%d\n", cnt_dbus_system_none);
+        printf("    dbus-system filter \t\t%d\n", cnt_dbus_system_filter);
+        printf("\n");
+        return 0;
+}
diff --git a/src/tools/check-caps.sh b/src/tools/check-caps.sh
index 13525677b..b7026b1cd 100755
--- a/src/tools/check-caps.sh
+++ b/src/tools/check-caps.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 if [ $# -eq 0 ]
 then
diff --git a/src/tools/config-4.4.0-1-grsec-amd64 b/src/tools/config-4.4.0-1-grsec-amd64
deleted file mode 100644
index 82215c460..000000000
--- a/src/tools/config-4.4.0-1-grsec-amd64
+++ /dev/null
@@ -1,7430 +0,0 @@
-#
-# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.4.6 Kernel Configuration
-#
-CONFIG_64BIT=y
-CONFIG_X86_64=y
-CONFIG_X86=y
-CONFIG_INSTRUCTION_DECODER=y
-CONFIG_PERF_EVENTS_INTEL_UNCORE=y
-CONFIG_OUTPUT_FORMAT="elf64-x86-64"
-CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
-CONFIG_LOCKDEP_SUPPORT=y
-CONFIG_STACKTRACE_SUPPORT=y
-CONFIG_HAVE_LATENCYTOP_SUPPORT=y
-CONFIG_MMU=y
-CONFIG_NEED_DMA_MAP_STATE=y
-CONFIG_NEED_SG_DMA_LENGTH=y
-CONFIG_GENERIC_ISA_DMA=y
-CONFIG_GENERIC_BUG=y
-CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
-CONFIG_GENERIC_HWEIGHT=y
-CONFIG_ARCH_MAY_HAVE_PC_FDC=y
-CONFIG_RWSEM_XCHGADD_ALGORITHM=y
-CONFIG_GENERIC_CALIBRATE_DELAY=y
-CONFIG_ARCH_HAS_CPU_RELAX=y
-CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
-CONFIG_HAVE_SETUP_PER_CPU_AREA=y
-CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
-CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
-CONFIG_ARCH_HIBERNATION_POSSIBLE=y
-CONFIG_ARCH_SUSPEND_POSSIBLE=y
-CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
-CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
-CONFIG_ZONE_DMA32=y
-CONFIG_AUDIT_ARCH=y
-CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
-CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
-CONFIG_HAVE_INTEL_TXT=y
-CONFIG_X86_64_SMP=y
-CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
-CONFIG_ARCH_SUPPORTS_UPROBES=y
-CONFIG_FIX_EARLYCON_MEM=y
-CONFIG_PGTABLE_LEVELS=4
-CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
-CONFIG_IRQ_WORK=y
-CONFIG_BUILDTIME_EXTABLE_SORT=y
-
-#
-# General setup
-#
-CONFIG_INIT_ENV_ARG_LIMIT=32
-CONFIG_CROSS_COMPILE=""
-# CONFIG_COMPILE_TEST is not set
-CONFIG_LOCALVERSION=""
-# CONFIG_LOCALVERSION_AUTO is not set
-CONFIG_HAVE_KERNEL_GZIP=y
-CONFIG_HAVE_KERNEL_BZIP2=y
-CONFIG_HAVE_KERNEL_LZMA=y
-CONFIG_HAVE_KERNEL_XZ=y
-CONFIG_HAVE_KERNEL_LZO=y
-CONFIG_HAVE_KERNEL_LZ4=y
-# CONFIG_KERNEL_GZIP is not set
-# CONFIG_KERNEL_BZIP2 is not set
-# CONFIG_KERNEL_LZMA is not set
-CONFIG_KERNEL_XZ=y
-# CONFIG_KERNEL_LZO is not set
-# CONFIG_KERNEL_LZ4 is not set
-CONFIG_DEFAULT_HOSTNAME="(none)"
-CONFIG_SWAP=y
-CONFIG_SYSVIPC=y
-CONFIG_SYSVIPC_SYSCTL=y
-CONFIG_POSIX_MQUEUE=y
-CONFIG_POSIX_MQUEUE_SYSCTL=y
-CONFIG_CROSS_MEMORY_ATTACH=y
-CONFIG_FHANDLE=y
-CONFIG_AUDIT=y
-CONFIG_HAVE_ARCH_AUDITSYSCALL=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
-
-#
-# IRQ subsystem
-#
-CONFIG_GENERIC_IRQ_PROBE=y
-CONFIG_GENERIC_IRQ_SHOW=y
-CONFIG_GENERIC_PENDING_IRQ=y
-CONFIG_GENERIC_IRQ_CHIP=y
-CONFIG_IRQ_DOMAIN=y
-CONFIG_IRQ_DOMAIN_HIERARCHY=y
-CONFIG_GENERIC_MSI_IRQ=y
-CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
-CONFIG_IRQ_FORCED_THREADING=y
-CONFIG_SPARSE_IRQ=y
-CONFIG_CLOCKSOURCE_WATCHDOG=y
-CONFIG_ARCH_CLOCKSOURCE_DATA=y
-CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
-CONFIG_GENERIC_TIME_VSYSCALL=y
-CONFIG_GENERIC_CLOCKEVENTS=y
-CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
-CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
-CONFIG_GENERIC_CMOS_UPDATE=y
-
-#
-# Timers subsystem
-#
-CONFIG_TICK_ONESHOT=y
-CONFIG_NO_HZ_COMMON=y
-# CONFIG_HZ_PERIODIC is not set
-CONFIG_NO_HZ_IDLE=y
-# CONFIG_NO_HZ_FULL is not set
-# CONFIG_NO_HZ is not set
-CONFIG_HIGH_RES_TIMERS=y
-
-#
-# CPU/Task time and stats accounting
-#
-CONFIG_TICK_CPU_ACCOUNTING=y
-# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
-# CONFIG_IRQ_TIME_ACCOUNTING is not set
-CONFIG_BSD_PROCESS_ACCT=y
-CONFIG_BSD_PROCESS_ACCT_V3=y
-CONFIG_TASKSTATS=y
-CONFIG_TASK_DELAY_ACCT=y
-CONFIG_TASK_XACCT=y
-CONFIG_TASK_IO_ACCOUNTING=y
-
-#
-# RCU Subsystem
-#
-CONFIG_TREE_RCU=y
-# CONFIG_RCU_EXPERT is not set
-CONFIG_SRCU=y
-# CONFIG_TASKS_RCU is not set
-CONFIG_RCU_STALL_COMMON=y
-# CONFIG_RCU_EXPEDITE_BOOT is not set
-CONFIG_BUILD_BIN2C=y
-# CONFIG_IKCONFIG is not set
-CONFIG_LOG_BUF_SHIFT=17
-CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
-CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
-CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
-CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
-CONFIG_NUMA_BALANCING=y
-# CONFIG_NUMA_BALANCING_DEFAULT_ENABLED is not set
-CONFIG_CGROUPS=y
-# CONFIG_CGROUP_DEBUG is not set
-CONFIG_CGROUP_FREEZER=y
-CONFIG_CGROUP_PIDS=y
-CONFIG_CGROUP_DEVICE=y
-CONFIG_CPUSETS=y
-CONFIG_PROC_PID_CPUSET=y
-CONFIG_CGROUP_CPUACCT=y
-CONFIG_PAGE_COUNTER=y
-CONFIG_MEMCG=y
-CONFIG_MEMCG_DISABLED=y
-CONFIG_MEMCG_SWAP=y
-# CONFIG_MEMCG_SWAP_ENABLED is not set
-# CONFIG_MEMCG_KMEM is not set
-# CONFIG_CGROUP_HUGETLB is not set
-CONFIG_CGROUP_PERF=y
-CONFIG_CGROUP_SCHED=y
-CONFIG_FAIR_GROUP_SCHED=y
-CONFIG_CFS_BANDWIDTH=y
-# CONFIG_RT_GROUP_SCHED is not set
-CONFIG_BLK_CGROUP=y
-# CONFIG_DEBUG_BLK_CGROUP is not set
-CONFIG_CGROUP_WRITEBACK=y
-CONFIG_NAMESPACES=y
-CONFIG_UTS_NS=y
-CONFIG_IPC_NS=y
-CONFIG_USER_NS=y
-CONFIG_PID_NS=y
-CONFIG_NET_NS=y
-CONFIG_SCHED_AUTOGROUP=y
-# CONFIG_SYSFS_DEPRECATED is not set
-CONFIG_RELAY=y
-CONFIG_BLK_DEV_INITRD=y
-CONFIG_INITRAMFS_SOURCE=""
-CONFIG_RD_GZIP=y
-CONFIG_RD_BZIP2=y
-CONFIG_RD_LZMA=y
-CONFIG_RD_XZ=y
-CONFIG_RD_LZO=y
-CONFIG_RD_LZ4=y
-# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
-CONFIG_SYSCTL=y
-CONFIG_ANON_INODES=y
-CONFIG_HAVE_UID16=y
-CONFIG_SYSCTL_EXCEPTION_TRACE=y
-CONFIG_HAVE_PCSPKR_PLATFORM=y
-CONFIG_BPF=y
-CONFIG_EXPERT=y
-CONFIG_UID16=y
-CONFIG_MULTIUSER=y
-CONFIG_SGETMASK_SYSCALL=y
-CONFIG_SYSFS_SYSCALL=y
-# CONFIG_SYSCTL_SYSCALL is not set
-CONFIG_KALLSYMS=y
-CONFIG_KALLSYMS_ALL=y
-CONFIG_PRINTK=y
-CONFIG_BUG=y
-CONFIG_ELF_CORE=y
-CONFIG_PCSPKR_PLATFORM=y
-CONFIG_BASE_FULL=y
-CONFIG_FUTEX=y
-CONFIG_EPOLL=y
-CONFIG_SIGNALFD=y
-CONFIG_TIMERFD=y
-CONFIG_EVENTFD=y
-CONFIG_BPF_SYSCALL=y
-CONFIG_SHMEM=y
-CONFIG_AIO=y
-CONFIG_ADVISE_SYSCALLS=y
-# CONFIG_USERFAULTFD is not set
-CONFIG_PCI_QUIRKS=y
-CONFIG_MEMBARRIER=y
-# CONFIG_EMBEDDED is not set
-CONFIG_HAVE_PERF_EVENTS=y
-
-#
-# Kernel Performance Events And Counters
-#
-CONFIG_PERF_EVENTS=y
-# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
-CONFIG_VM_EVENT_COUNTERS=y
-# CONFIG_COMPAT_BRK is not set
-CONFIG_SLAB=y
-# CONFIG_SLUB is not set
-# CONFIG_SLOB is not set
-# CONFIG_SYSTEM_DATA_VERIFICATION is not set
-CONFIG_PROFILING=y
-CONFIG_OPROFILE=m
-# CONFIG_OPROFILE_EVENT_MULTIPLEX is not set
-CONFIG_HAVE_OPROFILE=y
-CONFIG_OPROFILE_NMI_TIMER=y
-CONFIG_KPROBES=y
-CONFIG_JUMP_LABEL=y
-# CONFIG_STATIC_KEYS_SELFTEST is not set
-CONFIG_OPTPROBES=y
-# CONFIG_UPROBES is not set
-# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
-CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
-CONFIG_ARCH_USE_BUILTIN_BSWAP=y
-CONFIG_KRETPROBES=y
-CONFIG_USER_RETURN_NOTIFIER=y
-CONFIG_HAVE_IOREMAP_PROT=y
-CONFIG_HAVE_KPROBES=y
-CONFIG_HAVE_KRETPROBES=y
-CONFIG_HAVE_OPTPROBES=y
-CONFIG_HAVE_KPROBES_ON_FTRACE=y
-CONFIG_HAVE_ARCH_TRACEHOOK=y
-CONFIG_HAVE_DMA_ATTRS=y
-CONFIG_HAVE_DMA_CONTIGUOUS=y
-CONFIG_GENERIC_SMP_IDLE_THREAD=y
-CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
-CONFIG_HAVE_CLK=y
-CONFIG_HAVE_DMA_API_DEBUG=y
-CONFIG_HAVE_HW_BREAKPOINT=y
-CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
-CONFIG_HAVE_USER_RETURN_NOTIFIER=y
-CONFIG_HAVE_PERF_EVENTS_NMI=y
-CONFIG_HAVE_PERF_REGS=y
-CONFIG_HAVE_PERF_USER_STACK_DUMP=y
-CONFIG_HAVE_ARCH_JUMP_LABEL=y
-CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
-CONFIG_HAVE_CMPXCHG_LOCAL=y
-CONFIG_HAVE_CMPXCHG_DOUBLE=y
-CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
-CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y
-CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
-CONFIG_SECCOMP_FILTER=y
-CONFIG_HAVE_CC_STACKPROTECTOR=y
-CONFIG_CC_STACKPROTECTOR=y
-# CONFIG_CC_STACKPROTECTOR_NONE is not set
-# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
-CONFIG_CC_STACKPROTECTOR_STRONG=y
-CONFIG_HAVE_CONTEXT_TRACKING=y
-CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
-CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
-CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
-CONFIG_HAVE_ARCH_HUGE_VMAP=y
-CONFIG_HAVE_ARCH_SOFT_DIRTY=y
-CONFIG_MODULES_USE_ELF_RELA=y
-CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
-CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
-CONFIG_HAVE_COPY_THREAD_TLS=y
-CONFIG_OLD_SIGSUSPEND3=y
-CONFIG_COMPAT_OLD_SIGACTION=y
-
-#
-# GCOV-based kernel profiling
-#
-CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
-# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
-CONFIG_SLABINFO=y
-CONFIG_RT_MUTEXES=y
-CONFIG_BASE_SMALL=0
-CONFIG_MODULES=y
-CONFIG_MODULE_FORCE_LOAD=y
-CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_FORCE_UNLOAD=y
-CONFIG_MODVERSIONS=y
-# CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
-# CONFIG_MODULE_COMPRESS is not set
-CONFIG_MODULES_TREE_LOOKUP=y
-CONFIG_BLOCK=y
-CONFIG_BLK_DEV_BSG=y
-CONFIG_BLK_DEV_BSGLIB=y
-CONFIG_BLK_DEV_INTEGRITY=y
-CONFIG_BLK_DEV_THROTTLING=y
-# CONFIG_BLK_CMDLINE_PARSER is not set
-
-#
-# Partition Types
-#
-CONFIG_PARTITION_ADVANCED=y
-CONFIG_ACORN_PARTITION=y
-# CONFIG_ACORN_PARTITION_CUMANA is not set
-# CONFIG_ACORN_PARTITION_EESOX is not set
-CONFIG_ACORN_PARTITION_ICS=y
-# CONFIG_ACORN_PARTITION_ADFS is not set
-# CONFIG_ACORN_PARTITION_POWERTEC is not set
-CONFIG_ACORN_PARTITION_RISCIX=y
-# CONFIG_AIX_PARTITION is not set
-CONFIG_OSF_PARTITION=y
-CONFIG_AMIGA_PARTITION=y
-CONFIG_ATARI_PARTITION=y
-CONFIG_MAC_PARTITION=y
-CONFIG_MSDOS_PARTITION=y
-CONFIG_BSD_DISKLABEL=y
-CONFIG_MINIX_SUBPARTITION=y
-CONFIG_SOLARIS_X86_PARTITION=y
-CONFIG_UNIXWARE_DISKLABEL=y
-CONFIG_LDM_PARTITION=y
-# CONFIG_LDM_DEBUG is not set
-CONFIG_SGI_PARTITION=y
-CONFIG_ULTRIX_PARTITION=y
-CONFIG_SUN_PARTITION=y
-CONFIG_KARMA_PARTITION=y
-CONFIG_EFI_PARTITION=y
-# CONFIG_SYSV68_PARTITION is not set
-# CONFIG_CMDLINE_PARTITION is not set
-CONFIG_BLOCK_COMPAT=y
-
-#
-# IO Schedulers
-#
-CONFIG_IOSCHED_NOOP=y
-CONFIG_IOSCHED_DEADLINE=y
-CONFIG_IOSCHED_CFQ=y
-CONFIG_CFQ_GROUP_IOSCHED=y
-# CONFIG_DEFAULT_DEADLINE is not set
-CONFIG_DEFAULT_CFQ=y
-# CONFIG_DEFAULT_NOOP is not set
-CONFIG_DEFAULT_IOSCHED="cfq"
-CONFIG_PREEMPT_NOTIFIERS=y
-CONFIG_PADATA=y
-CONFIG_ASN1=m
-CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
-CONFIG_INLINE_READ_UNLOCK=y
-CONFIG_INLINE_READ_UNLOCK_IRQ=y
-CONFIG_INLINE_WRITE_UNLOCK=y
-CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
-CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
-CONFIG_MUTEX_SPIN_ON_OWNER=y
-CONFIG_RWSEM_SPIN_ON_OWNER=y
-CONFIG_LOCK_SPIN_ON_OWNER=y
-CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
-CONFIG_QUEUED_SPINLOCKS=y
-CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
-CONFIG_QUEUED_RWLOCKS=y
-CONFIG_FREEZER=y
-
-#
-# Processor type and features
-#
-# CONFIG_ZONE_DMA is not set
-CONFIG_SMP=y
-CONFIG_X86_FEATURE_NAMES=y
-CONFIG_X86_X2APIC=y
-CONFIG_X86_MPPARSE=y
-# CONFIG_X86_EXTENDED_PLATFORM is not set
-CONFIG_X86_INTEL_LPSS=y
-CONFIG_X86_AMD_PLATFORM_DEVICE=y
-CONFIG_IOSF_MBI=m
-CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
-CONFIG_SCHED_OMIT_FRAME_POINTER=y
-CONFIG_HYPERVISOR_GUEST=y
-CONFIG_PARAVIRT=y
-# CONFIG_PARAVIRT_DEBUG is not set
-CONFIG_PARAVIRT_SPINLOCKS=y
-# CONFIG_XEN is not set
-CONFIG_KVM_GUEST=y
-# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
-CONFIG_PARAVIRT_CLOCK=y
-CONFIG_NO_BOOTMEM=y
-# CONFIG_MK8 is not set
-# CONFIG_MPSC is not set
-# CONFIG_MCORE2 is not set
-# CONFIG_MATOM is not set
-CONFIG_GENERIC_CPU=y
-CONFIG_X86_INTERNODE_CACHE_SHIFT=6
-CONFIG_X86_L1_CACHE_SHIFT=6
-CONFIG_X86_TSC=y
-CONFIG_X86_CMPXCHG64=y
-CONFIG_X86_CMOV=y
-CONFIG_X86_MINIMUM_CPU_FAMILY=64
-CONFIG_X86_DEBUGCTLMSR=y
-# CONFIG_PROCESSOR_SELECT is not set
-CONFIG_CPU_SUP_INTEL=y
-CONFIG_CPU_SUP_AMD=y
-CONFIG_CPU_SUP_CENTAUR=y
-CONFIG_HPET_TIMER=y
-CONFIG_HPET_EMULATE_RTC=y
-CONFIG_DMI=y
-CONFIG_GART_IOMMU=y
-CONFIG_CALGARY_IOMMU=y
-CONFIG_CALGARY_IOMMU_ENABLED_BY_DEFAULT=y
-CONFIG_SWIOTLB=y
-CONFIG_IOMMU_HELPER=y
-# CONFIG_MAXSMP is not set
-CONFIG_NR_CPUS=512
-CONFIG_SCHED_SMT=y
-CONFIG_SCHED_MC=y
-# CONFIG_PREEMPT_NONE is not set
-CONFIG_PREEMPT_VOLUNTARY=y
-# CONFIG_PREEMPT is not set
-CONFIG_X86_LOCAL_APIC=y
-CONFIG_X86_IO_APIC=y
-CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
-CONFIG_X86_MCE=y
-CONFIG_X86_MCE_INTEL=y
-CONFIG_X86_MCE_AMD=y
-CONFIG_X86_MCE_THRESHOLD=y
-CONFIG_X86_MCE_INJECT=m
-CONFIG_X86_THERMAL_VECTOR=y
-# CONFIG_VM86 is not set
-CONFIG_X86_VSYSCALL_EMULATION=y
-CONFIG_I8K=m
-CONFIG_MICROCODE=y
-CONFIG_MICROCODE_INTEL=y
-CONFIG_MICROCODE_AMD=y
-CONFIG_MICROCODE_OLD_INTERFACE=y
-CONFIG_X86_MSR=m
-CONFIG_X86_CPUID=m
-CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
-CONFIG_ARCH_DMA_ADDR_T_64BIT=y
-CONFIG_X86_DIRECT_GBPAGES=y
-CONFIG_NUMA=y
-CONFIG_AMD_NUMA=y
-CONFIG_X86_64_ACPI_NUMA=y
-CONFIG_NODES_SPAN_OTHER_NODES=y
-CONFIG_NUMA_EMU=y
-CONFIG_NODES_SHIFT=6
-CONFIG_ARCH_SPARSEMEM_ENABLE=y
-CONFIG_ARCH_SPARSEMEM_DEFAULT=y
-CONFIG_ARCH_SELECT_MEMORY_MODEL=y
-# CONFIG_ARCH_MEMORY_PROBE is not set
-CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
-CONFIG_SELECT_MEMORY_MODEL=y
-CONFIG_SPARSEMEM_MANUAL=y
-CONFIG_SPARSEMEM=y
-CONFIG_NEED_MULTIPLE_NODES=y
-CONFIG_HAVE_MEMORY_PRESENT=y
-CONFIG_SPARSEMEM_EXTREME=y
-CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
-CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
-CONFIG_SPARSEMEM_VMEMMAP=y
-CONFIG_HAVE_MEMBLOCK=y
-CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
-CONFIG_ARCH_DISCARD_MEMBLOCK=y
-CONFIG_MEMORY_ISOLATION=y
-# CONFIG_MOVABLE_NODE is not set
-CONFIG_HAVE_BOOTMEM_INFO_NODE=y
-CONFIG_MEMORY_HOTPLUG=y
-CONFIG_MEMORY_HOTPLUG_SPARSE=y
-CONFIG_MEMORY_HOTREMOVE=y
-CONFIG_SPLIT_PTLOCK_CPUS=4
-CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
-CONFIG_MEMORY_BALLOON=y
-CONFIG_BALLOON_COMPACTION=y
-CONFIG_COMPACTION=y
-CONFIG_MIGRATION=y
-CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
-CONFIG_PHYS_ADDR_T_64BIT=y
-CONFIG_ZONE_DMA_FLAG=0
-CONFIG_VIRT_TO_BUS=y
-CONFIG_MMU_NOTIFIER=y
-CONFIG_KSM=y
-CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
-CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
-CONFIG_MEMORY_FAILURE=y
-CONFIG_TRANSPARENT_HUGEPAGE=y
-# CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS is not set
-CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
-# CONFIG_CLEANCACHE is not set
-CONFIG_FRONTSWAP=y
-# CONFIG_CMA is not set
-CONFIG_ZSWAP=y
-CONFIG_ZPOOL=y
-CONFIG_ZBUD=y
-CONFIG_ZSMALLOC=m
-# CONFIG_PGTABLE_MAPPING is not set
-CONFIG_GENERIC_EARLY_IOREMAP=y
-CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
-# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
-# CONFIG_IDLE_PAGE_TRACKING is not set
-CONFIG_ZONE_DEVICE=y
-CONFIG_FRAME_VECTOR=y
-CONFIG_X86_PMEM_LEGACY_DEVICE=y
-CONFIG_X86_PMEM_LEGACY=m
-# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
-CONFIG_X86_RESERVE_LOW=64
-CONFIG_MTRR=y
-CONFIG_MTRR_SANITIZER=y
-CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
-CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
-CONFIG_X86_PAT=y
-CONFIG_ARCH_USES_PG_UNCACHED=y
-CONFIG_ARCH_RANDOM=y
-CONFIG_X86_SMAP=y
-CONFIG_X86_INTEL_MPX=y
-CONFIG_EFI=y
-CONFIG_EFI_STUB=y
-CONFIG_EFI_MIXED=y
-CONFIG_SECCOMP=y
-# CONFIG_HZ_100 is not set
-CONFIG_HZ_250=y
-# CONFIG_HZ_300 is not set
-# CONFIG_HZ_1000 is not set
-CONFIG_HZ=250
-CONFIG_SCHED_HRTICK=y
-# CONFIG_KEXEC_FILE is not set
-CONFIG_CRASH_DUMP=y
-CONFIG_PHYSICAL_START=0x1000000
-CONFIG_RELOCATABLE=y
-CONFIG_RANDOMIZE_BASE=y
-CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000
-CONFIG_X86_NEED_RELOCS=y
-CONFIG_PHYSICAL_ALIGN=0x1000000
-CONFIG_HOTPLUG_CPU=y
-# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
-# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
-CONFIG_LEGACY_VSYSCALL_EMULATE=y
-# CONFIG_LEGACY_VSYSCALL_NONE is not set
-# CONFIG_CMDLINE_BOOL is not set
-CONFIG_MODIFY_LDT_SYSCALL=y
-CONFIG_DEFAULT_MODIFY_LDT_SYSCALL=y
-CONFIG_HAVE_LIVEPATCH=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
-CONFIG_USE_PERCPU_NUMA_NODE_ID=y
-
-#
-# Power management and ACPI options
-#
-CONFIG_SUSPEND=y
-CONFIG_SUSPEND_FREEZER=y
-# CONFIG_SUSPEND_SKIP_SYNC is not set
-CONFIG_PM_SLEEP=y
-CONFIG_PM_SLEEP_SMP=y
-# CONFIG_PM_AUTOSLEEP is not set
-# CONFIG_PM_WAKELOCKS is not set
-CONFIG_PM=y
-CONFIG_PM_DEBUG=y
-CONFIG_PM_ADVANCED_DEBUG=y
-# CONFIG_PM_TEST_SUSPEND is not set
-CONFIG_PM_SLEEP_DEBUG=y
-# CONFIG_DPM_WATCHDOG is not set
-# CONFIG_PM_TRACE_RTC is not set
-CONFIG_PM_CLK=y
-# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
-CONFIG_ACPI=y
-CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
-CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
-CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
-# CONFIG_ACPI_DEBUGGER is not set
-CONFIG_ACPI_SLEEP=y
-# CONFIG_ACPI_PROCFS_POWER is not set
-CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
-# CONFIG_ACPI_EC_DEBUGFS is not set
-CONFIG_ACPI_AC=m
-CONFIG_ACPI_BATTERY=m
-CONFIG_ACPI_BUTTON=m
-CONFIG_ACPI_VIDEO=m
-CONFIG_ACPI_FAN=m
-CONFIG_ACPI_DOCK=y
-CONFIG_ACPI_CPU_FREQ_PSS=y
-CONFIG_ACPI_PROCESSOR_IDLE=y
-CONFIG_ACPI_PROCESSOR=m
-CONFIG_ACPI_IPMI=m
-CONFIG_ACPI_HOTPLUG_CPU=y
-CONFIG_ACPI_PROCESSOR_AGGREGATOR=m
-CONFIG_ACPI_THERMAL=m
-CONFIG_ACPI_NUMA=y
-# CONFIG_ACPI_CUSTOM_DSDT is not set
-CONFIG_ACPI_INITRD_TABLE_OVERRIDE=y
-# CONFIG_ACPI_DEBUG is not set
-CONFIG_ACPI_PCI_SLOT=y
-CONFIG_X86_PM_TIMER=y
-CONFIG_ACPI_CONTAINER=y
-CONFIG_ACPI_HOTPLUG_MEMORY=y
-CONFIG_ACPI_HOTPLUG_IOAPIC=y
-CONFIG_ACPI_SBS=m
-CONFIG_ACPI_HED=y
-CONFIG_ACPI_BGRT=y
-# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
-CONFIG_ACPI_NFIT=m
-CONFIG_HAVE_ACPI_APEI=y
-CONFIG_HAVE_ACPI_APEI_NMI=y
-CONFIG_ACPI_APEI=y
-CONFIG_ACPI_APEI_GHES=y
-CONFIG_ACPI_APEI_PCIEAER=y
-CONFIG_ACPI_APEI_MEMORY_FAILURE=y
-# CONFIG_ACPI_APEI_ERST_DEBUG is not set
-CONFIG_ACPI_EXTLOG=y
-# CONFIG_PMIC_OPREGION is not set
-CONFIG_SFI=y
-
-#
-# CPU Frequency scaling
-#
-CONFIG_CPU_FREQ=y
-CONFIG_CPU_FREQ_GOV_COMMON=y
-CONFIG_CPU_FREQ_STAT=m
-# CONFIG_CPU_FREQ_STAT_DETAILS is not set
-# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set
-# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set
-# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set
-CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
-# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set
-CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
-CONFIG_CPU_FREQ_GOV_POWERSAVE=m
-CONFIG_CPU_FREQ_GOV_USERSPACE=m
-CONFIG_CPU_FREQ_GOV_ONDEMAND=y
-CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m
-
-#
-# CPU frequency scaling drivers
-#
-CONFIG_X86_INTEL_PSTATE=y
-CONFIG_X86_PCC_CPUFREQ=m
-CONFIG_X86_ACPI_CPUFREQ=m
-CONFIG_X86_ACPI_CPUFREQ_CPB=y
-CONFIG_X86_POWERNOW_K8=m
-CONFIG_X86_AMD_FREQ_SENSITIVITY=m
-CONFIG_X86_SPEEDSTEP_CENTRINO=m
-CONFIG_X86_P4_CLOCKMOD=m
-
-#
-# shared options
-#
-CONFIG_X86_SPEEDSTEP_LIB=m
-
-#
-# CPU Idle
-#
-CONFIG_CPU_IDLE=y
-CONFIG_CPU_IDLE_GOV_LADDER=y
-CONFIG_CPU_IDLE_GOV_MENU=y
-# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
-CONFIG_INTEL_IDLE=y
-
-#
-# Memory power savings
-#
-CONFIG_I7300_IDLE_IOAT_CHANNEL=y
-CONFIG_I7300_IDLE=m
-
-#
-# Bus options (PCI etc.)
-#
-CONFIG_PCI=y
-CONFIG_PCI_DIRECT=y
-CONFIG_PCI_MMCONFIG=y
-CONFIG_PCI_DOMAINS=y
-# CONFIG_PCI_CNB20LE_QUIRK is not set
-CONFIG_PCIEPORTBUS=y
-CONFIG_HOTPLUG_PCI_PCIE=y
-CONFIG_PCIEAER=y
-# CONFIG_PCIE_ECRC is not set
-CONFIG_PCIEAER_INJECT=m
-CONFIG_PCIEASPM=y
-# CONFIG_PCIEASPM_DEBUG is not set
-CONFIG_PCIEASPM_DEFAULT=y
-# CONFIG_PCIEASPM_POWERSAVE is not set
-# CONFIG_PCIEASPM_PERFORMANCE is not set
-CONFIG_PCIE_PME=y
-CONFIG_PCI_BUS_ADDR_T_64BIT=y
-CONFIG_PCI_MSI=y
-CONFIG_PCI_MSI_IRQ_DOMAIN=y
-# CONFIG_PCI_DEBUG is not set
-CONFIG_PCI_REALLOC_ENABLE_AUTO=y
-CONFIG_PCI_STUB=m
-CONFIG_HT_IRQ=y
-CONFIG_PCI_ATS=y
-CONFIG_PCI_IOV=y
-CONFIG_PCI_PRI=y
-CONFIG_PCI_PASID=y
-CONFIG_PCI_LABEL=y
-
-#
-# PCI host controller drivers
-#
-CONFIG_ISA_DMA_API=y
-CONFIG_AMD_NB=y
-CONFIG_PCCARD=m
-CONFIG_PCMCIA=m
-CONFIG_PCMCIA_LOAD_CIS=y
-CONFIG_CARDBUS=y
-
-#
-# PC-card bridges
-#
-CONFIG_YENTA=m
-CONFIG_YENTA_O2=y
-CONFIG_YENTA_RICOH=y
-CONFIG_YENTA_TI=y
-CONFIG_YENTA_ENE_TUNE=y
-CONFIG_YENTA_TOSHIBA=y
-CONFIG_PD6729=m
-CONFIG_I82092=m
-CONFIG_PCCARD_NONSTATIC=y
-CONFIG_HOTPLUG_PCI=y
-CONFIG_HOTPLUG_PCI_ACPI=y
-CONFIG_HOTPLUG_PCI_ACPI_IBM=m
-CONFIG_HOTPLUG_PCI_CPCI=y
-CONFIG_HOTPLUG_PCI_CPCI_ZT5550=m
-CONFIG_HOTPLUG_PCI_CPCI_GENERIC=m
-CONFIG_HOTPLUG_PCI_SHPC=m
-# CONFIG_RAPIDIO is not set
-CONFIG_X86_SYSFB=y
-
-#
-# Executable file formats / Emulations
-#
-CONFIG_BINFMT_ELF=y
-CONFIG_COMPAT_BINFMT_ELF=y
-CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
-CONFIG_BINFMT_SCRIPT=y
-# CONFIG_HAVE_AOUT is not set
-CONFIG_BINFMT_MISC=m
-CONFIG_COREDUMP=y
-CONFIG_IA32_EMULATION=y
-CONFIG_IA32_AOUT=y
-# CONFIG_X86_X32 is not set
-CONFIG_COMPAT=y
-CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
-CONFIG_SYSVIPC_COMPAT=y
-CONFIG_KEYS_COMPAT=y
-CONFIG_X86_DEV_DMA_OPS=y
-CONFIG_PMC_ATOM=y
-CONFIG_NET=y
-CONFIG_COMPAT_NETLINK_MESSAGES=y
-CONFIG_NET_INGRESS=y
-
-#
-# Networking options
-#
-CONFIG_PACKET=y
-CONFIG_PACKET_DIAG=m
-CONFIG_UNIX=y
-CONFIG_UNIX_DIAG=m
-CONFIG_XFRM=y
-CONFIG_XFRM_ALGO=m
-CONFIG_XFRM_USER=m
-CONFIG_XFRM_SUB_POLICY=y
-CONFIG_XFRM_MIGRATE=y
-# CONFIG_XFRM_STATISTICS is not set
-CONFIG_XFRM_IPCOMP=m
-CONFIG_NET_KEY=m
-CONFIG_NET_KEY_MIGRATE=y
-CONFIG_INET=y
-CONFIG_IP_MULTICAST=y
-CONFIG_IP_ADVANCED_ROUTER=y
-CONFIG_IP_FIB_TRIE_STATS=y
-CONFIG_IP_MULTIPLE_TABLES=y
-CONFIG_IP_ROUTE_MULTIPATH=y
-CONFIG_IP_ROUTE_VERBOSE=y
-CONFIG_IP_ROUTE_CLASSID=y
-# CONFIG_IP_PNP is not set
-CONFIG_NET_IPIP=m
-CONFIG_NET_IPGRE_DEMUX=m
-CONFIG_NET_IP_TUNNEL=m
-CONFIG_NET_IPGRE=m
-CONFIG_NET_IPGRE_BROADCAST=y
-CONFIG_IP_MROUTE=y
-CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
-CONFIG_IP_PIMSM_V1=y
-CONFIG_IP_PIMSM_V2=y
-CONFIG_SYN_COOKIES=y
-CONFIG_NET_IPVTI=m
-CONFIG_NET_UDP_TUNNEL=m
-CONFIG_NET_FOU=m
-CONFIG_NET_FOU_IP_TUNNELS=y
-CONFIG_INET_AH=m
-CONFIG_INET_ESP=m
-CONFIG_INET_IPCOMP=m
-CONFIG_INET_XFRM_TUNNEL=m
-CONFIG_INET_TUNNEL=m
-CONFIG_INET_XFRM_MODE_TRANSPORT=m
-CONFIG_INET_XFRM_MODE_TUNNEL=m
-CONFIG_INET_XFRM_MODE_BEET=m
-CONFIG_INET_LRO=m
-CONFIG_INET_DIAG=m
-CONFIG_INET_TCP_DIAG=m
-CONFIG_INET_UDP_DIAG=m
-CONFIG_TCP_CONG_ADVANCED=y
-CONFIG_TCP_CONG_BIC=m
-CONFIG_TCP_CONG_CUBIC=y
-CONFIG_TCP_CONG_WESTWOOD=m
-CONFIG_TCP_CONG_HTCP=m
-CONFIG_TCP_CONG_HSTCP=m
-CONFIG_TCP_CONG_HYBLA=m
-CONFIG_TCP_CONG_VEGAS=m
-CONFIG_TCP_CONG_SCALABLE=m
-CONFIG_TCP_CONG_LP=m
-CONFIG_TCP_CONG_VENO=m
-CONFIG_TCP_CONG_YEAH=m
-CONFIG_TCP_CONG_ILLINOIS=m
-CONFIG_TCP_CONG_DCTCP=m
-CONFIG_TCP_CONG_CDG=m
-CONFIG_DEFAULT_CUBIC=y
-# CONFIG_DEFAULT_RENO is not set
-CONFIG_DEFAULT_TCP_CONG="cubic"
-CONFIG_TCP_MD5SIG=y
-CONFIG_IPV6=y
-CONFIG_IPV6_ROUTER_PREF=y
-CONFIG_IPV6_ROUTE_INFO=y
-CONFIG_IPV6_OPTIMISTIC_DAD=y
-CONFIG_INET6_AH=m
-CONFIG_INET6_ESP=m
-CONFIG_INET6_IPCOMP=m
-CONFIG_IPV6_MIP6=y
-# CONFIG_IPV6_ILA is not set
-CONFIG_INET6_XFRM_TUNNEL=m
-CONFIG_INET6_TUNNEL=m
-CONFIG_INET6_XFRM_MODE_TRANSPORT=m
-CONFIG_INET6_XFRM_MODE_TUNNEL=m
-CONFIG_INET6_XFRM_MODE_BEET=m
-CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
-CONFIG_IPV6_VTI=m
-CONFIG_IPV6_SIT=m
-CONFIG_IPV6_SIT_6RD=y
-CONFIG_IPV6_NDISC_NODETYPE=y
-CONFIG_IPV6_TUNNEL=m
-CONFIG_IPV6_GRE=m
-CONFIG_IPV6_MULTIPLE_TABLES=y
-CONFIG_IPV6_SUBTREES=y
-CONFIG_IPV6_MROUTE=y
-CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
-CONFIG_IPV6_PIMSM_V2=y
-# CONFIG_NETLABEL is not set
-CONFIG_NETWORK_SECMARK=y
-CONFIG_NET_PTP_CLASSIFY=y
-# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
-CONFIG_NETFILTER=y
-# CONFIG_NETFILTER_DEBUG is not set
-CONFIG_NETFILTER_ADVANCED=y
-CONFIG_BRIDGE_NETFILTER=m
-
-#
-# Core Netfilter Configuration
-#
-CONFIG_NETFILTER_INGRESS=y
-CONFIG_NETFILTER_NETLINK=m
-CONFIG_NETFILTER_NETLINK_ACCT=m
-CONFIG_NETFILTER_NETLINK_QUEUE=m
-CONFIG_NETFILTER_NETLINK_LOG=m
-CONFIG_NF_CONNTRACK=m
-CONFIG_NF_LOG_COMMON=m
-CONFIG_NF_CONNTRACK_MARK=y
-CONFIG_NF_CONNTRACK_SECMARK=y
-CONFIG_NF_CONNTRACK_ZONES=y
-CONFIG_NF_CONNTRACK_PROCFS=y
-CONFIG_NF_CONNTRACK_EVENTS=y
-CONFIG_NF_CONNTRACK_TIMEOUT=y
-CONFIG_NF_CONNTRACK_TIMESTAMP=y
-CONFIG_NF_CONNTRACK_LABELS=y
-CONFIG_NF_CT_PROTO_DCCP=m
-CONFIG_NF_CT_PROTO_GRE=m
-CONFIG_NF_CT_PROTO_SCTP=m
-CONFIG_NF_CT_PROTO_UDPLITE=m
-CONFIG_NF_CONNTRACK_AMANDA=m
-CONFIG_NF_CONNTRACK_FTP=m
-CONFIG_NF_CONNTRACK_H323=m
-CONFIG_NF_CONNTRACK_IRC=m
-CONFIG_NF_CONNTRACK_BROADCAST=m
-CONFIG_NF_CONNTRACK_NETBIOS_NS=m
-CONFIG_NF_CONNTRACK_SNMP=m
-CONFIG_NF_CONNTRACK_PPTP=m
-CONFIG_NF_CONNTRACK_SANE=m
-CONFIG_NF_CONNTRACK_SIP=m
-CONFIG_NF_CONNTRACK_TFTP=m
-CONFIG_NF_CT_NETLINK=m
-CONFIG_NF_CT_NETLINK_TIMEOUT=m
-CONFIG_NF_CT_NETLINK_HELPER=m
-CONFIG_NETFILTER_NETLINK_GLUE_CT=y
-CONFIG_NF_NAT=m
-CONFIG_NF_NAT_NEEDED=y
-CONFIG_NF_NAT_PROTO_DCCP=m
-CONFIG_NF_NAT_PROTO_UDPLITE=m
-CONFIG_NF_NAT_PROTO_SCTP=m
-CONFIG_NF_NAT_AMANDA=m
-CONFIG_NF_NAT_FTP=m
-CONFIG_NF_NAT_IRC=m
-CONFIG_NF_NAT_SIP=m
-CONFIG_NF_NAT_TFTP=m
-CONFIG_NF_NAT_REDIRECT=m
-CONFIG_NETFILTER_SYNPROXY=m
-CONFIG_NF_TABLES=m
-CONFIG_NF_TABLES_INET=m
-CONFIG_NF_TABLES_NETDEV=m
-CONFIG_NFT_EXTHDR=m
-CONFIG_NFT_META=m
-CONFIG_NFT_CT=m
-CONFIG_NFT_RBTREE=m
-CONFIG_NFT_HASH=m
-CONFIG_NFT_COUNTER=m
-CONFIG_NFT_LOG=m
-CONFIG_NFT_LIMIT=m
-CONFIG_NFT_MASQ=m
-CONFIG_NFT_REDIR=m
-CONFIG_NFT_NAT=m
-CONFIG_NFT_QUEUE=m
-CONFIG_NFT_REJECT=m
-CONFIG_NFT_REJECT_INET=m
-CONFIG_NFT_COMPAT=m
-CONFIG_NETFILTER_XTABLES=m
-
-#
-# Xtables combined modules
-#
-CONFIG_NETFILTER_XT_MARK=m
-CONFIG_NETFILTER_XT_CONNMARK=m
-CONFIG_NETFILTER_XT_SET=m
-
-#
-# Xtables targets
-#
-CONFIG_NETFILTER_XT_TARGET_AUDIT=m
-CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
-CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
-CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
-CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
-CONFIG_NETFILTER_XT_TARGET_CT=m
-CONFIG_NETFILTER_XT_TARGET_DSCP=m
-CONFIG_NETFILTER_XT_TARGET_HL=m
-CONFIG_NETFILTER_XT_TARGET_HMARK=m
-CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
-CONFIG_NETFILTER_XT_TARGET_LED=m
-CONFIG_NETFILTER_XT_TARGET_LOG=m
-CONFIG_NETFILTER_XT_TARGET_MARK=m
-CONFIG_NETFILTER_XT_NAT=m
-CONFIG_NETFILTER_XT_TARGET_NETMAP=m
-CONFIG_NETFILTER_XT_TARGET_NFLOG=m
-CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
-# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
-CONFIG_NETFILTER_XT_TARGET_RATEEST=m
-CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
-CONFIG_NETFILTER_XT_TARGET_TEE=m
-CONFIG_NETFILTER_XT_TARGET_TPROXY=m
-CONFIG_NETFILTER_XT_TARGET_TRACE=m
-CONFIG_NETFILTER_XT_TARGET_SECMARK=m
-CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
-CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
-
-#
-# Xtables matches
-#
-CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
-CONFIG_NETFILTER_XT_MATCH_BPF=m
-CONFIG_NETFILTER_XT_MATCH_CGROUP=m
-CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
-CONFIG_NETFILTER_XT_MATCH_COMMENT=m
-CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
-CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
-CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
-CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
-CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
-CONFIG_NETFILTER_XT_MATCH_CPU=m
-CONFIG_NETFILTER_XT_MATCH_DCCP=m
-CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
-CONFIG_NETFILTER_XT_MATCH_DSCP=m
-CONFIG_NETFILTER_XT_MATCH_ECN=m
-CONFIG_NETFILTER_XT_MATCH_ESP=m
-# CONFIG_NETFILTER_XT_MATCH_GRADM is not set
-CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
-CONFIG_NETFILTER_XT_MATCH_HELPER=m
-CONFIG_NETFILTER_XT_MATCH_HL=m
-CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
-CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
-CONFIG_NETFILTER_XT_MATCH_IPVS=m
-CONFIG_NETFILTER_XT_MATCH_L2TP=m
-CONFIG_NETFILTER_XT_MATCH_LENGTH=m
-CONFIG_NETFILTER_XT_MATCH_LIMIT=m
-CONFIG_NETFILTER_XT_MATCH_MAC=m
-CONFIG_NETFILTER_XT_MATCH_MARK=m
-CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
-CONFIG_NETFILTER_XT_MATCH_NFACCT=m
-CONFIG_NETFILTER_XT_MATCH_OSF=m
-CONFIG_NETFILTER_XT_MATCH_OWNER=m
-CONFIG_NETFILTER_XT_MATCH_POLICY=m
-CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
-CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
-CONFIG_NETFILTER_XT_MATCH_QUOTA=m
-CONFIG_NETFILTER_XT_MATCH_RATEEST=m
-CONFIG_NETFILTER_XT_MATCH_REALM=m
-CONFIG_NETFILTER_XT_MATCH_RECENT=m
-CONFIG_NETFILTER_XT_MATCH_SCTP=m
-CONFIG_NETFILTER_XT_MATCH_SOCKET=m
-CONFIG_NETFILTER_XT_MATCH_STATE=m
-CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
-CONFIG_NETFILTER_XT_MATCH_STRING=m
-CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
-CONFIG_NETFILTER_XT_MATCH_TIME=m
-CONFIG_NETFILTER_XT_MATCH_U32=m
-CONFIG_IP_SET=m
-CONFIG_IP_SET_MAX=256
-CONFIG_IP_SET_BITMAP_IP=m
-CONFIG_IP_SET_BITMAP_IPMAC=m
-CONFIG_IP_SET_BITMAP_PORT=m
-CONFIG_IP_SET_HASH_IP=m
-CONFIG_IP_SET_HASH_IPMARK=m
-CONFIG_IP_SET_HASH_IPPORT=m
-CONFIG_IP_SET_HASH_IPPORTIP=m
-CONFIG_IP_SET_HASH_IPPORTNET=m
-CONFIG_IP_SET_HASH_MAC=m
-CONFIG_IP_SET_HASH_NETPORTNET=m
-CONFIG_IP_SET_HASH_NET=m
-CONFIG_IP_SET_HASH_NETNET=m
-CONFIG_IP_SET_HASH_NETPORT=m
-CONFIG_IP_SET_HASH_NETIFACE=m
-CONFIG_IP_SET_LIST_SET=m
-CONFIG_IP_VS=m
-CONFIG_IP_VS_IPV6=y
-# CONFIG_IP_VS_DEBUG is not set
-CONFIG_IP_VS_TAB_BITS=12
-
-#
-# IPVS transport protocol load balancing support
-#
-CONFIG_IP_VS_PROTO_TCP=y
-CONFIG_IP_VS_PROTO_UDP=y
-CONFIG_IP_VS_PROTO_AH_ESP=y
-CONFIG_IP_VS_PROTO_ESP=y
-CONFIG_IP_VS_PROTO_AH=y
-CONFIG_IP_VS_PROTO_SCTP=y
-
-#
-# IPVS scheduler
-#
-CONFIG_IP_VS_RR=m
-CONFIG_IP_VS_WRR=m
-CONFIG_IP_VS_LC=m
-CONFIG_IP_VS_WLC=m
-CONFIG_IP_VS_FO=m
-CONFIG_IP_VS_OVF=m
-CONFIG_IP_VS_LBLC=m
-CONFIG_IP_VS_LBLCR=m
-CONFIG_IP_VS_DH=m
-CONFIG_IP_VS_SH=m
-CONFIG_IP_VS_SED=m
-CONFIG_IP_VS_NQ=m
-
-#
-# IPVS SH scheduler
-#
-CONFIG_IP_VS_SH_TAB_BITS=8
-
-#
-# IPVS application helper
-#
-CONFIG_IP_VS_FTP=m
-CONFIG_IP_VS_NFCT=y
-CONFIG_IP_VS_PE_SIP=m
-
-#
-# IP: Netfilter Configuration
-#
-CONFIG_NF_DEFRAG_IPV4=m
-CONFIG_NF_CONNTRACK_IPV4=m
-CONFIG_NF_CONNTRACK_PROC_COMPAT=y
-CONFIG_NF_TABLES_IPV4=m
-CONFIG_NFT_CHAIN_ROUTE_IPV4=m
-CONFIG_NFT_REJECT_IPV4=m
-CONFIG_NFT_DUP_IPV4=m
-CONFIG_NF_TABLES_ARP=m
-CONFIG_NF_DUP_IPV4=m
-CONFIG_NF_LOG_ARP=m
-CONFIG_NF_LOG_IPV4=m
-CONFIG_NF_REJECT_IPV4=m
-CONFIG_NF_NAT_IPV4=m
-CONFIG_NFT_CHAIN_NAT_IPV4=m
-CONFIG_NF_NAT_MASQUERADE_IPV4=m
-CONFIG_NFT_MASQ_IPV4=m
-CONFIG_NFT_REDIR_IPV4=m
-CONFIG_NF_NAT_SNMP_BASIC=m
-CONFIG_NF_NAT_PROTO_GRE=m
-CONFIG_NF_NAT_PPTP=m
-CONFIG_NF_NAT_H323=m
-CONFIG_IP_NF_IPTABLES=m
-CONFIG_IP_NF_MATCH_AH=m
-CONFIG_IP_NF_MATCH_ECN=m
-CONFIG_IP_NF_MATCH_RPFILTER=m
-CONFIG_IP_NF_MATCH_TTL=m
-CONFIG_IP_NF_FILTER=m
-CONFIG_IP_NF_TARGET_REJECT=m
-CONFIG_IP_NF_TARGET_SYNPROXY=m
-CONFIG_IP_NF_NAT=m
-CONFIG_IP_NF_TARGET_MASQUERADE=m
-CONFIG_IP_NF_TARGET_NETMAP=m
-CONFIG_IP_NF_TARGET_REDIRECT=m
-CONFIG_IP_NF_MANGLE=m
-CONFIG_IP_NF_TARGET_CLUSTERIP=m
-CONFIG_IP_NF_TARGET_ECN=m
-CONFIG_IP_NF_TARGET_TTL=m
-CONFIG_IP_NF_RAW=m
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP_NF_ARPTABLES=m
-CONFIG_IP_NF_ARPFILTER=m
-CONFIG_IP_NF_ARP_MANGLE=m
-
-#
-# IPv6: Netfilter Configuration
-#
-CONFIG_NF_DEFRAG_IPV6=m
-CONFIG_NF_CONNTRACK_IPV6=m
-CONFIG_NF_TABLES_IPV6=m
-CONFIG_NFT_CHAIN_ROUTE_IPV6=m
-CONFIG_NFT_REJECT_IPV6=m
-CONFIG_NFT_DUP_IPV6=m
-CONFIG_NF_DUP_IPV6=m
-CONFIG_NF_REJECT_IPV6=m
-CONFIG_NF_LOG_IPV6=m
-CONFIG_NF_NAT_IPV6=m
-CONFIG_NFT_CHAIN_NAT_IPV6=m
-CONFIG_NF_NAT_MASQUERADE_IPV6=m
-CONFIG_NFT_MASQ_IPV6=m
-CONFIG_NFT_REDIR_IPV6=m
-CONFIG_IP6_NF_IPTABLES=m
-CONFIG_IP6_NF_MATCH_AH=m
-CONFIG_IP6_NF_MATCH_EUI64=m
-CONFIG_IP6_NF_MATCH_FRAG=m
-CONFIG_IP6_NF_MATCH_OPTS=m
-CONFIG_IP6_NF_MATCH_HL=m
-CONFIG_IP6_NF_MATCH_IPV6HEADER=m
-CONFIG_IP6_NF_MATCH_MH=m
-CONFIG_IP6_NF_MATCH_RPFILTER=m
-CONFIG_IP6_NF_MATCH_RT=m
-CONFIG_IP6_NF_TARGET_HL=m
-CONFIG_IP6_NF_FILTER=m
-CONFIG_IP6_NF_TARGET_REJECT=m
-CONFIG_IP6_NF_TARGET_SYNPROXY=m
-CONFIG_IP6_NF_MANGLE=m
-CONFIG_IP6_NF_RAW=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_IP6_NF_NAT=m
-CONFIG_IP6_NF_TARGET_MASQUERADE=m
-CONFIG_IP6_NF_TARGET_NPT=m
-
-#
-# DECnet: Netfilter Configuration
-#
-CONFIG_DECNET_NF_GRABULATOR=m
-CONFIG_NF_TABLES_BRIDGE=m
-CONFIG_NFT_BRIDGE_META=m
-CONFIG_NFT_BRIDGE_REJECT=m
-CONFIG_NF_LOG_BRIDGE=m
-CONFIG_BRIDGE_NF_EBTABLES=m
-CONFIG_BRIDGE_EBT_BROUTE=m
-CONFIG_BRIDGE_EBT_T_FILTER=m
-CONFIG_BRIDGE_EBT_T_NAT=m
-CONFIG_BRIDGE_EBT_802_3=m
-CONFIG_BRIDGE_EBT_AMONG=m
-CONFIG_BRIDGE_EBT_ARP=m
-CONFIG_BRIDGE_EBT_IP=m
-CONFIG_BRIDGE_EBT_IP6=m
-CONFIG_BRIDGE_EBT_LIMIT=m
-CONFIG_BRIDGE_EBT_MARK=m
-CONFIG_BRIDGE_EBT_PKTTYPE=m
-CONFIG_BRIDGE_EBT_STP=m
-CONFIG_BRIDGE_EBT_VLAN=m
-CONFIG_BRIDGE_EBT_ARPREPLY=m
-CONFIG_BRIDGE_EBT_DNAT=m
-CONFIG_BRIDGE_EBT_MARK_T=m
-CONFIG_BRIDGE_EBT_REDIRECT=m
-CONFIG_BRIDGE_EBT_SNAT=m
-CONFIG_BRIDGE_EBT_LOG=m
-CONFIG_BRIDGE_EBT_NFLOG=m
-CONFIG_IP_DCCP=m
-CONFIG_INET_DCCP_DIAG=m
-
-#
-# DCCP CCIDs Configuration
-#
-# CONFIG_IP_DCCP_CCID2_DEBUG is not set
-CONFIG_IP_DCCP_CCID3=y
-# CONFIG_IP_DCCP_CCID3_DEBUG is not set
-CONFIG_IP_DCCP_TFRC_LIB=y
-
-#
-# DCCP Kernel Hacking
-#
-# CONFIG_IP_DCCP_DEBUG is not set
-CONFIG_NET_DCCPPROBE=m
-CONFIG_IP_SCTP=m
-CONFIG_NET_SCTPPROBE=m
-# CONFIG_SCTP_DBG_OBJCNT is not set
-CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
-# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
-# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
-CONFIG_SCTP_COOKIE_HMAC_MD5=y
-CONFIG_SCTP_COOKIE_HMAC_SHA1=y
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
-CONFIG_TIPC=m
-CONFIG_TIPC_MEDIA_IB=y
-CONFIG_TIPC_MEDIA_UDP=y
-CONFIG_ATM=m
-CONFIG_ATM_CLIP=m
-# CONFIG_ATM_CLIP_NO_ICMP is not set
-CONFIG_ATM_LANE=m
-CONFIG_ATM_MPOA=m
-CONFIG_ATM_BR2684=m
-# CONFIG_ATM_BR2684_IPFILTER is not set
-CONFIG_L2TP=m
-CONFIG_L2TP_V3=y
-CONFIG_L2TP_IP=m
-CONFIG_L2TP_ETH=m
-CONFIG_STP=m
-CONFIG_GARP=m
-CONFIG_MRP=m
-CONFIG_BRIDGE=m
-CONFIG_BRIDGE_IGMP_SNOOPING=y
-CONFIG_BRIDGE_VLAN_FILTERING=y
-CONFIG_HAVE_NET_DSA=y
-CONFIG_VLAN_8021Q=m
-CONFIG_VLAN_8021Q_GVRP=y
-CONFIG_VLAN_8021Q_MVRP=y
-CONFIG_DECNET=m
-# CONFIG_DECNET_ROUTER is not set
-CONFIG_LLC=m
-CONFIG_LLC2=m
-CONFIG_IPX=m
-# CONFIG_IPX_INTERN is not set
-CONFIG_ATALK=m
-CONFIG_DEV_APPLETALK=m
-CONFIG_IPDDP=m
-CONFIG_IPDDP_ENCAP=y
-# CONFIG_X25 is not set
-CONFIG_LAPB=m
-CONFIG_PHONET=m
-CONFIG_6LOWPAN=m
-CONFIG_6LOWPAN_NHC=m
-CONFIG_6LOWPAN_NHC_DEST=m
-CONFIG_6LOWPAN_NHC_FRAGMENT=m
-CONFIG_6LOWPAN_NHC_HOP=m
-CONFIG_6LOWPAN_NHC_IPV6=m
-CONFIG_6LOWPAN_NHC_MOBILITY=m
-CONFIG_6LOWPAN_NHC_ROUTING=m
-CONFIG_6LOWPAN_NHC_UDP=m
-CONFIG_IEEE802154=m
-# CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set
-CONFIG_IEEE802154_SOCKET=m
-CONFIG_IEEE802154_6LOWPAN=m
-# CONFIG_MAC802154 is not set
-CONFIG_NET_SCHED=y
-
-#
-# Queueing/Scheduling
-#
-CONFIG_NET_SCH_CBQ=m
-CONFIG_NET_SCH_HTB=m
-CONFIG_NET_SCH_HFSC=m
-CONFIG_NET_SCH_ATM=m
-CONFIG_NET_SCH_PRIO=m
-CONFIG_NET_SCH_MULTIQ=m
-CONFIG_NET_SCH_RED=m
-CONFIG_NET_SCH_SFB=m
-CONFIG_NET_SCH_SFQ=m
-CONFIG_NET_SCH_TEQL=m
-CONFIG_NET_SCH_TBF=m
-CONFIG_NET_SCH_GRED=m
-CONFIG_NET_SCH_DSMARK=m
-CONFIG_NET_SCH_NETEM=m
-CONFIG_NET_SCH_DRR=m
-CONFIG_NET_SCH_MQPRIO=m
-CONFIG_NET_SCH_CHOKE=m
-CONFIG_NET_SCH_QFQ=m
-CONFIG_NET_SCH_CODEL=m
-CONFIG_NET_SCH_FQ_CODEL=m
-CONFIG_NET_SCH_FQ=m
-CONFIG_NET_SCH_HHF=m
-CONFIG_NET_SCH_PIE=m
-CONFIG_NET_SCH_INGRESS=m
-CONFIG_NET_SCH_PLUG=m
-
-#
-# Classification
-#
-CONFIG_NET_CLS=y
-CONFIG_NET_CLS_BASIC=m
-CONFIG_NET_CLS_TCINDEX=m
-CONFIG_NET_CLS_ROUTE4=m
-CONFIG_NET_CLS_FW=m
-CONFIG_NET_CLS_U32=m
-CONFIG_CLS_U32_PERF=y
-CONFIG_CLS_U32_MARK=y
-CONFIG_NET_CLS_RSVP=m
-CONFIG_NET_CLS_RSVP6=m
-CONFIG_NET_CLS_FLOW=m
-CONFIG_NET_CLS_CGROUP=m
-CONFIG_NET_CLS_BPF=m
-CONFIG_NET_CLS_FLOWER=m
-CONFIG_NET_EMATCH=y
-CONFIG_NET_EMATCH_STACK=32
-CONFIG_NET_EMATCH_CMP=m
-CONFIG_NET_EMATCH_NBYTE=m
-CONFIG_NET_EMATCH_U32=m
-CONFIG_NET_EMATCH_META=m
-CONFIG_NET_EMATCH_TEXT=m
-CONFIG_NET_EMATCH_CANID=m
-CONFIG_NET_EMATCH_IPSET=m
-CONFIG_NET_CLS_ACT=y
-CONFIG_NET_ACT_POLICE=m
-CONFIG_NET_ACT_GACT=m
-CONFIG_GACT_PROB=y
-CONFIG_NET_ACT_MIRRED=m
-CONFIG_NET_ACT_IPT=m
-CONFIG_NET_ACT_NAT=m
-CONFIG_NET_ACT_PEDIT=m
-CONFIG_NET_ACT_SIMP=m
-CONFIG_NET_ACT_SKBEDIT=m
-CONFIG_NET_ACT_CSUM=m
-CONFIG_NET_ACT_VLAN=m
-CONFIG_NET_ACT_BPF=m
-CONFIG_NET_ACT_CONNMARK=m
-CONFIG_NET_CLS_IND=y
-CONFIG_NET_SCH_FIFO=y
-CONFIG_DCB=y
-CONFIG_DNS_RESOLVER=m
-CONFIG_BATMAN_ADV=m
-CONFIG_BATMAN_ADV_BLA=y
-CONFIG_BATMAN_ADV_DAT=y
-CONFIG_BATMAN_ADV_NC=y
-CONFIG_BATMAN_ADV_MCAST=y
-CONFIG_OPENVSWITCH=m
-CONFIG_OPENVSWITCH_GRE=m
-CONFIG_OPENVSWITCH_VXLAN=m
-CONFIG_OPENVSWITCH_GENEVE=m
-CONFIG_VSOCKETS=m
-CONFIG_VMWARE_VMCI_VSOCKETS=m
-CONFIG_NETLINK_MMAP=y
-CONFIG_NETLINK_DIAG=m
-CONFIG_MPLS=y
-CONFIG_NET_MPLS_GSO=y
-CONFIG_MPLS_ROUTING=m
-CONFIG_MPLS_IPTUNNEL=m
-# CONFIG_HSR is not set
-# CONFIG_NET_SWITCHDEV is not set
-CONFIG_NET_L3_MASTER_DEV=y
-CONFIG_RPS=y
-CONFIG_RFS_ACCEL=y
-CONFIG_XPS=y
-CONFIG_CGROUP_NET_PRIO=y
-CONFIG_CGROUP_NET_CLASSID=y
-CONFIG_NET_RX_BUSY_POLL=y
-CONFIG_BQL=y
-CONFIG_BPF_JIT=y
-CONFIG_NET_FLOW_LIMIT=y
-
-#
-# Network testing
-#
-CONFIG_NET_PKTGEN=m
-# CONFIG_NET_TCPPROBE is not set
-CONFIG_HAMRADIO=y
-
-#
-# Packet Radio protocols
-#
-CONFIG_AX25=m
-# CONFIG_AX25_DAMA_SLAVE is not set
-CONFIG_NETROM=m
-CONFIG_ROSE=m
-
-#
-# AX.25 network device drivers
-#
-CONFIG_MKISS=m
-CONFIG_6PACK=m
-CONFIG_BPQETHER=m
-CONFIG_BAYCOM_SER_FDX=m
-CONFIG_BAYCOM_SER_HDX=m
-CONFIG_BAYCOM_PAR=m
-CONFIG_YAM=m
-CONFIG_CAN=m
-CONFIG_CAN_RAW=m
-CONFIG_CAN_BCM=m
-CONFIG_CAN_GW=m
-
-#
-# CAN Device Drivers
-#
-CONFIG_CAN_VCAN=m
-CONFIG_CAN_SLCAN=m
-CONFIG_CAN_DEV=m
-CONFIG_CAN_CALC_BITTIMING=y
-# CONFIG_CAN_LEDS is not set
-CONFIG_CAN_SJA1000=m
-CONFIG_CAN_SJA1000_ISA=m
-# CONFIG_CAN_SJA1000_PLATFORM is not set
-CONFIG_CAN_EMS_PCMCIA=m
-CONFIG_CAN_EMS_PCI=m
-CONFIG_CAN_PEAK_PCMCIA=m
-CONFIG_CAN_PEAK_PCI=m
-CONFIG_CAN_PEAK_PCIEC=y
-CONFIG_CAN_KVASER_PCI=m
-CONFIG_CAN_PLX_PCI=m
-# CONFIG_CAN_C_CAN is not set
-# CONFIG_CAN_M_CAN is not set
-# CONFIG_CAN_CC770 is not set
-
-#
-# CAN SPI interfaces
-#
-# CONFIG_CAN_MCP251X is not set
-
-#
-# CAN USB interfaces
-#
-CONFIG_CAN_EMS_USB=m
-CONFIG_CAN_ESD_USB2=m
-CONFIG_CAN_GS_USB=m
-CONFIG_CAN_KVASER_USB=m
-CONFIG_CAN_PEAK_USB=m
-CONFIG_CAN_8DEV_USB=m
-CONFIG_CAN_SOFTING=m
-CONFIG_CAN_SOFTING_CS=m
-# CONFIG_CAN_DEBUG_DEVICES is not set
-CONFIG_IRDA=m
-
-#
-# IrDA protocols
-#
-CONFIG_IRLAN=m
-CONFIG_IRNET=m
-CONFIG_IRCOMM=m
-# CONFIG_IRDA_ULTRA is not set
-
-#
-# IrDA options
-#
-CONFIG_IRDA_CACHE_LAST_LSAP=y
-CONFIG_IRDA_FAST_RR=y
-# CONFIG_IRDA_DEBUG is not set
-
-#
-# Infrared-port device drivers
-#
-
-#
-# SIR device drivers
-#
-CONFIG_IRTTY_SIR=m
-
-#
-# Dongle support
-#
-CONFIG_DONGLE=y
-CONFIG_ESI_DONGLE=m
-CONFIG_ACTISYS_DONGLE=m
-CONFIG_TEKRAM_DONGLE=m
-CONFIG_TOIM3232_DONGLE=m
-CONFIG_LITELINK_DONGLE=m
-CONFIG_MA600_DONGLE=m
-CONFIG_GIRBIL_DONGLE=m
-CONFIG_MCP2120_DONGLE=m
-CONFIG_OLD_BELKIN_DONGLE=m
-CONFIG_ACT200L_DONGLE=m
-CONFIG_KINGSUN_DONGLE=m
-CONFIG_KSDAZZLE_DONGLE=m
-CONFIG_KS959_DONGLE=m
-
-#
-# FIR device drivers
-#
-CONFIG_USB_IRDA=m
-CONFIG_SIGMATEL_FIR=m
-CONFIG_NSC_FIR=m
-CONFIG_WINBOND_FIR=m
-CONFIG_SMC_IRCC_FIR=m
-CONFIG_ALI_FIR=m
-CONFIG_VLSI_FIR=m
-CONFIG_VIA_FIR=m
-CONFIG_MCS_FIR=m
-CONFIG_BT=m
-CONFIG_BT_BREDR=y
-CONFIG_BT_RFCOMM=m
-CONFIG_BT_RFCOMM_TTY=y
-CONFIG_BT_BNEP=m
-CONFIG_BT_BNEP_MC_FILTER=y
-CONFIG_BT_BNEP_PROTO_FILTER=y
-CONFIG_BT_CMTP=m
-CONFIG_BT_HIDP=m
-CONFIG_BT_HS=y
-CONFIG_BT_LE=y
-CONFIG_BT_6LOWPAN=m
-# CONFIG_BT_SELFTEST is not set
-
-#
-# Bluetooth device drivers
-#
-CONFIG_BT_INTEL=m
-CONFIG_BT_BCM=m
-CONFIG_BT_RTL=m
-CONFIG_BT_QCA=m
-CONFIG_BT_HCIBTUSB=m
-CONFIG_BT_HCIBTUSB_BCM=y
-CONFIG_BT_HCIBTUSB_RTL=y
-CONFIG_BT_HCIBTSDIO=m
-CONFIG_BT_HCIUART=m
-CONFIG_BT_HCIUART_H4=y
-CONFIG_BT_HCIUART_BCSP=y
-CONFIG_BT_HCIUART_ATH3K=y
-CONFIG_BT_HCIUART_LL=y
-CONFIG_BT_HCIUART_3WIRE=y
-CONFIG_BT_HCIUART_INTEL=y
-CONFIG_BT_HCIUART_BCM=y
-CONFIG_BT_HCIUART_QCA=y
-CONFIG_BT_HCIBCM203X=m
-CONFIG_BT_HCIBPA10X=m
-CONFIG_BT_HCIBFUSB=m
-CONFIG_BT_HCIDTL1=m
-CONFIG_BT_HCIBT3C=m
-CONFIG_BT_HCIBLUECARD=m
-# CONFIG_BT_HCIBTUART is not set
-CONFIG_BT_HCIVHCI=m
-CONFIG_BT_MRVL=m
-CONFIG_BT_MRVL_SDIO=m
-CONFIG_BT_ATH3K=m
-CONFIG_AF_RXRPC=m
-# CONFIG_AF_RXRPC_DEBUG is not set
-CONFIG_RXKAD=m
-CONFIG_FIB_RULES=y
-CONFIG_WIRELESS=y
-CONFIG_WIRELESS_EXT=y
-CONFIG_WEXT_CORE=y
-CONFIG_WEXT_PROC=y
-CONFIG_WEXT_SPY=y
-CONFIG_WEXT_PRIV=y
-CONFIG_CFG80211=m
-# CONFIG_NL80211_TESTMODE is not set
-# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
-# CONFIG_CFG80211_REG_DEBUG is not set
-# CONFIG_CFG80211_CERTIFICATION_ONUS is not set
-CONFIG_CFG80211_DEFAULT_PS=y
-# CONFIG_CFG80211_INTERNAL_REGDB is not set
-CONFIG_CFG80211_CRDA_SUPPORT=y
-CONFIG_CFG80211_WEXT=y
-CONFIG_CFG80211_WEXT_EXPORT=y
-CONFIG_LIB80211=m
-CONFIG_LIB80211_CRYPT_WEP=m
-CONFIG_LIB80211_CRYPT_CCMP=m
-CONFIG_LIB80211_CRYPT_TKIP=m
-# CONFIG_LIB80211_DEBUG is not set
-CONFIG_MAC80211=m
-CONFIG_MAC80211_HAS_RC=y
-CONFIG_MAC80211_RC_MINSTREL=y
-CONFIG_MAC80211_RC_MINSTREL_HT=y
-# CONFIG_MAC80211_RC_MINSTREL_VHT is not set
-CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
-CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
-CONFIG_MAC80211_MESH=y
-CONFIG_MAC80211_LEDS=y
-# CONFIG_MAC80211_MESSAGE_TRACING is not set
-# CONFIG_MAC80211_DEBUG_MENU is not set
-CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
-CONFIG_WIMAX=m
-CONFIG_WIMAX_DEBUG_LEVEL=8
-CONFIG_RFKILL=m
-CONFIG_RFKILL_LEDS=y
-CONFIG_RFKILL_INPUT=y
-# CONFIG_RFKILL_GPIO is not set
-CONFIG_NET_9P=m
-CONFIG_NET_9P_VIRTIO=m
-CONFIG_NET_9P_RDMA=m
-# CONFIG_NET_9P_DEBUG is not set
-# CONFIG_CAIF is not set
-CONFIG_CEPH_LIB=m
-# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
-# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set
-CONFIG_NFC=m
-CONFIG_NFC_DIGITAL=m
-# CONFIG_NFC_NCI is not set
-CONFIG_NFC_HCI=m
-# CONFIG_NFC_SHDLC is not set
-
-#
-# Near Field Communication (NFC) devices
-#
-CONFIG_NFC_PN533=m
-# CONFIG_NFC_TRF7970A is not set
-CONFIG_NFC_MEI_PHY=m
-CONFIG_NFC_SIM=m
-CONFIG_NFC_PORT100=m
-CONFIG_NFC_PN544=m
-CONFIG_NFC_PN544_MEI=m
-# CONFIG_NFC_MICROREAD_MEI is not set
-# CONFIG_NFC_ST21NFCA is not set
-CONFIG_LWTUNNEL=y
-CONFIG_HAVE_BPF_JIT=y
-
-#
-# Device Drivers
-#
-
-#
-# Generic Driver Options
-#
-# CONFIG_UEVENT_HELPER is not set
-CONFIG_DEVTMPFS=y
-# CONFIG_DEVTMPFS_MOUNT is not set
-CONFIG_STANDALONE=y
-CONFIG_PREVENT_FIRMWARE_BUILD=y
-CONFIG_FW_LOADER=y
-# CONFIG_FIRMWARE_IN_KERNEL is not set
-CONFIG_EXTRA_FIRMWARE=""
-CONFIG_FW_LOADER_USER_HELPER=y
-# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
-CONFIG_WANT_DEV_COREDUMP=y
-CONFIG_ALLOW_DEV_COREDUMP=y
-CONFIG_DEV_COREDUMP=y
-# CONFIG_DEBUG_DRIVER is not set
-# CONFIG_DEBUG_DEVRES is not set
-# CONFIG_SYS_HYPERVISOR is not set
-# CONFIG_GENERIC_CPU_DEVICES is not set
-CONFIG_GENERIC_CPU_AUTOPROBE=y
-CONFIG_REGMAP=y
-CONFIG_REGMAP_I2C=m
-CONFIG_REGMAP_SPI=m
-CONFIG_DMA_SHARED_BUFFER=y
-# CONFIG_FENCE_TRACE is not set
-
-#
-# Bus devices
-#
-CONFIG_CONNECTOR=y
-CONFIG_PROC_EVENTS=y
-CONFIG_MTD=m
-# CONFIG_MTD_TESTS is not set
-CONFIG_MTD_REDBOOT_PARTS=m
-CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK=-1
-# CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED is not set
-# CONFIG_MTD_REDBOOT_PARTS_READONLY is not set
-# CONFIG_MTD_CMDLINE_PARTS is not set
-CONFIG_MTD_AR7_PARTS=m
-
-#
-# User Modules And Translation Layers
-#
-CONFIG_MTD_BLKDEVS=m
-CONFIG_MTD_BLOCK=m
-CONFIG_MTD_BLOCK_RO=m
-CONFIG_FTL=m
-CONFIG_NFTL=m
-CONFIG_NFTL_RW=y
-CONFIG_INFTL=m
-CONFIG_RFD_FTL=m
-CONFIG_SSFDC=m
-# CONFIG_SM_FTL is not set
-CONFIG_MTD_OOPS=m
-CONFIG_MTD_SWAP=m
-# CONFIG_MTD_PARTITIONED_MASTER is not set
-
-#
-# RAM/ROM/Flash chip drivers
-#
-CONFIG_MTD_CFI=m
-CONFIG_MTD_JEDECPROBE=m
-CONFIG_MTD_GEN_PROBE=m
-# CONFIG_MTD_CFI_ADV_OPTIONS is not set
-CONFIG_MTD_MAP_BANK_WIDTH_1=y
-CONFIG_MTD_MAP_BANK_WIDTH_2=y
-CONFIG_MTD_MAP_BANK_WIDTH_4=y
-# CONFIG_MTD_MAP_BANK_WIDTH_8 is not set
-# CONFIG_MTD_MAP_BANK_WIDTH_16 is not set
-# CONFIG_MTD_MAP_BANK_WIDTH_32 is not set
-CONFIG_MTD_CFI_I1=y
-CONFIG_MTD_CFI_I2=y
-# CONFIG_MTD_CFI_I4 is not set
-# CONFIG_MTD_CFI_I8 is not set
-CONFIG_MTD_CFI_INTELEXT=m
-CONFIG_MTD_CFI_AMDSTD=m
-CONFIG_MTD_CFI_STAA=m
-CONFIG_MTD_CFI_UTIL=m
-CONFIG_MTD_RAM=m
-CONFIG_MTD_ROM=m
-CONFIG_MTD_ABSENT=m
-
-#
-# Mapping drivers for chip access
-#
-CONFIG_MTD_COMPLEX_MAPPINGS=y
-CONFIG_MTD_PHYSMAP=m
-# CONFIG_MTD_PHYSMAP_COMPAT is not set
-CONFIG_MTD_SBC_GXX=m
-# CONFIG_MTD_AMD76XROM is not set
-# CONFIG_MTD_ICHXROM is not set
-# CONFIG_MTD_ESB2ROM is not set
-# CONFIG_MTD_CK804XROM is not set
-# CONFIG_MTD_SCB2_FLASH is not set
-CONFIG_MTD_NETtel=m
-# CONFIG_MTD_L440GX is not set
-CONFIG_MTD_PCI=m
-CONFIG_MTD_PCMCIA=m
-# CONFIG_MTD_PCMCIA_ANONYMOUS is not set
-# CONFIG_MTD_GPIO_ADDR is not set
-CONFIG_MTD_INTEL_VR_NOR=m
-CONFIG_MTD_PLATRAM=m
-# CONFIG_MTD_LATCH_ADDR is not set
-
-#
-# Self-contained MTD device drivers
-#
-# CONFIG_MTD_PMC551 is not set
-CONFIG_MTD_DATAFLASH=m
-# CONFIG_MTD_DATAFLASH_WRITE_VERIFY is not set
-# CONFIG_MTD_DATAFLASH_OTP is not set
-CONFIG_MTD_M25P80=m
-CONFIG_MTD_SST25L=m
-CONFIG_MTD_SLRAM=m
-CONFIG_MTD_PHRAM=m
-CONFIG_MTD_MTDRAM=m
-CONFIG_MTDRAM_TOTAL_SIZE=4096
-CONFIG_MTDRAM_ERASE_SIZE=128
-CONFIG_MTD_BLOCK2MTD=m
-
-#
-# Disk-On-Chip Device Drivers
-#
-# CONFIG_MTD_DOCG3 is not set
-CONFIG_MTD_NAND_ECC=m
-# CONFIG_MTD_NAND_ECC_SMC is not set
-CONFIG_MTD_NAND=m
-CONFIG_MTD_NAND_BCH=m
-CONFIG_MTD_NAND_ECC_BCH=y
-CONFIG_MTD_SM_COMMON=m
-# CONFIG_MTD_NAND_DENALI_PCI is not set
-# CONFIG_MTD_NAND_DENALI_DT is not set
-# CONFIG_MTD_NAND_GPIO is not set
-# CONFIG_MTD_NAND_OMAP_BCH_BUILD is not set
-CONFIG_MTD_NAND_IDS=m
-CONFIG_MTD_NAND_RICOH=m
-CONFIG_MTD_NAND_DISKONCHIP=m
-# CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADVANCED is not set
-CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADDRESS=0
-# CONFIG_MTD_NAND_DISKONCHIP_BBTWRITE is not set
-# CONFIG_MTD_NAND_DOCG4 is not set
-CONFIG_MTD_NAND_CAFE=m
-CONFIG_MTD_NAND_NANDSIM=m
-# CONFIG_MTD_NAND_PLATFORM is not set
-# CONFIG_MTD_NAND_HISI504 is not set
-CONFIG_MTD_ONENAND=m
-CONFIG_MTD_ONENAND_VERIFY_WRITE=y
-# CONFIG_MTD_ONENAND_GENERIC is not set
-# CONFIG_MTD_ONENAND_OTP is not set
-CONFIG_MTD_ONENAND_2X_PROGRAM=y
-
-#
-# LPDDR & LPDDR2 PCM memory drivers
-#
-CONFIG_MTD_LPDDR=m
-CONFIG_MTD_QINFO_PROBE=m
-CONFIG_MTD_SPI_NOR=m
-CONFIG_MTD_SPI_NOR_USE_4K_SECTORS=y
-CONFIG_MTD_UBI=m
-CONFIG_MTD_UBI_WL_THRESHOLD=4096
-CONFIG_MTD_UBI_BEB_LIMIT=20
-# CONFIG_MTD_UBI_FASTMAP is not set
-# CONFIG_MTD_UBI_GLUEBI is not set
-CONFIG_MTD_UBI_BLOCK=y
-# CONFIG_OF is not set
-CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
-CONFIG_PARPORT=m
-CONFIG_PARPORT_PC=m
-CONFIG_PARPORT_SERIAL=m
-# CONFIG_PARPORT_PC_FIFO is not set
-# CONFIG_PARPORT_PC_SUPERIO is not set
-CONFIG_PARPORT_PC_PCMCIA=m
-# CONFIG_PARPORT_GSC is not set
-# CONFIG_PARPORT_AX88796 is not set
-CONFIG_PARPORT_1284=y
-CONFIG_PARPORT_NOT_PC=y
-CONFIG_PNP=y
-# CONFIG_PNP_DEBUG_MESSAGES is not set
-
-#
-# Protocols
-#
-CONFIG_PNPACPI=y
-CONFIG_BLK_DEV=y
-CONFIG_BLK_DEV_NULL_BLK=m
-CONFIG_BLK_DEV_FD=m
-# CONFIG_PARIDE is not set
-CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
-CONFIG_ZRAM=m
-CONFIG_ZRAM_LZ4_COMPRESS=y
-CONFIG_BLK_CPQ_CISS_DA=m
-CONFIG_CISS_SCSI_TAPE=y
-CONFIG_BLK_DEV_DAC960=m
-CONFIG_BLK_DEV_UMEM=m
-# CONFIG_BLK_DEV_COW_COMMON is not set
-CONFIG_BLK_DEV_LOOP=m
-CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
-# CONFIG_BLK_DEV_CRYPTOLOOP is not set
-CONFIG_BLK_DEV_DRBD=m
-# CONFIG_DRBD_FAULT_INJECTION is not set
-CONFIG_BLK_DEV_NBD=m
-CONFIG_BLK_DEV_SKD=m
-CONFIG_BLK_DEV_OSD=m
-CONFIG_BLK_DEV_SX8=m
-CONFIG_BLK_DEV_RAM=m
-CONFIG_BLK_DEV_RAM_COUNT=16
-CONFIG_BLK_DEV_RAM_SIZE=16384
-# CONFIG_BLK_DEV_RAM_DAX is not set
-CONFIG_CDROM_PKTCDVD=m
-CONFIG_CDROM_PKTCDVD_BUFFERS=8
-# CONFIG_CDROM_PKTCDVD_WCACHE is not set
-CONFIG_ATA_OVER_ETH=m
-CONFIG_VIRTIO_BLK=m
-# CONFIG_BLK_DEV_HD is not set
-CONFIG_BLK_DEV_RBD=m
-CONFIG_BLK_DEV_RSXX=m
-CONFIG_BLK_DEV_NVME=m
-
-#
-# Misc devices
-#
-CONFIG_SENSORS_LIS3LV02D=m
-CONFIG_AD525X_DPOT=m
-CONFIG_AD525X_DPOT_I2C=m
-CONFIG_AD525X_DPOT_SPI=m
-# CONFIG_DUMMY_IRQ is not set
-CONFIG_IBM_ASM=m
-CONFIG_PHANTOM=m
-CONFIG_SGI_IOC4=m
-CONFIG_TIFM_CORE=m
-CONFIG_TIFM_7XX1=m
-CONFIG_ICS932S401=m
-CONFIG_ENCLOSURE_SERVICES=m
-CONFIG_HP_ILO=m
-CONFIG_APDS9802ALS=m
-CONFIG_ISL29003=m
-CONFIG_ISL29020=m
-CONFIG_SENSORS_TSL2550=m
-CONFIG_SENSORS_BH1780=m
-CONFIG_SENSORS_BH1770=m
-CONFIG_SENSORS_APDS990X=m
-CONFIG_HMC6352=m
-CONFIG_DS1682=m
-CONFIG_TI_DAC7512=m
-CONFIG_VMWARE_BALLOON=m
-# CONFIG_BMP085_I2C is not set
-# CONFIG_BMP085_SPI is not set
-# CONFIG_USB_SWITCH_FSA9480 is not set
-# CONFIG_LATTICE_ECP3_CONFIG is not set
-# CONFIG_SRAM is not set
-CONFIG_C2PORT=m
-CONFIG_C2PORT_DURAMAR_2150=m
-
-#
-# EEPROM support
-#
-CONFIG_EEPROM_AT24=m
-CONFIG_EEPROM_AT25=m
-CONFIG_EEPROM_LEGACY=m
-CONFIG_EEPROM_MAX6875=m
-CONFIG_EEPROM_93CX6=m
-# CONFIG_EEPROM_93XX46 is not set
-CONFIG_CB710_CORE=m
-# CONFIG_CB710_DEBUG is not set
-CONFIG_CB710_DEBUG_ASSUMPTIONS=y
-
-#
-# Texas Instruments shared transport line discipline
-#
-# CONFIG_TI_ST is not set
-CONFIG_SENSORS_LIS3_I2C=m
-
-#
-# Altera FPGA firmware download module
-#
-CONFIG_ALTERA_STAPL=m
-CONFIG_INTEL_MEI=m
-CONFIG_INTEL_MEI_ME=m
-# CONFIG_INTEL_MEI_TXE is not set
-CONFIG_VMWARE_VMCI=m
-
-#
-# Intel MIC Bus Driver
-#
-CONFIG_INTEL_MIC_BUS=m
-
-#
-# SCIF Bus Driver
-#
-CONFIG_SCIF_BUS=m
-
-#
-# Intel MIC Host Driver
-#
-CONFIG_INTEL_MIC_HOST=m
-
-#
-# Intel MIC Card Driver
-#
-# CONFIG_INTEL_MIC_CARD is not set
-
-#
-# SCIF Driver
-#
-CONFIG_SCIF=m
-
-#
-# Intel MIC Coprocessor State Management (COSM) Drivers
-#
-CONFIG_MIC_COSM=m
-# CONFIG_GENWQE is not set
-# CONFIG_ECHO is not set
-# CONFIG_CXL_BASE is not set
-# CONFIG_CXL_KERNEL_API is not set
-# CONFIG_CXL_EEH is not set
-CONFIG_HAVE_IDE=y
-# CONFIG_IDE is not set
-
-#
-# SCSI device support
-#
-CONFIG_SCSI_MOD=m
-CONFIG_RAID_ATTRS=m
-CONFIG_SCSI=m
-CONFIG_SCSI_DMA=y
-CONFIG_SCSI_NETLINK=y
-# CONFIG_SCSI_MQ_DEFAULT is not set
-# CONFIG_SCSI_PROC_FS is not set
-
-#
-# SCSI support type (disk, tape, CD-ROM)
-#
-CONFIG_BLK_DEV_SD=m
-CONFIG_CHR_DEV_ST=m
-CONFIG_CHR_DEV_OSST=m
-CONFIG_BLK_DEV_SR=m
-CONFIG_BLK_DEV_SR_VENDOR=y
-CONFIG_CHR_DEV_SG=m
-CONFIG_CHR_DEV_SCH=m
-CONFIG_SCSI_ENCLOSURE=m
-CONFIG_SCSI_CONSTANTS=y
-CONFIG_SCSI_LOGGING=y
-CONFIG_SCSI_SCAN_ASYNC=y
-
-#
-# SCSI Transports
-#
-CONFIG_SCSI_SPI_ATTRS=m
-CONFIG_SCSI_FC_ATTRS=m
-CONFIG_SCSI_ISCSI_ATTRS=m
-CONFIG_SCSI_SAS_ATTRS=m
-CONFIG_SCSI_SAS_LIBSAS=m
-CONFIG_SCSI_SAS_ATA=y
-CONFIG_SCSI_SAS_HOST_SMP=y
-CONFIG_SCSI_SRP_ATTRS=m
-CONFIG_SCSI_LOWLEVEL=y
-CONFIG_ISCSI_TCP=m
-CONFIG_ISCSI_BOOT_SYSFS=m
-CONFIG_SCSI_CXGB3_ISCSI=m
-CONFIG_SCSI_CXGB4_ISCSI=m
-CONFIG_SCSI_BNX2_ISCSI=m
-CONFIG_SCSI_BNX2X_FCOE=m
-CONFIG_BE2ISCSI=m
-CONFIG_BLK_DEV_3W_XXXX_RAID=m
-CONFIG_SCSI_HPSA=m
-CONFIG_SCSI_3W_9XXX=m
-CONFIG_SCSI_3W_SAS=m
-CONFIG_SCSI_ACARD=m
-CONFIG_SCSI_AACRAID=m
-CONFIG_SCSI_AIC7XXX=m
-CONFIG_AIC7XXX_CMDS_PER_DEVICE=8
-CONFIG_AIC7XXX_RESET_DELAY_MS=15000
-CONFIG_AIC7XXX_DEBUG_ENABLE=y
-CONFIG_AIC7XXX_DEBUG_MASK=0
-CONFIG_AIC7XXX_REG_PRETTY_PRINT=y
-CONFIG_SCSI_AIC79XX=m
-CONFIG_AIC79XX_CMDS_PER_DEVICE=32
-CONFIG_AIC79XX_RESET_DELAY_MS=15000
-CONFIG_AIC79XX_DEBUG_ENABLE=y
-CONFIG_AIC79XX_DEBUG_MASK=0
-CONFIG_AIC79XX_REG_PRETTY_PRINT=y
-CONFIG_SCSI_AIC94XX=m
-# CONFIG_AIC94XX_DEBUG is not set
-CONFIG_SCSI_MVSAS=m
-# CONFIG_SCSI_MVSAS_DEBUG is not set
-# CONFIG_SCSI_MVSAS_TASKLET is not set
-CONFIG_SCSI_MVUMI=m
-CONFIG_SCSI_DPT_I2O=m
-CONFIG_SCSI_ADVANSYS=m
-CONFIG_SCSI_ARCMSR=m
-CONFIG_SCSI_ESAS2R=m
-CONFIG_MEGARAID_NEWGEN=y
-CONFIG_MEGARAID_MM=m
-CONFIG_MEGARAID_MAILBOX=m
-CONFIG_MEGARAID_LEGACY=m
-CONFIG_MEGARAID_SAS=m
-CONFIG_SCSI_MPT3SAS=m
-CONFIG_SCSI_MPT2SAS_MAX_SGE=128
-CONFIG_SCSI_MPT3SAS_MAX_SGE=128
-CONFIG_SCSI_MPT2SAS=m
-CONFIG_SCSI_UFSHCD=m
-CONFIG_SCSI_UFSHCD_PCI=m
-# CONFIG_SCSI_UFSHCD_PLATFORM is not set
-CONFIG_SCSI_HPTIOP=m
-CONFIG_SCSI_BUSLOGIC=m
-# CONFIG_SCSI_FLASHPOINT is not set
-CONFIG_VMWARE_PVSCSI=m
-CONFIG_HYPERV_STORAGE=m
-CONFIG_LIBFC=m
-CONFIG_LIBFCOE=m
-CONFIG_FCOE=m
-CONFIG_FCOE_FNIC=m
-CONFIG_SCSI_SNIC=m
-CONFIG_SCSI_DMX3191D=m
-CONFIG_SCSI_EATA=m
-CONFIG_SCSI_EATA_TAGGED_QUEUE=y
-CONFIG_SCSI_EATA_LINKED_COMMANDS=y
-CONFIG_SCSI_EATA_MAX_TAGS=16
-CONFIG_SCSI_FUTURE_DOMAIN=m
-CONFIG_SCSI_GDTH=m
-CONFIG_SCSI_ISCI=m
-CONFIG_SCSI_IPS=m
-CONFIG_SCSI_INITIO=m
-CONFIG_SCSI_INIA100=m
-# CONFIG_SCSI_PPA is not set
-# CONFIG_SCSI_IMM is not set
-CONFIG_SCSI_STEX=m
-CONFIG_SCSI_SYM53C8XX_2=m
-CONFIG_SCSI_SYM53C8XX_DMA_ADDRESSING_MODE=1
-CONFIG_SCSI_SYM53C8XX_DEFAULT_TAGS=16
-CONFIG_SCSI_SYM53C8XX_MAX_TAGS=64
-CONFIG_SCSI_SYM53C8XX_MMIO=y
-CONFIG_SCSI_IPR=m
-# CONFIG_SCSI_IPR_TRACE is not set
-# CONFIG_SCSI_IPR_DUMP is not set
-CONFIG_SCSI_QLOGIC_1280=m
-CONFIG_SCSI_QLA_FC=m
-CONFIG_TCM_QLA2XXX=m
-CONFIG_SCSI_QLA_ISCSI=m
-CONFIG_SCSI_LPFC=m
-CONFIG_SCSI_DC395x=m
-CONFIG_SCSI_AM53C974=m
-CONFIG_SCSI_WD719X=m
-CONFIG_SCSI_DEBUG=m
-CONFIG_SCSI_PMCRAID=m
-CONFIG_SCSI_PM8001=m
-CONFIG_SCSI_BFA_FC=m
-CONFIG_SCSI_VIRTIO=m
-CONFIG_SCSI_CHELSIO_FCOE=m
-CONFIG_SCSI_LOWLEVEL_PCMCIA=y
-CONFIG_PCMCIA_AHA152X=m
-CONFIG_PCMCIA_FDOMAIN=m
-CONFIG_PCMCIA_QLOGIC=m
-CONFIG_PCMCIA_SYM53C500=m
-CONFIG_SCSI_DH=y
-CONFIG_SCSI_DH_RDAC=m
-CONFIG_SCSI_DH_HP_SW=m
-CONFIG_SCSI_DH_EMC=m
-CONFIG_SCSI_DH_ALUA=m
-CONFIG_SCSI_OSD_INITIATOR=m
-CONFIG_SCSI_OSD_ULD=m
-CONFIG_SCSI_OSD_DPRINT_SENSE=1
-# CONFIG_SCSI_OSD_DEBUG is not set
-CONFIG_ATA=m
-# CONFIG_ATA_NONSTANDARD is not set
-CONFIG_ATA_VERBOSE_ERROR=y
-CONFIG_ATA_ACPI=y
-CONFIG_SATA_ZPODD=y
-CONFIG_SATA_PMP=y
-
-#
-# Controllers with non-SFF native interface
-#
-CONFIG_SATA_AHCI=m
-# CONFIG_SATA_AHCI_PLATFORM is not set
-# CONFIG_SATA_INIC162X is not set
-CONFIG_SATA_ACARD_AHCI=m
-CONFIG_SATA_SIL24=m
-CONFIG_ATA_SFF=y
-
-#
-# SFF controllers with custom DMA interface
-#
-CONFIG_PDC_ADMA=m
-CONFIG_SATA_QSTOR=m
-CONFIG_SATA_SX4=m
-CONFIG_ATA_BMDMA=y
-
-#
-# SATA SFF controllers with BMDMA
-#
-CONFIG_ATA_PIIX=m
-CONFIG_SATA_MV=m
-CONFIG_SATA_NV=m
-CONFIG_SATA_PROMISE=m
-CONFIG_SATA_SIL=m
-CONFIG_SATA_SIS=m
-CONFIG_SATA_SVW=m
-CONFIG_SATA_ULI=m
-CONFIG_SATA_VIA=m
-CONFIG_SATA_VITESSE=m
-
-#
-# PATA SFF controllers with BMDMA
-#
-CONFIG_PATA_ALI=m
-CONFIG_PATA_AMD=m
-CONFIG_PATA_ARTOP=m
-CONFIG_PATA_ATIIXP=m
-CONFIG_PATA_ATP867X=m
-CONFIG_PATA_CMD64X=m
-# CONFIG_PATA_CYPRESS is not set
-CONFIG_PATA_EFAR=m
-CONFIG_PATA_HPT366=m
-CONFIG_PATA_HPT37X=m
-# CONFIG_PATA_HPT3X2N is not set
-# CONFIG_PATA_HPT3X3 is not set
-CONFIG_PATA_IT8213=m
-CONFIG_PATA_IT821X=m
-CONFIG_PATA_JMICRON=m
-CONFIG_PATA_MARVELL=m
-CONFIG_PATA_NETCELL=m
-CONFIG_PATA_NINJA32=m
-CONFIG_PATA_NS87415=m
-CONFIG_PATA_OLDPIIX=m
-# CONFIG_PATA_OPTIDMA is not set
-CONFIG_PATA_PDC2027X=m
-CONFIG_PATA_PDC_OLD=m
-# CONFIG_PATA_RADISYS is not set
-CONFIG_PATA_RDC=m
-CONFIG_PATA_SCH=m
-CONFIG_PATA_SERVERWORKS=m
-CONFIG_PATA_SIL680=m
-CONFIG_PATA_SIS=m
-CONFIG_PATA_TOSHIBA=m
-CONFIG_PATA_TRIFLEX=m
-CONFIG_PATA_VIA=m
-# CONFIG_PATA_WINBOND is not set
-
-#
-# PIO-only SFF controllers
-#
-# CONFIG_PATA_CMD640_PCI is not set
-CONFIG_PATA_MPIIX=m
-CONFIG_PATA_NS87410=m
-# CONFIG_PATA_OPTI is not set
-CONFIG_PATA_PCMCIA=m
-# CONFIG_PATA_PLATFORM is not set
-CONFIG_PATA_RZ1000=m
-
-#
-# Generic fallback / legacy drivers
-#
-# CONFIG_PATA_ACPI is not set
-CONFIG_ATA_GENERIC=m
-# CONFIG_PATA_LEGACY is not set
-CONFIG_MD=y
-CONFIG_BLK_DEV_MD=m
-CONFIG_MD_LINEAR=m
-CONFIG_MD_RAID0=m
-CONFIG_MD_RAID1=m
-CONFIG_MD_RAID10=m
-CONFIG_MD_RAID456=m
-CONFIG_MD_MULTIPATH=m
-CONFIG_MD_FAULTY=m
-# CONFIG_MD_CLUSTER is not set
-CONFIG_BCACHE=m
-# CONFIG_BCACHE_DEBUG is not set
-CONFIG_BLK_DEV_DM_BUILTIN=y
-CONFIG_BLK_DEV_DM=m
-# CONFIG_DM_MQ_DEFAULT is not set
-# CONFIG_DM_DEBUG is not set
-CONFIG_DM_BUFIO=m
-CONFIG_DM_BIO_PRISON=m
-CONFIG_DM_PERSISTENT_DATA=m
-# CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set
-CONFIG_DM_CRYPT=m
-CONFIG_DM_SNAPSHOT=m
-CONFIG_DM_THIN_PROVISIONING=m
-CONFIG_DM_CACHE=m
-CONFIG_DM_CACHE_MQ=m
-CONFIG_DM_CACHE_SMQ=m
-CONFIG_DM_CACHE_CLEANER=m
-CONFIG_DM_ERA=m
-CONFIG_DM_MIRROR=m
-CONFIG_DM_LOG_USERSPACE=m
-CONFIG_DM_RAID=m
-CONFIG_DM_ZERO=m
-CONFIG_DM_MULTIPATH=m
-CONFIG_DM_MULTIPATH_QL=m
-CONFIG_DM_MULTIPATH_ST=m
-CONFIG_DM_DELAY=m
-CONFIG_DM_UEVENT=y
-CONFIG_DM_FLAKEY=m
-CONFIG_DM_VERITY=m
-CONFIG_DM_SWITCH=m
-CONFIG_DM_LOG_WRITES=m
-CONFIG_TARGET_CORE=m
-CONFIG_TCM_IBLOCK=m
-CONFIG_TCM_FILEIO=m
-CONFIG_TCM_PSCSI=m
-CONFIG_TCM_USER2=m
-CONFIG_LOOPBACK_TARGET=m
-CONFIG_TCM_FC=m
-CONFIG_ISCSI_TARGET=m
-CONFIG_SBP_TARGET=m
-CONFIG_FUSION=y
-CONFIG_FUSION_SPI=m
-CONFIG_FUSION_FC=m
-CONFIG_FUSION_SAS=m
-CONFIG_FUSION_MAX_SGE=128
-CONFIG_FUSION_CTL=m
-CONFIG_FUSION_LAN=m
-# CONFIG_FUSION_LOGGING is not set
-
-#
-# IEEE 1394 (FireWire) support
-#
-CONFIG_FIREWIRE=m
-CONFIG_FIREWIRE_OHCI=m
-CONFIG_FIREWIRE_SBP2=m
-CONFIG_FIREWIRE_NET=m
-CONFIG_FIREWIRE_NOSY=m
-CONFIG_MACINTOSH_DRIVERS=y
-CONFIG_MAC_EMUMOUSEBTN=y
-CONFIG_NETDEVICES=y
-CONFIG_MII=m
-CONFIG_NET_CORE=y
-CONFIG_BONDING=m
-CONFIG_DUMMY=m
-CONFIG_EQUALIZER=m
-CONFIG_NET_FC=y
-CONFIG_IFB=m
-CONFIG_NET_TEAM=m
-CONFIG_NET_TEAM_MODE_BROADCAST=m
-CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
-CONFIG_NET_TEAM_MODE_RANDOM=m
-CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m
-CONFIG_NET_TEAM_MODE_LOADBALANCE=m
-CONFIG_MACVLAN=m
-CONFIG_MACVTAP=m
-CONFIG_IPVLAN=m
-CONFIG_VXLAN=m
-CONFIG_GENEVE=m
-CONFIG_NETCONSOLE=m
-CONFIG_NETCONSOLE_DYNAMIC=y
-CONFIG_NETPOLL=y
-CONFIG_NET_POLL_CONTROLLER=y
-CONFIG_TUN=m
-# CONFIG_TUN_VNET_CROSS_LE is not set
-CONFIG_VETH=m
-CONFIG_VIRTIO_NET=m
-CONFIG_NLMON=m
-CONFIG_NET_VRF=m
-CONFIG_SUNGEM_PHY=m
-CONFIG_ARCNET=m
-CONFIG_ARCNET_1201=m
-CONFIG_ARCNET_1051=m
-CONFIG_ARCNET_RAW=m
-CONFIG_ARCNET_CAP=m
-CONFIG_ARCNET_COM90xx=m
-CONFIG_ARCNET_COM90xxIO=m
-CONFIG_ARCNET_RIM_I=m
-CONFIG_ARCNET_COM20020=m
-CONFIG_ARCNET_COM20020_PCI=m
-CONFIG_ARCNET_COM20020_CS=m
-CONFIG_ATM_DRIVERS=y
-CONFIG_ATM_DUMMY=m
-CONFIG_ATM_TCP=m
-CONFIG_ATM_LANAI=m
-CONFIG_ATM_ENI=m
-# CONFIG_ATM_ENI_DEBUG is not set
-# CONFIG_ATM_ENI_TUNE_BURST is not set
-CONFIG_ATM_FIRESTREAM=m
-CONFIG_ATM_ZATM=m
-# CONFIG_ATM_ZATM_DEBUG is not set
-CONFIG_ATM_NICSTAR=m
-CONFIG_ATM_NICSTAR_USE_SUNI=y
-CONFIG_ATM_NICSTAR_USE_IDT77105=y
-CONFIG_ATM_IDT77252=m
-# CONFIG_ATM_IDT77252_DEBUG is not set
-# CONFIG_ATM_IDT77252_RCV_ALL is not set
-CONFIG_ATM_IDT77252_USE_SUNI=y
-CONFIG_ATM_AMBASSADOR=m
-# CONFIG_ATM_AMBASSADOR_DEBUG is not set
-CONFIG_ATM_HORIZON=m
-# CONFIG_ATM_HORIZON_DEBUG is not set
-CONFIG_ATM_IA=m
-# CONFIG_ATM_IA_DEBUG is not set
-CONFIG_ATM_FORE200E=m
-# CONFIG_ATM_FORE200E_USE_TASKLET is not set
-CONFIG_ATM_FORE200E_TX_RETRY=16
-CONFIG_ATM_FORE200E_DEBUG=0
-CONFIG_ATM_HE=m
-CONFIG_ATM_HE_USE_SUNI=y
-CONFIG_ATM_SOLOS=m
-
-#
-# CAIF transport drivers
-#
-CONFIG_VHOST_NET=m
-CONFIG_VHOST_SCSI=m
-CONFIG_VHOST_RING=m
-CONFIG_VHOST=m
-# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
-
-#
-# Distributed Switch Architecture drivers
-#
-# CONFIG_NET_DSA_MV88E6XXX is not set
-# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
-CONFIG_ETHERNET=y
-CONFIG_MDIO=m
-CONFIG_NET_VENDOR_3COM=y
-CONFIG_PCMCIA_3C574=m
-CONFIG_PCMCIA_3C589=m
-CONFIG_VORTEX=m
-CONFIG_TYPHOON=m
-CONFIG_NET_VENDOR_ADAPTEC=y
-CONFIG_ADAPTEC_STARFIRE=m
-CONFIG_NET_VENDOR_AGERE=y
-CONFIG_ET131X=m
-CONFIG_NET_VENDOR_ALTEON=y
-CONFIG_ACENIC=m
-# CONFIG_ACENIC_OMIT_TIGON_I is not set
-# CONFIG_ALTERA_TSE is not set
-CONFIG_NET_VENDOR_AMD=y
-CONFIG_AMD8111_ETH=m
-CONFIG_PCNET32=m
-CONFIG_PCMCIA_NMCLAN=m
-# CONFIG_NET_VENDOR_ARC is not set
-CONFIG_NET_VENDOR_ATHEROS=y
-CONFIG_ATL2=m
-CONFIG_ATL1=m
-CONFIG_ATL1E=m
-CONFIG_ATL1C=m
-CONFIG_ALX=m
-# CONFIG_NET_VENDOR_AURORA is not set
-CONFIG_NET_CADENCE=y
-# CONFIG_MACB is not set
-CONFIG_NET_VENDOR_BROADCOM=y
-CONFIG_B44=m
-CONFIG_B44_PCI_AUTOSELECT=y
-CONFIG_B44_PCICORE_AUTOSELECT=y
-CONFIG_B44_PCI=y
-# CONFIG_BCMGENET is not set
-CONFIG_BNX2=m
-CONFIG_CNIC=m
-CONFIG_TIGON3=m
-CONFIG_BNX2X=m
-CONFIG_BNX2X_SRIOV=y
-CONFIG_BNX2X_VXLAN=y
-CONFIG_BNXT=m
-CONFIG_BNXT_SRIOV=y
-CONFIG_NET_VENDOR_BROCADE=y
-CONFIG_BNA=m
-CONFIG_NET_VENDOR_CAVIUM=y
-# CONFIG_THUNDER_NIC_PF is not set
-# CONFIG_THUNDER_NIC_VF is not set
-# CONFIG_THUNDER_NIC_BGX is not set
-CONFIG_LIQUIDIO=m
-CONFIG_NET_VENDOR_CHELSIO=y
-CONFIG_CHELSIO_T1=m
-CONFIG_CHELSIO_T1_1G=y
-CONFIG_CHELSIO_T3=m
-CONFIG_CHELSIO_T4=m
-CONFIG_CHELSIO_T4_DCB=y
-# CONFIG_CHELSIO_T4_FCOE is not set
-CONFIG_CHELSIO_T4VF=m
-CONFIG_NET_VENDOR_CISCO=y
-CONFIG_ENIC=m
-# CONFIG_CX_ECAT is not set
-# CONFIG_DNET is not set
-CONFIG_NET_VENDOR_DEC=y
-CONFIG_NET_TULIP=y
-CONFIG_DE2104X=m
-CONFIG_DE2104X_DSL=0
-CONFIG_TULIP=m
-# CONFIG_TULIP_MWI is not set
-# CONFIG_TULIP_MMIO is not set
-CONFIG_TULIP_NAPI=y
-CONFIG_TULIP_NAPI_HW_MITIGATION=y
-# CONFIG_DE4X5 is not set
-CONFIG_WINBOND_840=m
-CONFIG_DM9102=m
-CONFIG_ULI526X=m
-CONFIG_PCMCIA_XIRCOM=m
-CONFIG_NET_VENDOR_DLINK=y
-CONFIG_DL2K=m
-CONFIG_SUNDANCE=m
-# CONFIG_SUNDANCE_MMIO is not set
-CONFIG_NET_VENDOR_EMULEX=y
-CONFIG_BE2NET=m
-CONFIG_BE2NET_HWMON=y
-CONFIG_BE2NET_VXLAN=y
-CONFIG_NET_VENDOR_EZCHIP=y
-CONFIG_NET_VENDOR_EXAR=y
-CONFIG_S2IO=m
-CONFIG_VXGE=m
-# CONFIG_VXGE_DEBUG_TRACE_ALL is not set
-CONFIG_NET_VENDOR_FUJITSU=y
-CONFIG_PCMCIA_FMVJ18X=m
-CONFIG_NET_VENDOR_HP=y
-CONFIG_HP100=m
-CONFIG_NET_VENDOR_INTEL=y
-CONFIG_E100=m
-CONFIG_E1000=m
-CONFIG_E1000E=m
-CONFIG_IGB=m
-CONFIG_IGB_HWMON=y
-CONFIG_IGB_DCA=y
-CONFIG_IGBVF=m
-CONFIG_IXGB=m
-CONFIG_IXGBE=m
-CONFIG_IXGBE_VXLAN=y
-CONFIG_IXGBE_HWMON=y
-CONFIG_IXGBE_DCA=y
-CONFIG_IXGBE_DCB=y
-CONFIG_IXGBEVF=m
-CONFIG_I40E=m
-CONFIG_I40E_VXLAN=y
-CONFIG_I40E_DCB=y
-CONFIG_I40E_FCOE=y
-CONFIG_I40EVF=m
-# CONFIG_FM10K is not set
-CONFIG_NET_VENDOR_I825XX=y
-CONFIG_JME=m
-CONFIG_NET_VENDOR_MARVELL=y
-# CONFIG_MVMDIO is not set
-CONFIG_SKGE=m
-CONFIG_SKGE_GENESIS=y
-CONFIG_SKY2=m
-CONFIG_NET_VENDOR_MELLANOX=y
-CONFIG_MLX4_EN=m
-CONFIG_MLX4_EN_DCB=y
-CONFIG_MLX4_EN_VXLAN=y
-CONFIG_MLX4_CORE=m
-CONFIG_MLX4_DEBUG=y
-CONFIG_MLX5_CORE=m
-CONFIG_MLX5_CORE_EN=y
-# CONFIG_MLXSW_CORE is not set
-CONFIG_NET_VENDOR_MICREL=y
-# CONFIG_KS8842 is not set
-# CONFIG_KS8851 is not set
-# CONFIG_KS8851_MLL is not set
-CONFIG_KSZ884X_PCI=m
-CONFIG_NET_VENDOR_MICROCHIP=y
-# CONFIG_ENC28J60 is not set
-# CONFIG_ENCX24J600 is not set
-CONFIG_NET_VENDOR_MYRI=y
-CONFIG_MYRI10GE=m
-CONFIG_MYRI10GE_DCA=y
-CONFIG_FEALNX=m
-CONFIG_NET_VENDOR_NATSEMI=y
-CONFIG_NATSEMI=m
-CONFIG_NS83820=m
-CONFIG_NET_VENDOR_8390=y
-CONFIG_PCMCIA_AXNET=m
-CONFIG_NE2K_PCI=m
-CONFIG_PCMCIA_PCNET=m
-CONFIG_NET_VENDOR_NVIDIA=y
-CONFIG_FORCEDETH=m
-CONFIG_NET_VENDOR_OKI=y
-# CONFIG_ETHOC is not set
-CONFIG_NET_PACKET_ENGINE=y
-CONFIG_HAMACHI=m
-CONFIG_YELLOWFIN=m
-CONFIG_NET_VENDOR_QLOGIC=y
-CONFIG_QLA3XXX=m
-CONFIG_QLCNIC=m
-CONFIG_QLCNIC_SRIOV=y
-CONFIG_QLCNIC_DCB=y
-CONFIG_QLCNIC_VXLAN=y
-CONFIG_QLCNIC_HWMON=y
-CONFIG_QLGE=m
-CONFIG_NETXEN_NIC=m
-CONFIG_QED=m
-CONFIG_QEDE=m
-CONFIG_NET_VENDOR_QUALCOMM=y
-CONFIG_NET_VENDOR_REALTEK=y
-# CONFIG_ATP is not set
-CONFIG_8139CP=m
-CONFIG_8139TOO=m
-# CONFIG_8139TOO_PIO is not set
-CONFIG_8139TOO_TUNE_TWISTER=y
-CONFIG_8139TOO_8129=y
-# CONFIG_8139_OLD_RX_RESET is not set
-CONFIG_R8169=m
-CONFIG_NET_VENDOR_RENESAS=y
-CONFIG_NET_VENDOR_RDC=y
-CONFIG_R6040=m
-CONFIG_NET_VENDOR_ROCKER=y
-CONFIG_NET_VENDOR_SAMSUNG=y
-# CONFIG_SXGBE_ETH is not set
-# CONFIG_NET_VENDOR_SEEQ is not set
-CONFIG_NET_VENDOR_SILAN=y
-CONFIG_SC92031=m
-CONFIG_NET_VENDOR_SIS=y
-CONFIG_SIS900=m
-CONFIG_SIS190=m
-CONFIG_SFC=m
-CONFIG_SFC_MTD=y
-CONFIG_SFC_MCDI_MON=y
-CONFIG_SFC_SRIOV=y
-CONFIG_SFC_MCDI_LOGGING=y
-CONFIG_NET_VENDOR_SMSC=y
-CONFIG_PCMCIA_SMC91C92=m
-CONFIG_EPIC100=m
-# CONFIG_SMSC911X is not set
-CONFIG_SMSC9420=m
-CONFIG_NET_VENDOR_STMICRO=y
-# CONFIG_STMMAC_ETH is not set
-CONFIG_NET_VENDOR_SUN=y
-CONFIG_HAPPYMEAL=m
-CONFIG_SUNGEM=m
-CONFIG_CASSINI=m
-CONFIG_NIU=m
-CONFIG_NET_VENDOR_SYNOPSYS=y
-CONFIG_NET_VENDOR_TEHUTI=y
-CONFIG_TEHUTI=m
-CONFIG_NET_VENDOR_TI=y
-# CONFIG_TI_CPSW_ALE is not set
-CONFIG_TLAN=m
-CONFIG_NET_VENDOR_VIA=y
-CONFIG_VIA_RHINE=m
-# CONFIG_VIA_RHINE_MMIO is not set
-CONFIG_VIA_VELOCITY=m
-CONFIG_NET_VENDOR_WIZNET=y
-# CONFIG_WIZNET_W5100 is not set
-# CONFIG_WIZNET_W5300 is not set
-CONFIG_NET_VENDOR_XIRCOM=y
-CONFIG_PCMCIA_XIRC2PS=m
-CONFIG_FDDI=y
-CONFIG_DEFXX=m
-# CONFIG_DEFXX_MMIO is not set
-CONFIG_SKFP=m
-CONFIG_HIPPI=y
-CONFIG_ROADRUNNER=m
-# CONFIG_ROADRUNNER_LARGE_RINGS is not set
-CONFIG_NET_SB1000=m
-CONFIG_PHYLIB=m
-
-#
-# MII PHY device drivers
-#
-CONFIG_AQUANTIA_PHY=m
-CONFIG_AT803X_PHY=m
-CONFIG_AMD_PHY=m
-CONFIG_MARVELL_PHY=m
-CONFIG_DAVICOM_PHY=m
-CONFIG_QSEMI_PHY=m
-CONFIG_LXT_PHY=m
-CONFIG_CICADA_PHY=m
-CONFIG_VITESSE_PHY=m
-CONFIG_TERANETICS_PHY=m
-CONFIG_SMSC_PHY=m
-CONFIG_BCM_NET_PHYLIB=m
-CONFIG_BROADCOM_PHY=m
-# CONFIG_BCM7XXX_PHY is not set
-CONFIG_BCM87XX_PHY=m
-CONFIG_ICPLUS_PHY=m
-CONFIG_REALTEK_PHY=m
-CONFIG_NATIONAL_PHY=m
-CONFIG_STE10XP=m
-CONFIG_LSI_ET1011C_PHY=m
-CONFIG_MICREL_PHY=m
-CONFIG_DP83848_PHY=m
-CONFIG_DP83867_PHY=m
-CONFIG_MICROCHIP_PHY=m
-# CONFIG_FIXED_PHY is not set
-# CONFIG_MDIO_BITBANG is not set
-# CONFIG_MDIO_OCTEON is not set
-# CONFIG_MDIO_BCM_UNIMAC is not set
-# CONFIG_MICREL_KS8995MA is not set
-CONFIG_PLIP=m
-CONFIG_PPP=m
-CONFIG_PPP_BSDCOMP=m
-CONFIG_PPP_DEFLATE=m
-CONFIG_PPP_FILTER=y
-CONFIG_PPP_MPPE=m
-CONFIG_PPP_MULTILINK=y
-CONFIG_PPPOATM=m
-CONFIG_PPPOE=m
-CONFIG_PPTP=m
-CONFIG_PPPOL2TP=m
-CONFIG_PPP_ASYNC=m
-CONFIG_PPP_SYNC_TTY=m
-CONFIG_SLIP=m
-CONFIG_SLHC=m
-CONFIG_SLIP_COMPRESSED=y
-CONFIG_SLIP_SMART=y
-CONFIG_SLIP_MODE_SLIP6=y
-
-#
-# Host-side USB support is needed for USB Network Adapter support
-#
-CONFIG_USB_NET_DRIVERS=m
-CONFIG_USB_CATC=m
-CONFIG_USB_KAWETH=m
-CONFIG_USB_PEGASUS=m
-CONFIG_USB_RTL8150=m
-CONFIG_USB_RTL8152=m
-CONFIG_USB_LAN78XX=m
-CONFIG_USB_USBNET=m
-CONFIG_USB_NET_AX8817X=m
-CONFIG_USB_NET_AX88179_178A=m
-CONFIG_USB_NET_CDCETHER=m
-CONFIG_USB_NET_CDC_EEM=m
-CONFIG_USB_NET_CDC_NCM=m
-CONFIG_USB_NET_HUAWEI_CDC_NCM=m
-CONFIG_USB_NET_CDC_MBIM=m
-CONFIG_USB_NET_DM9601=m
-CONFIG_USB_NET_SR9700=m
-CONFIG_USB_NET_SR9800=m
-CONFIG_USB_NET_SMSC75XX=m
-CONFIG_USB_NET_SMSC95XX=m
-CONFIG_USB_NET_GL620A=m
-CONFIG_USB_NET_NET1080=m
-CONFIG_USB_NET_PLUSB=m
-CONFIG_USB_NET_MCS7830=m
-CONFIG_USB_NET_RNDIS_HOST=m
-CONFIG_USB_NET_CDC_SUBSET=m
-CONFIG_USB_ALI_M5632=y
-CONFIG_USB_AN2720=y
-CONFIG_USB_BELKIN=y
-CONFIG_USB_ARMLINUX=y
-CONFIG_USB_EPSON2888=y
-CONFIG_USB_KC2190=y
-CONFIG_USB_NET_ZAURUS=m
-CONFIG_USB_NET_CX82310_ETH=m
-CONFIG_USB_NET_KALMIA=m
-CONFIG_USB_NET_QMI_WWAN=m
-CONFIG_USB_HSO=m
-CONFIG_USB_NET_INT51X1=m
-CONFIG_USB_CDC_PHONET=m
-CONFIG_USB_IPHETH=m
-CONFIG_USB_SIERRA_NET=m
-CONFIG_USB_VL600=m
-CONFIG_USB_NET_CH9200=m
-CONFIG_WLAN=y
-CONFIG_PCMCIA_RAYCS=m
-CONFIG_LIBERTAS_THINFIRM=m
-# CONFIG_LIBERTAS_THINFIRM_DEBUG is not set
-CONFIG_LIBERTAS_THINFIRM_USB=m
-CONFIG_AIRO=m
-CONFIG_ATMEL=m
-CONFIG_PCI_ATMEL=m
-CONFIG_PCMCIA_ATMEL=m
-CONFIG_AT76C50X_USB=m
-CONFIG_AIRO_CS=m
-CONFIG_PCMCIA_WL3501=m
-# CONFIG_PRISM54 is not set
-CONFIG_USB_ZD1201=m
-CONFIG_USB_NET_RNDIS_WLAN=m
-CONFIG_ADM8211=m
-CONFIG_RTL8180=m
-CONFIG_RTL8187=m
-CONFIG_RTL8187_LEDS=y
-CONFIG_MAC80211_HWSIM=m
-CONFIG_MWL8K=m
-CONFIG_ATH_COMMON=m
-CONFIG_ATH_CARDS=m
-# CONFIG_ATH_DEBUG is not set
-CONFIG_ATH5K=m
-# CONFIG_ATH5K_DEBUG is not set
-CONFIG_ATH5K_PCI=y
-CONFIG_ATH9K_HW=m
-CONFIG_ATH9K_COMMON=m
-CONFIG_ATH9K_BTCOEX_SUPPORT=y
-CONFIG_ATH9K=m
-CONFIG_ATH9K_PCI=y
-# CONFIG_ATH9K_AHB is not set
-# CONFIG_ATH9K_DYNACK is not set
-# CONFIG_ATH9K_WOW is not set
-CONFIG_ATH9K_RFKILL=y
-# CONFIG_ATH9K_CHANNEL_CONTEXT is not set
-CONFIG_ATH9K_PCOEM=y
-CONFIG_ATH9K_HTC=m
-CONFIG_CARL9170=m
-CONFIG_CARL9170_LEDS=y
-CONFIG_CARL9170_WPC=y
-# CONFIG_CARL9170_HWRNG is not set
-CONFIG_ATH6KL=m
-CONFIG_ATH6KL_SDIO=m
-CONFIG_ATH6KL_USB=m
-# CONFIG_ATH6KL_DEBUG is not set
-CONFIG_AR5523=m
-CONFIG_WIL6210=m
-CONFIG_WIL6210_ISR_COR=y
-CONFIG_ATH10K=m
-CONFIG_ATH10K_PCI=m
-# CONFIG_ATH10K_DEBUG is not set
-# CONFIG_WCN36XX is not set
-CONFIG_B43=m
-CONFIG_B43_BCMA=y
-CONFIG_B43_SSB=y
-CONFIG_B43_BUSES_BCMA_AND_SSB=y
-# CONFIG_B43_BUSES_BCMA is not set
-# CONFIG_B43_BUSES_SSB is not set
-CONFIG_B43_PCI_AUTOSELECT=y
-CONFIG_B43_PCICORE_AUTOSELECT=y
-CONFIG_B43_SDIO=y
-CONFIG_B43_BCMA_PIO=y
-CONFIG_B43_PIO=y
-CONFIG_B43_PHY_G=y
-CONFIG_B43_PHY_N=y
-CONFIG_B43_PHY_LP=y
-CONFIG_B43_PHY_HT=y
-CONFIG_B43_LEDS=y
-CONFIG_B43_HWRNG=y
-# CONFIG_B43_DEBUG is not set
-CONFIG_B43LEGACY=m
-CONFIG_B43LEGACY_PCI_AUTOSELECT=y
-CONFIG_B43LEGACY_PCICORE_AUTOSELECT=y
-CONFIG_B43LEGACY_LEDS=y
-CONFIG_B43LEGACY_HWRNG=y
-CONFIG_B43LEGACY_DEBUG=y
-CONFIG_B43LEGACY_DMA=y
-CONFIG_B43LEGACY_PIO=y
-CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
-# CONFIG_B43LEGACY_DMA_MODE is not set
-# CONFIG_B43LEGACY_PIO_MODE is not set
-CONFIG_BRCMUTIL=m
-CONFIG_BRCMSMAC=m
-CONFIG_BRCMFMAC=m
-CONFIG_BRCMFMAC_PROTO_BCDC=y
-CONFIG_BRCMFMAC_PROTO_MSGBUF=y
-CONFIG_BRCMFMAC_SDIO=y
-CONFIG_BRCMFMAC_USB=y
-CONFIG_BRCMFMAC_PCIE=y
-# CONFIG_BRCM_TRACING is not set
-# CONFIG_BRCMDBG is not set
-CONFIG_HOSTAP=m
-CONFIG_HOSTAP_FIRMWARE=y
-# CONFIG_HOSTAP_FIRMWARE_NVRAM is not set
-CONFIG_HOSTAP_PLX=m
-CONFIG_HOSTAP_PCI=m
-CONFIG_HOSTAP_CS=m
-# CONFIG_IPW2100 is not set
-CONFIG_IPW2200=m
-CONFIG_IPW2200_MONITOR=y
-CONFIG_IPW2200_RADIOTAP=y
-CONFIG_IPW2200_PROMISCUOUS=y
-CONFIG_IPW2200_QOS=y
-# CONFIG_IPW2200_DEBUG is not set
-CONFIG_LIBIPW=m
-# CONFIG_LIBIPW_DEBUG is not set
-CONFIG_IWLWIFI=m
-CONFIG_IWLWIFI_LEDS=y
-CONFIG_IWLDVM=m
-CONFIG_IWLMVM=m
-CONFIG_IWLWIFI_OPMODE_MODULAR=y
-# CONFIG_IWLWIFI_BCAST_FILTERING is not set
-# CONFIG_IWLWIFI_UAPSD is not set
-
-#
-# Debugging Options
-#
-# CONFIG_IWLWIFI_DEBUG is not set
-CONFIG_IWLEGACY=m
-CONFIG_IWL4965=m
-CONFIG_IWL3945=m
-
-#
-# iwl3945 / iwl4965 Debugging Options
-#
-# CONFIG_IWLEGACY_DEBUG is not set
-CONFIG_LIBERTAS=m
-CONFIG_LIBERTAS_USB=m
-CONFIG_LIBERTAS_CS=m
-CONFIG_LIBERTAS_SDIO=m
-# CONFIG_LIBERTAS_SPI is not set
-# CONFIG_LIBERTAS_DEBUG is not set
-CONFIG_LIBERTAS_MESH=y
-CONFIG_HERMES=m
-# CONFIG_HERMES_PRISM is not set
-CONFIG_HERMES_CACHE_FW_ON_INIT=y
-CONFIG_PLX_HERMES=m
-CONFIG_TMD_HERMES=m
-CONFIG_NORTEL_HERMES=m
-CONFIG_PCMCIA_HERMES=m
-CONFIG_PCMCIA_SPECTRUM=m
-CONFIG_ORINOCO_USB=m
-CONFIG_P54_COMMON=m
-CONFIG_P54_USB=m
-CONFIG_P54_PCI=m
-# CONFIG_P54_SPI is not set
-CONFIG_P54_LEDS=y
-CONFIG_RT2X00=m
-CONFIG_RT2400PCI=m
-CONFIG_RT2500PCI=m
-CONFIG_RT61PCI=m
-CONFIG_RT2800PCI=m
-CONFIG_RT2800PCI_RT33XX=y
-CONFIG_RT2800PCI_RT35XX=y
-CONFIG_RT2800PCI_RT53XX=y
-CONFIG_RT2800PCI_RT3290=y
-CONFIG_RT2500USB=m
-CONFIG_RT73USB=m
-CONFIG_RT2800USB=m
-CONFIG_RT2800USB_RT33XX=y
-CONFIG_RT2800USB_RT35XX=y
-CONFIG_RT2800USB_RT3573=y
-CONFIG_RT2800USB_RT53XX=y
-CONFIG_RT2800USB_RT55XX=y
-# CONFIG_RT2800USB_UNKNOWN is not set
-CONFIG_RT2800_LIB=m
-CONFIG_RT2800_LIB_MMIO=m
-CONFIG_RT2X00_LIB_MMIO=m
-CONFIG_RT2X00_LIB_PCI=m
-CONFIG_RT2X00_LIB_USB=m
-CONFIG_RT2X00_LIB=m
-CONFIG_RT2X00_LIB_FIRMWARE=y
-CONFIG_RT2X00_LIB_CRYPTO=y
-CONFIG_RT2X00_LIB_LEDS=y
-# CONFIG_RT2X00_DEBUG is not set
-CONFIG_WL_MEDIATEK=y
-CONFIG_MT7601U=m
-CONFIG_RTL_CARDS=m
-CONFIG_RTL8192CE=m
-CONFIG_RTL8192SE=m
-CONFIG_RTL8192DE=m
-CONFIG_RTL8723AE=m
-CONFIG_RTL8723BE=m
-CONFIG_RTL8188EE=m
-CONFIG_RTL8192EE=m
-CONFIG_RTL8821AE=m
-CONFIG_RTL8192CU=m
-CONFIG_RTLWIFI=m
-CONFIG_RTLWIFI_PCI=m
-CONFIG_RTLWIFI_USB=m
-# CONFIG_RTLWIFI_DEBUG is not set
-CONFIG_RTL8192C_COMMON=m
-CONFIG_RTL8723_COMMON=m
-CONFIG_RTLBTCOEXIST=m
-# CONFIG_RTL8XXXU is not set
-# CONFIG_WL_TI is not set
-CONFIG_ZD1211RW=m
-# CONFIG_ZD1211RW_DEBUG is not set
-CONFIG_MWIFIEX=m
-CONFIG_MWIFIEX_SDIO=m
-CONFIG_MWIFIEX_PCIE=m
-CONFIG_MWIFIEX_USB=m
-# CONFIG_CW1200 is not set
-CONFIG_RSI_91X=m
-CONFIG_RSI_DEBUGFS=y
-# CONFIG_RSI_SDIO is not set
-CONFIG_RSI_USB=m
-
-#
-# WiMAX Wireless Broadband devices
-#
-CONFIG_WIMAX_I2400M=m
-CONFIG_WIMAX_I2400M_USB=m
-CONFIG_WIMAX_I2400M_DEBUG_LEVEL=8
-CONFIG_WAN=y
-CONFIG_LANMEDIA=m
-CONFIG_HDLC=m
-CONFIG_HDLC_RAW=m
-CONFIG_HDLC_RAW_ETH=m
-CONFIG_HDLC_CISCO=m
-CONFIG_HDLC_FR=m
-CONFIG_HDLC_PPP=m
-# CONFIG_HDLC_X25 is not set
-CONFIG_PCI200SYN=m
-CONFIG_WANXL=m
-# CONFIG_PC300TOO is not set
-CONFIG_FARSYNC=m
-CONFIG_DSCC4=m
-CONFIG_DSCC4_PCISYNC=y
-CONFIG_DSCC4_PCI_RST=y
-CONFIG_DLCI=m
-CONFIG_DLCI_MAX=8
-# CONFIG_SBNI is not set
-CONFIG_IEEE802154_DRIVERS=m
-CONFIG_VMXNET3=m
-CONFIG_FUJITSU_ES=m
-CONFIG_HYPERV_NET=m
-CONFIG_ISDN=y
-# CONFIG_ISDN_I4L is not set
-CONFIG_ISDN_CAPI=m
-CONFIG_CAPI_TRACE=y
-CONFIG_ISDN_CAPI_CAPI20=m
-CONFIG_ISDN_CAPI_MIDDLEWARE=y
-
-#
-# CAPI hardware drivers
-#
-CONFIG_CAPI_AVM=y
-CONFIG_ISDN_DRV_AVMB1_B1PCI=m
-CONFIG_ISDN_DRV_AVMB1_B1PCIV4=y
-CONFIG_ISDN_DRV_AVMB1_B1PCMCIA=m
-CONFIG_ISDN_DRV_AVMB1_AVM_CS=m
-CONFIG_ISDN_DRV_AVMB1_T1PCI=m
-CONFIG_ISDN_DRV_AVMB1_C4=m
-CONFIG_CAPI_EICON=y
-CONFIG_ISDN_DIVAS=m
-CONFIG_ISDN_DIVAS_BRIPCI=y
-CONFIG_ISDN_DIVAS_PRIPCI=y
-CONFIG_ISDN_DIVAS_DIVACAPI=m
-CONFIG_ISDN_DIVAS_USERIDI=m
-CONFIG_ISDN_DIVAS_MAINT=m
-CONFIG_ISDN_DRV_GIGASET=m
-CONFIG_GIGASET_CAPI=y
-# CONFIG_GIGASET_DUMMYLL is not set
-CONFIG_GIGASET_BASE=m
-CONFIG_GIGASET_M105=m
-CONFIG_GIGASET_M101=m
-# CONFIG_GIGASET_DEBUG is not set
-CONFIG_HYSDN=m
-CONFIG_HYSDN_CAPI=y
-CONFIG_MISDN=m
-CONFIG_MISDN_DSP=m
-CONFIG_MISDN_L1OIP=m
-
-#
-# mISDN hardware drivers
-#
-CONFIG_MISDN_HFCPCI=m
-CONFIG_MISDN_HFCMULTI=m
-CONFIG_MISDN_HFCUSB=m
-CONFIG_MISDN_AVMFRITZ=m
-CONFIG_MISDN_SPEEDFAX=m
-CONFIG_MISDN_INFINEON=m
-CONFIG_MISDN_W6692=m
-# CONFIG_MISDN_NETJET is not set
-CONFIG_MISDN_IPAC=m
-CONFIG_MISDN_ISAR=m
-# CONFIG_NVM is not set
-
-#
-# Input device support
-#
-CONFIG_INPUT=y
-CONFIG_INPUT_LEDS=y
-CONFIG_INPUT_FF_MEMLESS=m
-CONFIG_INPUT_POLLDEV=m
-CONFIG_INPUT_SPARSEKMAP=m
-CONFIG_INPUT_MATRIXKMAP=m
-
-#
-# Userland interfaces
-#
-CONFIG_INPUT_MOUSEDEV=y
-CONFIG_INPUT_MOUSEDEV_PSAUX=y
-CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
-CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
-CONFIG_INPUT_JOYDEV=m
-CONFIG_INPUT_EVDEV=m
-# CONFIG_INPUT_EVBUG is not set
-
-#
-# Input Device Drivers
-#
-CONFIG_INPUT_KEYBOARD=y
-CONFIG_KEYBOARD_ADP5588=m
-# CONFIG_KEYBOARD_ADP5589 is not set
-CONFIG_KEYBOARD_ATKBD=y
-# CONFIG_KEYBOARD_QT1070 is not set
-CONFIG_KEYBOARD_QT2160=m
-CONFIG_KEYBOARD_LKKBD=m
-CONFIG_KEYBOARD_GPIO=m
-# CONFIG_KEYBOARD_GPIO_POLLED is not set
-# CONFIG_KEYBOARD_TCA6416 is not set
-# CONFIG_KEYBOARD_TCA8418 is not set
-# CONFIG_KEYBOARD_MATRIX is not set
-CONFIG_KEYBOARD_LM8323=m
-# CONFIG_KEYBOARD_LM8333 is not set
-CONFIG_KEYBOARD_MAX7359=m
-# CONFIG_KEYBOARD_MCS is not set
-# CONFIG_KEYBOARD_MPR121 is not set
-CONFIG_KEYBOARD_NEWTON=m
-CONFIG_KEYBOARD_OPENCORES=m
-# CONFIG_KEYBOARD_SAMSUNG is not set
-CONFIG_KEYBOARD_STOWAWAY=m
-CONFIG_KEYBOARD_SUNKBD=m
-CONFIG_KEYBOARD_XTKBD=m
-CONFIG_INPUT_MOUSE=y
-CONFIG_MOUSE_PS2=m
-CONFIG_MOUSE_PS2_ALPS=y
-CONFIG_MOUSE_PS2_LOGIPS2PP=y
-CONFIG_MOUSE_PS2_SYNAPTICS=y
-CONFIG_MOUSE_PS2_CYPRESS=y
-CONFIG_MOUSE_PS2_LIFEBOOK=y
-CONFIG_MOUSE_PS2_TRACKPOINT=y
-CONFIG_MOUSE_PS2_ELANTECH=y
-CONFIG_MOUSE_PS2_SENTELIC=y
-# CONFIG_MOUSE_PS2_TOUCHKIT is not set
-CONFIG_MOUSE_PS2_FOCALTECH=y
-CONFIG_MOUSE_PS2_VMMOUSE=y
-CONFIG_MOUSE_SERIAL=m
-CONFIG_MOUSE_APPLETOUCH=m
-CONFIG_MOUSE_BCM5974=m
-CONFIG_MOUSE_CYAPA=m
-CONFIG_MOUSE_ELAN_I2C=m
-CONFIG_MOUSE_ELAN_I2C_I2C=y
-CONFIG_MOUSE_ELAN_I2C_SMBUS=y
-CONFIG_MOUSE_VSXXXAA=m
-# CONFIG_MOUSE_GPIO is not set
-CONFIG_MOUSE_SYNAPTICS_I2C=m
-CONFIG_MOUSE_SYNAPTICS_USB=m
-CONFIG_INPUT_JOYSTICK=y
-CONFIG_JOYSTICK_ANALOG=m
-CONFIG_JOYSTICK_A3D=m
-CONFIG_JOYSTICK_ADI=m
-CONFIG_JOYSTICK_COBRA=m
-CONFIG_JOYSTICK_GF2K=m
-CONFIG_JOYSTICK_GRIP=m
-CONFIG_JOYSTICK_GRIP_MP=m
-CONFIG_JOYSTICK_GUILLEMOT=m
-CONFIG_JOYSTICK_INTERACT=m
-CONFIG_JOYSTICK_SIDEWINDER=m
-CONFIG_JOYSTICK_TMDC=m
-CONFIG_JOYSTICK_IFORCE=m
-CONFIG_JOYSTICK_IFORCE_USB=y
-CONFIG_JOYSTICK_IFORCE_232=y
-CONFIG_JOYSTICK_WARRIOR=m
-CONFIG_JOYSTICK_MAGELLAN=m
-CONFIG_JOYSTICK_SPACEORB=m
-CONFIG_JOYSTICK_SPACEBALL=m
-CONFIG_JOYSTICK_STINGER=m
-CONFIG_JOYSTICK_TWIDJOY=m
-CONFIG_JOYSTICK_ZHENHUA=m
-CONFIG_JOYSTICK_DB9=m
-CONFIG_JOYSTICK_GAMECON=m
-CONFIG_JOYSTICK_TURBOGRAFX=m
-# CONFIG_JOYSTICK_AS5011 is not set
-CONFIG_JOYSTICK_JOYDUMP=m
-CONFIG_JOYSTICK_XPAD=m
-CONFIG_JOYSTICK_XPAD_FF=y
-CONFIG_JOYSTICK_XPAD_LEDS=y
-CONFIG_JOYSTICK_WALKERA0701=m
-CONFIG_INPUT_TABLET=y
-CONFIG_TABLET_USB_ACECAD=m
-CONFIG_TABLET_USB_AIPTEK=m
-CONFIG_TABLET_USB_GTCO=m
-CONFIG_TABLET_USB_HANWANG=m
-CONFIG_TABLET_USB_KBTAB=m
-CONFIG_TABLET_SERIAL_WACOM4=m
-CONFIG_INPUT_TOUCHSCREEN=y
-CONFIG_TOUCHSCREEN_PROPERTIES=y
-CONFIG_TOUCHSCREEN_ADS7846=m
-CONFIG_TOUCHSCREEN_AD7877=m
-CONFIG_TOUCHSCREEN_AD7879=m
-CONFIG_TOUCHSCREEN_AD7879_I2C=m
-# CONFIG_TOUCHSCREEN_AD7879_SPI is not set
-CONFIG_TOUCHSCREEN_ATMEL_MXT=m
-# CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set
-# CONFIG_TOUCHSCREEN_BU21013 is not set
-# CONFIG_TOUCHSCREEN_CY8CTMG110 is not set
-# CONFIG_TOUCHSCREEN_CYTTSP_CORE is not set
-# CONFIG_TOUCHSCREEN_CYTTSP4_CORE is not set
-CONFIG_TOUCHSCREEN_DYNAPRO=m
-CONFIG_TOUCHSCREEN_HAMPSHIRE=m
-CONFIG_TOUCHSCREEN_EETI=m
-# CONFIG_TOUCHSCREEN_FT6236 is not set
-CONFIG_TOUCHSCREEN_FUJITSU=m
-# CONFIG_TOUCHSCREEN_GOODIX is not set
-# CONFIG_TOUCHSCREEN_ILI210X is not set
-CONFIG_TOUCHSCREEN_GUNZE=m
-# CONFIG_TOUCHSCREEN_ELAN is not set
-CONFIG_TOUCHSCREEN_ELO=m
-CONFIG_TOUCHSCREEN_WACOM_W8001=m
-# CONFIG_TOUCHSCREEN_WACOM_I2C is not set
-# CONFIG_TOUCHSCREEN_MAX11801 is not set
-CONFIG_TOUCHSCREEN_MCS5000=m
-# CONFIG_TOUCHSCREEN_MMS114 is not set
-CONFIG_TOUCHSCREEN_MTOUCH=m
-CONFIG_TOUCHSCREEN_INEXIO=m
-CONFIG_TOUCHSCREEN_MK712=m
-CONFIG_TOUCHSCREEN_PENMOUNT=m
-# CONFIG_TOUCHSCREEN_EDT_FT5X06 is not set
-CONFIG_TOUCHSCREEN_TOUCHRIGHT=m
-CONFIG_TOUCHSCREEN_TOUCHWIN=m
-# CONFIG_TOUCHSCREEN_PIXCIR is not set
-# CONFIG_TOUCHSCREEN_WDT87XX_I2C is not set
-CONFIG_TOUCHSCREEN_WM97XX=m
-CONFIG_TOUCHSCREEN_WM9705=y
-CONFIG_TOUCHSCREEN_WM9712=y
-CONFIG_TOUCHSCREEN_WM9713=y
-CONFIG_TOUCHSCREEN_USB_COMPOSITE=m
-CONFIG_TOUCHSCREEN_USB_EGALAX=y
-CONFIG_TOUCHSCREEN_USB_PANJIT=y
-CONFIG_TOUCHSCREEN_USB_3M=y
-CONFIG_TOUCHSCREEN_USB_ITM=y
-CONFIG_TOUCHSCREEN_USB_ETURBO=y
-CONFIG_TOUCHSCREEN_USB_GUNZE=y
-CONFIG_TOUCHSCREEN_USB_DMC_TSC10=y
-CONFIG_TOUCHSCREEN_USB_IRTOUCH=y
-CONFIG_TOUCHSCREEN_USB_IDEALTEK=y
-CONFIG_TOUCHSCREEN_USB_GENERAL_TOUCH=y
-CONFIG_TOUCHSCREEN_USB_GOTOP=y
-CONFIG_TOUCHSCREEN_USB_JASTEC=y
-CONFIG_TOUCHSCREEN_USB_ELO=y
-CONFIG_TOUCHSCREEN_USB_E2I=y
-CONFIG_TOUCHSCREEN_USB_ZYTRONIC=y
-CONFIG_TOUCHSCREEN_USB_ETT_TC45USB=y
-CONFIG_TOUCHSCREEN_USB_NEXIO=y
-CONFIG_TOUCHSCREEN_USB_EASYTOUCH=y
-CONFIG_TOUCHSCREEN_TOUCHIT213=m
-CONFIG_TOUCHSCREEN_TSC_SERIO=m
-# CONFIG_TOUCHSCREEN_TSC2004 is not set
-# CONFIG_TOUCHSCREEN_TSC2005 is not set
-CONFIG_TOUCHSCREEN_TSC2007=m
-# CONFIG_TOUCHSCREEN_ST1232 is not set
-CONFIG_TOUCHSCREEN_SUR40=m
-# CONFIG_TOUCHSCREEN_SX8654 is not set
-CONFIG_TOUCHSCREEN_TPS6507X=m
-# CONFIG_TOUCHSCREEN_ZFORCE is not set
-# CONFIG_TOUCHSCREEN_ROHM_BU21023 is not set
-CONFIG_INPUT_MISC=y
-# CONFIG_INPUT_AD714X is not set
-# CONFIG_INPUT_BMA150 is not set
-# CONFIG_INPUT_E3X0_BUTTON is not set
-CONFIG_INPUT_PCSPKR=m
-# CONFIG_INPUT_MMA8450 is not set
-# CONFIG_INPUT_MPU3050 is not set
-CONFIG_INPUT_APANEL=m
-# CONFIG_INPUT_GP2A is not set
-# CONFIG_INPUT_GPIO_BEEPER is not set
-# CONFIG_INPUT_GPIO_TILT_POLLED is not set
-CONFIG_INPUT_ATLAS_BTNS=m
-CONFIG_INPUT_ATI_REMOTE2=m
-CONFIG_INPUT_KEYSPAN_REMOTE=m
-# CONFIG_INPUT_KXTJ9 is not set
-CONFIG_INPUT_POWERMATE=m
-CONFIG_INPUT_YEALINK=m
-CONFIG_INPUT_CM109=m
-CONFIG_INPUT_UINPUT=m
-# CONFIG_INPUT_PCF8574 is not set
-# CONFIG_INPUT_GPIO_ROTARY_ENCODER is not set
-# CONFIG_INPUT_ADXL34X is not set
-# CONFIG_INPUT_IMS_PCU is not set
-# CONFIG_INPUT_CMA3000 is not set
-CONFIG_INPUT_IDEAPAD_SLIDEBAR=m
-CONFIG_INPUT_SOC_BUTTON_ARRAY=m
-# CONFIG_INPUT_DRV260X_HAPTICS is not set
-# CONFIG_INPUT_DRV2665_HAPTICS is not set
-# CONFIG_INPUT_DRV2667_HAPTICS is not set
-
-#
-# Hardware I/O ports
-#
-CONFIG_SERIO=y
-CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
-CONFIG_SERIO_I8042=y
-CONFIG_SERIO_SERPORT=m
-CONFIG_SERIO_CT82C710=m
-CONFIG_SERIO_PARKBD=m
-CONFIG_SERIO_PCIPS2=m
-CONFIG_SERIO_LIBPS2=y
-CONFIG_SERIO_RAW=m
-CONFIG_SERIO_ALTERA_PS2=m
-# CONFIG_SERIO_PS2MULT is not set
-# CONFIG_SERIO_ARC_PS2 is not set
-CONFIG_HYPERV_KEYBOARD=m
-# CONFIG_USERIO is not set
-CONFIG_GAMEPORT=m
-CONFIG_GAMEPORT_NS558=m
-CONFIG_GAMEPORT_L4=m
-CONFIG_GAMEPORT_EMU10K1=m
-CONFIG_GAMEPORT_FM801=m
-
-#
-# Character devices
-#
-CONFIG_TTY=y
-CONFIG_VT=y
-CONFIG_CONSOLE_TRANSLATIONS=y
-CONFIG_VT_CONSOLE=y
-CONFIG_VT_CONSOLE_SLEEP=y
-CONFIG_HW_CONSOLE=y
-CONFIG_VT_HW_CONSOLE_BINDING=y
-CONFIG_UNIX98_PTYS=y
-CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
-# CONFIG_LEGACY_PTYS is not set
-CONFIG_SERIAL_NONSTANDARD=y
-CONFIG_ROCKETPORT=m
-CONFIG_CYCLADES=m
-# CONFIG_CYZ_INTR is not set
-CONFIG_MOXA_INTELLIO=m
-CONFIG_MOXA_SMARTIO=m
-CONFIG_SYNCLINK=m
-CONFIG_SYNCLINKMP=m
-CONFIG_SYNCLINK_GT=m
-CONFIG_NOZOMI=m
-CONFIG_ISI=m
-CONFIG_N_HDLC=m
-CONFIG_N_GSM=m
-# CONFIG_TRACE_SINK is not set
-CONFIG_DEVMEM=y
-
-#
-# Serial drivers
-#
-CONFIG_SERIAL_EARLYCON=y
-CONFIG_SERIAL_8250=y
-# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set
-CONFIG_SERIAL_8250_PNP=y
-CONFIG_SERIAL_8250_CONSOLE=y
-CONFIG_SERIAL_8250_DMA=y
-CONFIG_SERIAL_8250_PCI=y
-CONFIG_SERIAL_8250_CS=m
-CONFIG_SERIAL_8250_NR_UARTS=32
-CONFIG_SERIAL_8250_RUNTIME_UARTS=4
-CONFIG_SERIAL_8250_EXTENDED=y
-CONFIG_SERIAL_8250_MANY_PORTS=y
-CONFIG_SERIAL_8250_SHARE_IRQ=y
-# CONFIG_SERIAL_8250_DETECT_IRQ is not set
-CONFIG_SERIAL_8250_RSA=y
-# CONFIG_SERIAL_8250_FSL is not set
-CONFIG_SERIAL_8250_DW=y
-# CONFIG_SERIAL_8250_RT288X is not set
-CONFIG_SERIAL_8250_FINTEK=m
-# CONFIG_SERIAL_8250_MID is not set
-
-#
-# Non-8250 serial port support
-#
-# CONFIG_SERIAL_MAX3100 is not set
-# CONFIG_SERIAL_MAX310X is not set
-# CONFIG_SERIAL_UARTLITE is not set
-CONFIG_SERIAL_CORE=y
-CONFIG_SERIAL_CORE_CONSOLE=y
-CONFIG_SERIAL_JSM=m
-# CONFIG_SERIAL_SCCNXP is not set
-# CONFIG_SERIAL_SC16IS7XX is not set
-# CONFIG_SERIAL_ALTERA_JTAGUART is not set
-# CONFIG_SERIAL_ALTERA_UART is not set
-# CONFIG_SERIAL_IFX6X60 is not set
-# CONFIG_SERIAL_ARC is not set
-CONFIG_SERIAL_RP2=m
-CONFIG_SERIAL_RP2_NR_UARTS=32
-# CONFIG_SERIAL_FSL_LPUART is not set
-CONFIG_TTY_PRINTK=m
-CONFIG_PRINTER=m
-# CONFIG_LP_CONSOLE is not set
-CONFIG_PPDEV=m
-CONFIG_HVC_DRIVER=y
-CONFIG_VIRTIO_CONSOLE=m
-CONFIG_IPMI_HANDLER=m
-# CONFIG_IPMI_PANIC_EVENT is not set
-CONFIG_IPMI_DEVICE_INTERFACE=m
-CONFIG_IPMI_SI=m
-# CONFIG_IPMI_SI_PROBE_DEFAULTS is not set
-# CONFIG_IPMI_SSIF is not set
-CONFIG_IPMI_WATCHDOG=m
-CONFIG_IPMI_POWEROFF=m
-CONFIG_HW_RANDOM=m
-# CONFIG_HW_RANDOM_TIMERIOMEM is not set
-CONFIG_HW_RANDOM_INTEL=m
-CONFIG_HW_RANDOM_AMD=m
-CONFIG_HW_RANDOM_VIA=m
-CONFIG_HW_RANDOM_VIRTIO=m
-CONFIG_HW_RANDOM_TPM=m
-CONFIG_NVRAM=m
-CONFIG_R3964=m
-CONFIG_APPLICOM=m
-
-#
-# PCMCIA character devices
-#
-CONFIG_SYNCLINK_CS=m
-CONFIG_CARDMAN_4000=m
-CONFIG_CARDMAN_4040=m
-CONFIG_IPWIRELESS=m
-CONFIG_MWAVE=m
-CONFIG_RAW_DRIVER=m
-CONFIG_MAX_RAW_DEVS=256
-CONFIG_HPET=y
-CONFIG_HPET_MMAP=y
-CONFIG_HPET_MMAP_DEFAULT=y
-CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=m
-CONFIG_TCG_TIS=m
-CONFIG_TCG_TIS_I2C_ATMEL=m
-CONFIG_TCG_TIS_I2C_INFINEON=m
-CONFIG_TCG_TIS_I2C_NUVOTON=m
-CONFIG_TCG_NSC=m
-CONFIG_TCG_ATMEL=m
-CONFIG_TCG_INFINEON=m
-CONFIG_TCG_CRB=m
-CONFIG_TCG_TIS_ST33ZP24=m
-CONFIG_TCG_TIS_ST33ZP24_I2C=m
-# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
-CONFIG_TELCLOCK=m
-# CONFIG_XILLYBUS is not set
-
-#
-# I2C support
-#
-CONFIG_I2C=y
-CONFIG_ACPI_I2C_OPREGION=y
-CONFIG_I2C_BOARDINFO=y
-CONFIG_I2C_COMPAT=y
-CONFIG_I2C_CHARDEV=m
-CONFIG_I2C_MUX=m
-
-#
-# Multiplexer I2C Chip support
-#
-# CONFIG_I2C_MUX_GPIO is not set
-# CONFIG_I2C_MUX_PCA9541 is not set
-# CONFIG_I2C_MUX_PCA954x is not set
-# CONFIG_I2C_MUX_PINCTRL is not set
-# CONFIG_I2C_MUX_REG is not set
-CONFIG_I2C_HELPER_AUTO=y
-CONFIG_I2C_SMBUS=m
-CONFIG_I2C_ALGOBIT=m
-CONFIG_I2C_ALGOPCA=m
-
-#
-# I2C Hardware Bus support
-#
-
-#
-# PC SMBus host controller drivers
-#
-CONFIG_I2C_ALI1535=m
-CONFIG_I2C_ALI1563=m
-CONFIG_I2C_ALI15X3=m
-CONFIG_I2C_AMD756=m
-CONFIG_I2C_AMD756_S4882=m
-CONFIG_I2C_AMD8111=m
-CONFIG_I2C_I801=m
-CONFIG_I2C_ISCH=m
-CONFIG_I2C_ISMT=m
-CONFIG_I2C_PIIX4=m
-CONFIG_I2C_NFORCE2=m
-CONFIG_I2C_NFORCE2_S4985=m
-CONFIG_I2C_SIS5595=m
-CONFIG_I2C_SIS630=m
-CONFIG_I2C_SIS96X=m
-CONFIG_I2C_VIA=m
-CONFIG_I2C_VIAPRO=m
-
-#
-# ACPI drivers
-#
-CONFIG_I2C_SCMI=m
-
-#
-# I2C system bus drivers (mostly embedded / system-on-chip)
-#
-# CONFIG_I2C_CBUS_GPIO is not set
-CONFIG_I2C_DESIGNWARE_CORE=m
-CONFIG_I2C_DESIGNWARE_PLATFORM=m
-CONFIG_I2C_DESIGNWARE_PCI=m
-# CONFIG_I2C_EMEV2 is not set
-# CONFIG_I2C_GPIO is not set
-CONFIG_I2C_KEMPLD=m
-CONFIG_I2C_OCORES=m
-CONFIG_I2C_PCA_PLATFORM=m
-# CONFIG_I2C_PXA_PCI is not set
-CONFIG_I2C_SIMTEC=m
-# CONFIG_I2C_XILINX is not set
-
-#
-# External I2C/SMBus adapter drivers
-#
-CONFIG_I2C_DIOLAN_U2C=m
-CONFIG_I2C_PARPORT=m
-CONFIG_I2C_PARPORT_LIGHT=m
-CONFIG_I2C_ROBOTFUZZ_OSIF=m
-CONFIG_I2C_TAOS_EVM=m
-CONFIG_I2C_TINY_USB=m
-CONFIG_I2C_VIPERBOARD=m
-
-#
-# Other I2C/SMBus bus drivers
-#
-CONFIG_I2C_STUB=m
-# CONFIG_I2C_SLAVE is not set
-# CONFIG_I2C_DEBUG_CORE is not set
-# CONFIG_I2C_DEBUG_ALGO is not set
-# CONFIG_I2C_DEBUG_BUS is not set
-CONFIG_SPI=y
-# CONFIG_SPI_DEBUG is not set
-CONFIG_SPI_MASTER=y
-
-#
-# SPI Master Controller Drivers
-#
-# CONFIG_SPI_ALTERA is not set
-CONFIG_SPI_BITBANG=m
-CONFIG_SPI_BUTTERFLY=m
-# CONFIG_SPI_CADENCE is not set
-# CONFIG_SPI_GPIO is not set
-CONFIG_SPI_LM70_LLP=m
-# CONFIG_SPI_OC_TINY is not set
-# CONFIG_SPI_PXA2XX is not set
-# CONFIG_SPI_PXA2XX_PCI is not set
-# CONFIG_SPI_SC18IS602 is not set
-# CONFIG_SPI_XCOMM is not set
-# CONFIG_SPI_XILINX is not set
-# CONFIG_SPI_ZYNQMP_GQSPI is not set
-# CONFIG_SPI_DESIGNWARE is not set
-
-#
-# SPI Protocol Masters
-#
-# CONFIG_SPI_SPIDEV is not set
-# CONFIG_SPI_TLE62X0 is not set
-# CONFIG_SPMI is not set
-# CONFIG_HSI is not set
-
-#
-# PPS support
-#
-CONFIG_PPS=m
-# CONFIG_PPS_DEBUG is not set
-# CONFIG_NTP_PPS is not set
-
-#
-# PPS clients support
-#
-# CONFIG_PPS_CLIENT_KTIMER is not set
-CONFIG_PPS_CLIENT_LDISC=m
-CONFIG_PPS_CLIENT_PARPORT=m
-# CONFIG_PPS_CLIENT_GPIO is not set
-
-#
-# PPS generators support
-#
-
-#
-# PTP clock support
-#
-CONFIG_PTP_1588_CLOCK=m
-
-#
-# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
-#
-CONFIG_PINCTRL=y
-
-#
-# Pin controllers
-#
-CONFIG_PINMUX=y
-CONFIG_PINCONF=y
-CONFIG_GENERIC_PINCONF=y
-# CONFIG_DEBUG_PINCTRL is not set
-# CONFIG_PINCTRL_AMD is not set
-CONFIG_PINCTRL_BAYTRAIL=y
-CONFIG_PINCTRL_CHERRYVIEW=y
-CONFIG_PINCTRL_INTEL=y
-CONFIG_PINCTRL_BROXTON=y
-CONFIG_PINCTRL_SUNRISEPOINT=y
-CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
-CONFIG_GPIOLIB=y
-CONFIG_GPIO_DEVRES=y
-CONFIG_GPIO_ACPI=y
-CONFIG_GPIOLIB_IRQCHIP=y
-# CONFIG_DEBUG_GPIO is not set
-CONFIG_GPIO_SYSFS=y
-
-#
-# Memory mapped GPIO drivers
-#
-# CONFIG_GPIO_AMDPT is not set
-# CONFIG_GPIO_DWAPB is not set
-# CONFIG_GPIO_GENERIC_PLATFORM is not set
-# CONFIG_GPIO_ICH is not set
-# CONFIG_GPIO_LYNXPOINT is not set
-# CONFIG_GPIO_VX855 is not set
-# CONFIG_GPIO_ZX is not set
-
-#
-# Port-mapped I/O GPIO drivers
-#
-# CONFIG_GPIO_104_IDIO_16 is not set
-# CONFIG_GPIO_F7188X is not set
-# CONFIG_GPIO_IT87 is not set
-# CONFIG_GPIO_SCH is not set
-# CONFIG_GPIO_SCH311X is not set
-
-#
-# I2C GPIO expanders
-#
-# CONFIG_GPIO_ADP5588 is not set
-# CONFIG_GPIO_MAX7300 is not set
-# CONFIG_GPIO_MAX732X is not set
-# CONFIG_GPIO_PCA953X is not set
-# CONFIG_GPIO_PCF857X is not set
-# CONFIG_GPIO_SX150X is not set
-
-#
-# MFD GPIO expanders
-#
-CONFIG_GPIO_KEMPLD=m
-
-#
-# PCI GPIO expanders
-#
-# CONFIG_GPIO_AMD8111 is not set
-# CONFIG_GPIO_INTEL_MID is not set
-CONFIG_GPIO_ML_IOH=m
-# CONFIG_GPIO_RDC321X is not set
-
-#
-# SPI GPIO expanders
-#
-# CONFIG_GPIO_MAX7301 is not set
-# CONFIG_GPIO_MC33880 is not set
-
-#
-# SPI or I2C GPIO expanders
-#
-# CONFIG_GPIO_MCP23S08 is not set
-
-#
-# USB GPIO expanders
-#
-CONFIG_GPIO_VIPERBOARD=m
-CONFIG_W1=m
-CONFIG_W1_CON=y
-
-#
-# 1-wire Bus Masters
-#
-CONFIG_W1_MASTER_MATROX=m
-CONFIG_W1_MASTER_DS2490=m
-CONFIG_W1_MASTER_DS2482=m
-# CONFIG_W1_MASTER_DS1WM is not set
-# CONFIG_W1_MASTER_GPIO is not set
-
-#
-# 1-wire Slaves
-#
-CONFIG_W1_SLAVE_THERM=m
-CONFIG_W1_SLAVE_SMEM=m
-# CONFIG_W1_SLAVE_DS2408 is not set
-# CONFIG_W1_SLAVE_DS2413 is not set
-# CONFIG_W1_SLAVE_DS2406 is not set
-# CONFIG_W1_SLAVE_DS2423 is not set
-CONFIG_W1_SLAVE_DS2431=m
-CONFIG_W1_SLAVE_DS2433=m
-# CONFIG_W1_SLAVE_DS2433_CRC is not set
-# CONFIG_W1_SLAVE_DS2760 is not set
-# CONFIG_W1_SLAVE_DS2780 is not set
-# CONFIG_W1_SLAVE_DS2781 is not set
-# CONFIG_W1_SLAVE_DS28E04 is not set
-CONFIG_W1_SLAVE_BQ27000=m
-CONFIG_POWER_SUPPLY=y
-# CONFIG_POWER_SUPPLY_DEBUG is not set
-# CONFIG_PDA_POWER is not set
-# CONFIG_GENERIC_ADC_BATTERY is not set
-# CONFIG_TEST_POWER is not set
-# CONFIG_BATTERY_DS2780 is not set
-# CONFIG_BATTERY_DS2781 is not set
-# CONFIG_BATTERY_DS2782 is not set
-CONFIG_BATTERY_SBS=m
-# CONFIG_BATTERY_BQ27XXX is not set
-# CONFIG_BATTERY_MAX17040 is not set
-# CONFIG_BATTERY_MAX17042 is not set
-# CONFIG_CHARGER_MAX8903 is not set
-# CONFIG_CHARGER_LP8727 is not set
-# CONFIG_CHARGER_GPIO is not set
-# CONFIG_CHARGER_BQ2415X is not set
-# CONFIG_CHARGER_BQ24190 is not set
-# CONFIG_CHARGER_BQ24257 is not set
-# CONFIG_CHARGER_BQ24735 is not set
-# CONFIG_CHARGER_BQ25890 is not set
-# CONFIG_CHARGER_SMB347 is not set
-# CONFIG_BATTERY_GAUGE_LTC2941 is not set
-# CONFIG_CHARGER_RT9455 is not set
-# CONFIG_POWER_RESET is not set
-# CONFIG_POWER_AVS is not set
-CONFIG_HWMON=y
-CONFIG_HWMON_VID=m
-# CONFIG_HWMON_DEBUG_CHIP is not set
-
-#
-# Native drivers
-#
-CONFIG_SENSORS_ABITUGURU=m
-CONFIG_SENSORS_ABITUGURU3=m
-# CONFIG_SENSORS_AD7314 is not set
-CONFIG_SENSORS_AD7414=m
-CONFIG_SENSORS_AD7418=m
-CONFIG_SENSORS_ADM1021=m
-CONFIG_SENSORS_ADM1025=m
-CONFIG_SENSORS_ADM1026=m
-CONFIG_SENSORS_ADM1029=m
-CONFIG_SENSORS_ADM1031=m
-CONFIG_SENSORS_ADM9240=m
-# CONFIG_SENSORS_ADT7310 is not set
-# CONFIG_SENSORS_ADT7410 is not set
-CONFIG_SENSORS_ADT7411=m
-CONFIG_SENSORS_ADT7462=m
-CONFIG_SENSORS_ADT7470=m
-CONFIG_SENSORS_ADT7475=m
-CONFIG_SENSORS_ASC7621=m
-CONFIG_SENSORS_K8TEMP=m
-CONFIG_SENSORS_K10TEMP=m
-CONFIG_SENSORS_FAM15H_POWER=m
-CONFIG_SENSORS_APPLESMC=m
-CONFIG_SENSORS_ASB100=m
-CONFIG_SENSORS_ATXP1=m
-CONFIG_SENSORS_DS620=m
-CONFIG_SENSORS_DS1621=m
-CONFIG_SENSORS_DELL_SMM=m
-CONFIG_SENSORS_I5K_AMB=m
-CONFIG_SENSORS_F71805F=m
-CONFIG_SENSORS_F71882FG=m
-CONFIG_SENSORS_F75375S=m
-CONFIG_SENSORS_FSCHMD=m
-CONFIG_SENSORS_GL518SM=m
-CONFIG_SENSORS_GL520SM=m
-CONFIG_SENSORS_G760A=m
-# CONFIG_SENSORS_G762 is not set
-# CONFIG_SENSORS_GPIO_FAN is not set
-# CONFIG_SENSORS_HIH6130 is not set
-CONFIG_SENSORS_IBMAEM=m
-CONFIG_SENSORS_IBMPEX=m
-# CONFIG_SENSORS_IIO_HWMON is not set
-CONFIG_SENSORS_I5500=m
-CONFIG_SENSORS_CORETEMP=m
-CONFIG_SENSORS_IT87=m
-CONFIG_SENSORS_JC42=m
-# CONFIG_SENSORS_POWR1220 is not set
-CONFIG_SENSORS_LINEAGE=m
-# CONFIG_SENSORS_LTC2945 is not set
-CONFIG_SENSORS_LTC4151=m
-CONFIG_SENSORS_LTC4215=m
-# CONFIG_SENSORS_LTC4222 is not set
-CONFIG_SENSORS_LTC4245=m
-# CONFIG_SENSORS_LTC4260 is not set
-CONFIG_SENSORS_LTC4261=m
-CONFIG_SENSORS_MAX1111=m
-CONFIG_SENSORS_MAX16065=m
-CONFIG_SENSORS_MAX1619=m
-CONFIG_SENSORS_MAX1668=m
-# CONFIG_SENSORS_MAX197 is not set
-CONFIG_SENSORS_MAX6639=m
-CONFIG_SENSORS_MAX6642=m
-CONFIG_SENSORS_MAX6650=m
-# CONFIG_SENSORS_MAX6697 is not set
-# CONFIG_SENSORS_MAX31790 is not set
-# CONFIG_SENSORS_HTU21 is not set
-# CONFIG_SENSORS_MCP3021 is not set
-CONFIG_SENSORS_MENF21BMC_HWMON=m
-CONFIG_SENSORS_ADCXX=m
-CONFIG_SENSORS_LM63=m
-CONFIG_SENSORS_LM70=m
-CONFIG_SENSORS_LM73=m
-CONFIG_SENSORS_LM75=m
-CONFIG_SENSORS_LM77=m
-CONFIG_SENSORS_LM78=m
-CONFIG_SENSORS_LM80=m
-CONFIG_SENSORS_LM83=m
-CONFIG_SENSORS_LM85=m
-CONFIG_SENSORS_LM87=m
-CONFIG_SENSORS_LM90=m
-CONFIG_SENSORS_LM92=m
-CONFIG_SENSORS_LM93=m
-# CONFIG_SENSORS_LM95234 is not set
-CONFIG_SENSORS_LM95241=m
-CONFIG_SENSORS_LM95245=m
-CONFIG_SENSORS_PC87360=m
-CONFIG_SENSORS_PC87427=m
-CONFIG_SENSORS_NTC_THERMISTOR=m
-CONFIG_SENSORS_NCT6683=m
-CONFIG_SENSORS_NCT6775=m
-# CONFIG_SENSORS_NCT7802 is not set
-# CONFIG_SENSORS_NCT7904 is not set
-CONFIG_SENSORS_PCF8591=m
-# CONFIG_PMBUS is not set
-# CONFIG_SENSORS_SHT15 is not set
-CONFIG_SENSORS_SHT21=m
-# CONFIG_SENSORS_SHTC1 is not set
-CONFIG_SENSORS_SIS5595=m
-CONFIG_SENSORS_DME1737=m
-CONFIG_SENSORS_EMC1403=m
-CONFIG_SENSORS_EMC2103=m
-CONFIG_SENSORS_EMC6W201=m
-CONFIG_SENSORS_SMSC47M1=m
-CONFIG_SENSORS_SMSC47M192=m
-CONFIG_SENSORS_SMSC47B397=m
-CONFIG_SENSORS_SCH56XX_COMMON=m
-CONFIG_SENSORS_SCH5627=m
-CONFIG_SENSORS_SCH5636=m
-CONFIG_SENSORS_SMM665=m
-# CONFIG_SENSORS_ADC128D818 is not set
-CONFIG_SENSORS_ADS1015=m
-CONFIG_SENSORS_ADS7828=m
-CONFIG_SENSORS_ADS7871=m
-CONFIG_SENSORS_AMC6821=m
-# CONFIG_SENSORS_INA209 is not set
-# CONFIG_SENSORS_INA2XX is not set
-# CONFIG_SENSORS_TC74 is not set
-CONFIG_SENSORS_THMC50=m
-CONFIG_SENSORS_TMP102=m
-# CONFIG_SENSORS_TMP103 is not set
-CONFIG_SENSORS_TMP401=m
-CONFIG_SENSORS_TMP421=m
-CONFIG_SENSORS_VIA_CPUTEMP=m
-CONFIG_SENSORS_VIA686A=m
-CONFIG_SENSORS_VT1211=m
-CONFIG_SENSORS_VT8231=m
-CONFIG_SENSORS_W83781D=m
-CONFIG_SENSORS_W83791D=m
-CONFIG_SENSORS_W83792D=m
-CONFIG_SENSORS_W83793=m
-CONFIG_SENSORS_W83795=m
-# CONFIG_SENSORS_W83795_FANCTRL is not set
-CONFIG_SENSORS_W83L785TS=m
-CONFIG_SENSORS_W83L786NG=m
-CONFIG_SENSORS_W83627HF=m
-CONFIG_SENSORS_W83627EHF=m
-
-#
-# ACPI drivers
-#
-CONFIG_SENSORS_ACPI_POWER=m
-CONFIG_SENSORS_ATK0110=m
-CONFIG_THERMAL=y
-CONFIG_THERMAL_HWMON=y
-CONFIG_THERMAL_WRITABLE_TRIPS=y
-CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
-# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
-# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
-# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
-CONFIG_THERMAL_GOV_FAIR_SHARE=y
-CONFIG_THERMAL_GOV_STEP_WISE=y
-CONFIG_THERMAL_GOV_BANG_BANG=y
-CONFIG_THERMAL_GOV_USER_SPACE=y
-# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
-# CONFIG_THERMAL_EMULATION is not set
-CONFIG_INTEL_POWERCLAMP=m
-CONFIG_X86_PKG_TEMP_THERMAL=m
-CONFIG_INTEL_SOC_DTS_IOSF_CORE=m
-CONFIG_INTEL_SOC_DTS_THERMAL=m
-CONFIG_INT340X_THERMAL=m
-CONFIG_ACPI_THERMAL_REL=m
-CONFIG_INTEL_PCH_THERMAL=m
-CONFIG_WATCHDOG=y
-CONFIG_WATCHDOG_CORE=y
-# CONFIG_WATCHDOG_NOWAYOUT is not set
-
-#
-# Watchdog Device Drivers
-#
-CONFIG_SOFT_WATCHDOG=m
-CONFIG_MENF21BMC_WATCHDOG=m
-# CONFIG_XILINX_WATCHDOG is not set
-# CONFIG_CADENCE_WATCHDOG is not set
-# CONFIG_DW_WATCHDOG is not set
-# CONFIG_MAX63XX_WATCHDOG is not set
-CONFIG_ACQUIRE_WDT=m
-CONFIG_ADVANTECH_WDT=m
-CONFIG_ALIM1535_WDT=m
-CONFIG_ALIM7101_WDT=m
-CONFIG_F71808E_WDT=m
-CONFIG_SP5100_TCO=m
-CONFIG_SBC_FITPC2_WATCHDOG=m
-CONFIG_EUROTECH_WDT=m
-CONFIG_IB700_WDT=m
-CONFIG_IBMASR=m
-CONFIG_WAFER_WDT=m
-CONFIG_I6300ESB_WDT=m
-CONFIG_IE6XX_WDT=m
-CONFIG_ITCO_WDT=m
-CONFIG_ITCO_VENDOR_SUPPORT=y
-CONFIG_IT8712F_WDT=m
-CONFIG_IT87_WDT=m
-CONFIG_HP_WATCHDOG=m
-CONFIG_KEMPLD_WDT=m
-CONFIG_HPWDT_NMI_DECODING=y
-CONFIG_SC1200_WDT=m
-CONFIG_PC87413_WDT=m
-CONFIG_NV_TCO=m
-CONFIG_60XX_WDT=m
-CONFIG_CPU5_WDT=m
-CONFIG_SMSC_SCH311X_WDT=m
-CONFIG_SMSC37B787_WDT=m
-CONFIG_VIA_WDT=m
-CONFIG_W83627HF_WDT=m
-CONFIG_W83877F_WDT=m
-CONFIG_W83977F_WDT=m
-CONFIG_MACHZ_WDT=m
-CONFIG_SBC_EPX_C3_WATCHDOG=m
-# CONFIG_BCM7038_WDT is not set
-# CONFIG_MEN_A21_WDT is not set
-
-#
-# PCI-based Watchdog Cards
-#
-CONFIG_PCIPCWATCHDOG=m
-CONFIG_WDTPCI=m
-
-#
-# USB-based Watchdog Cards
-#
-CONFIG_USBPCWATCHDOG=m
-CONFIG_SSB_POSSIBLE=y
-
-#
-# Sonics Silicon Backplane
-#
-CONFIG_SSB=m
-CONFIG_SSB_SPROM=y
-CONFIG_SSB_BLOCKIO=y
-CONFIG_SSB_PCIHOST_POSSIBLE=y
-CONFIG_SSB_PCIHOST=y
-CONFIG_SSB_B43_PCI_BRIDGE=y
-CONFIG_SSB_PCMCIAHOST_POSSIBLE=y
-CONFIG_SSB_PCMCIAHOST=y
-CONFIG_SSB_SDIOHOST_POSSIBLE=y
-CONFIG_SSB_SDIOHOST=y
-# CONFIG_SSB_HOST_SOC is not set
-# CONFIG_SSB_SILENT is not set
-# CONFIG_SSB_DEBUG is not set
-CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y
-CONFIG_SSB_DRIVER_PCICORE=y
-# CONFIG_SSB_DRIVER_GPIO is not set
-CONFIG_BCMA_POSSIBLE=y
-
-#
-# Broadcom specific AMBA
-#
-CONFIG_BCMA=m
-CONFIG_BCMA_BLOCKIO=y
-CONFIG_BCMA_HOST_PCI_POSSIBLE=y
-CONFIG_BCMA_HOST_PCI=y
-# CONFIG_BCMA_HOST_SOC is not set
-CONFIG_BCMA_DRIVER_PCI=y
-# CONFIG_BCMA_DRIVER_GMAC_CMN is not set
-# CONFIG_BCMA_DRIVER_GPIO is not set
-# CONFIG_BCMA_DEBUG is not set
-
-#
-# Multifunction device drivers
-#
-CONFIG_MFD_CORE=m
-# CONFIG_MFD_AS3711 is not set
-# CONFIG_PMIC_ADP5520 is not set
-# CONFIG_MFD_AAT2870_CORE is not set
-# CONFIG_MFD_BCM590XX is not set
-# CONFIG_MFD_AXP20X is not set
-# CONFIG_MFD_CROS_EC is not set
-# CONFIG_PMIC_DA903X is not set
-# CONFIG_MFD_DA9052_SPI is not set
-# CONFIG_MFD_DA9052_I2C is not set
-# CONFIG_MFD_DA9055 is not set
-# CONFIG_MFD_DA9062 is not set
-# CONFIG_MFD_DA9063 is not set
-# CONFIG_MFD_DA9150 is not set
-# CONFIG_MFD_DLN2 is not set
-# CONFIG_MFD_MC13XXX_SPI is not set
-# CONFIG_MFD_MC13XXX_I2C is not set
-# CONFIG_HTC_PASIC3 is not set
-# CONFIG_HTC_I2CPLD is not set
-# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set
-CONFIG_LPC_ICH=m
-CONFIG_LPC_SCH=m
-# CONFIG_INTEL_SOC_PMIC is not set
-CONFIG_MFD_INTEL_LPSS=m
-CONFIG_MFD_INTEL_LPSS_ACPI=m
-CONFIG_MFD_INTEL_LPSS_PCI=m
-# CONFIG_MFD_JANZ_CMODIO is not set
-CONFIG_MFD_KEMPLD=m
-# CONFIG_MFD_88PM800 is not set
-# CONFIG_MFD_88PM805 is not set
-# CONFIG_MFD_88PM860X is not set
-# CONFIG_MFD_MAX14577 is not set
-# CONFIG_MFD_MAX77693 is not set
-# CONFIG_MFD_MAX77843 is not set
-# CONFIG_MFD_MAX8907 is not set
-# CONFIG_MFD_MAX8925 is not set
-# CONFIG_MFD_MAX8997 is not set
-# CONFIG_MFD_MAX8998 is not set
-# CONFIG_MFD_MT6397 is not set
-CONFIG_MFD_MENF21BMC=m
-# CONFIG_EZX_PCAP is not set
-CONFIG_MFD_VIPERBOARD=m
-# CONFIG_MFD_RETU is not set
-# CONFIG_MFD_PCF50633 is not set
-# CONFIG_UCB1400_CORE is not set
-# CONFIG_MFD_RDC321X is not set
-CONFIG_MFD_RTSX_PCI=m
-# CONFIG_MFD_RT5033 is not set
-CONFIG_MFD_RTSX_USB=m
-# CONFIG_MFD_RC5T583 is not set
-# CONFIG_MFD_RN5T618 is not set
-# CONFIG_MFD_SEC_CORE is not set
-# CONFIG_MFD_SI476X_CORE is not set
-# CONFIG_MFD_SM501 is not set
-# CONFIG_MFD_SKY81452 is not set
-# CONFIG_MFD_SMSC is not set
-# CONFIG_ABX500_CORE is not set
-# CONFIG_MFD_SYSCON is not set
-# CONFIG_MFD_TI_AM335X_TSCADC is not set
-# CONFIG_MFD_LP3943 is not set
-# CONFIG_MFD_LP8788 is not set
-# CONFIG_MFD_PALMAS is not set
-# CONFIG_TPS6105X is not set
-# CONFIG_TPS65010 is not set
-# CONFIG_TPS6507X is not set
-# CONFIG_MFD_TPS65090 is not set
-# CONFIG_MFD_TPS65217 is not set
-# CONFIG_MFD_TPS65218 is not set
-# CONFIG_MFD_TPS6586X is not set
-# CONFIG_MFD_TPS65910 is not set
-# CONFIG_MFD_TPS65912 is not set
-# CONFIG_MFD_TPS65912_I2C is not set
-# CONFIG_MFD_TPS65912_SPI is not set
-# CONFIG_MFD_TPS80031 is not set
-# CONFIG_TWL4030_CORE is not set
-# CONFIG_TWL6040_CORE is not set
-# CONFIG_MFD_WL1273_CORE is not set
-# CONFIG_MFD_LM3533 is not set
-# CONFIG_MFD_TMIO is not set
-# CONFIG_MFD_VX855 is not set
-# CONFIG_MFD_ARIZONA_I2C is not set
-# CONFIG_MFD_ARIZONA_SPI is not set
-# CONFIG_MFD_WM8400 is not set
-# CONFIG_MFD_WM831X_I2C is not set
-# CONFIG_MFD_WM831X_SPI is not set
-# CONFIG_MFD_WM8350_I2C is not set
-# CONFIG_MFD_WM8994 is not set
-# CONFIG_REGULATOR is not set
-CONFIG_MEDIA_SUPPORT=m
-
-#
-# Multimedia core support
-#
-CONFIG_MEDIA_CAMERA_SUPPORT=y
-CONFIG_MEDIA_ANALOG_TV_SUPPORT=y
-CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
-CONFIG_MEDIA_RADIO_SUPPORT=y
-CONFIG_MEDIA_SDR_SUPPORT=y
-CONFIG_MEDIA_RC_SUPPORT=y
-CONFIG_MEDIA_CONTROLLER=y
-CONFIG_VIDEO_DEV=m
-# CONFIG_VIDEO_V4L2_SUBDEV_API is not set
-CONFIG_VIDEO_V4L2=m
-# CONFIG_VIDEO_ADV_DEBUG is not set
-# CONFIG_VIDEO_FIXED_MINOR_RANGES is not set
-CONFIG_VIDEO_TUNER=m
-CONFIG_VIDEOBUF_GEN=m
-CONFIG_VIDEOBUF_DMA_SG=m
-CONFIG_VIDEOBUF_VMALLOC=m
-CONFIG_VIDEOBUF_DVB=m
-CONFIG_VIDEOBUF2_CORE=m
-CONFIG_VIDEOBUF2_MEMOPS=m
-CONFIG_VIDEOBUF2_DMA_CONTIG=m
-CONFIG_VIDEOBUF2_VMALLOC=m
-CONFIG_VIDEOBUF2_DMA_SG=m
-CONFIG_VIDEOBUF2_DVB=m
-CONFIG_DVB_CORE=m
-CONFIG_DVB_NET=y
-CONFIG_TTPCI_EEPROM=m
-CONFIG_DVB_MAX_ADAPTERS=8
-CONFIG_DVB_DYNAMIC_MINORS=y
-
-#
-# Media drivers
-#
-CONFIG_RC_CORE=m
-CONFIG_RC_MAP=m
-CONFIG_RC_DECODERS=y
-CONFIG_LIRC=m
-CONFIG_IR_LIRC_CODEC=m
-CONFIG_IR_NEC_DECODER=m
-CONFIG_IR_RC5_DECODER=m
-CONFIG_IR_RC6_DECODER=m
-CONFIG_IR_JVC_DECODER=m
-CONFIG_IR_SONY_DECODER=m
-CONFIG_IR_SANYO_DECODER=m
-CONFIG_IR_SHARP_DECODER=m
-CONFIG_IR_MCE_KBD_DECODER=m
-CONFIG_IR_XMP_DECODER=m
-CONFIG_RC_DEVICES=y
-CONFIG_RC_ATI_REMOTE=m
-CONFIG_IR_ENE=m
-# CONFIG_IR_HIX5HD2 is not set
-CONFIG_IR_IMON=m
-CONFIG_IR_MCEUSB=m
-CONFIG_IR_ITE_CIR=m
-CONFIG_IR_FINTEK=m
-CONFIG_IR_NUVOTON=m
-CONFIG_IR_REDRAT3=m
-CONFIG_IR_STREAMZAP=m
-CONFIG_IR_WINBOND_CIR=m
-CONFIG_IR_IGORPLUGUSB=m
-CONFIG_IR_IGUANA=m
-CONFIG_IR_TTUSBIR=m
-CONFIG_RC_LOOPBACK=m
-# CONFIG_IR_GPIO_CIR is not set
-CONFIG_MEDIA_USB_SUPPORT=y
-
-#
-# Webcam devices
-#
-CONFIG_USB_VIDEO_CLASS=m
-CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y
-CONFIG_USB_GSPCA=m
-CONFIG_USB_M5602=m
-CONFIG_USB_STV06XX=m
-CONFIG_USB_GL860=m
-CONFIG_USB_GSPCA_BENQ=m
-CONFIG_USB_GSPCA_CONEX=m
-CONFIG_USB_GSPCA_CPIA1=m
-CONFIG_USB_GSPCA_DTCS033=m
-CONFIG_USB_GSPCA_ETOMS=m
-CONFIG_USB_GSPCA_FINEPIX=m
-CONFIG_USB_GSPCA_JEILINJ=m
-CONFIG_USB_GSPCA_JL2005BCD=m
-CONFIG_USB_GSPCA_KINECT=m
-CONFIG_USB_GSPCA_KONICA=m
-CONFIG_USB_GSPCA_MARS=m
-CONFIG_USB_GSPCA_MR97310A=m
-CONFIG_USB_GSPCA_NW80X=m
-CONFIG_USB_GSPCA_OV519=m
-CONFIG_USB_GSPCA_OV534=m
-CONFIG_USB_GSPCA_OV534_9=m
-CONFIG_USB_GSPCA_PAC207=m
-CONFIG_USB_GSPCA_PAC7302=m
-CONFIG_USB_GSPCA_PAC7311=m
-CONFIG_USB_GSPCA_SE401=m
-CONFIG_USB_GSPCA_SN9C2028=m
-CONFIG_USB_GSPCA_SN9C20X=m
-CONFIG_USB_GSPCA_SONIXB=m
-CONFIG_USB_GSPCA_SONIXJ=m
-CONFIG_USB_GSPCA_SPCA500=m
-CONFIG_USB_GSPCA_SPCA501=m
-CONFIG_USB_GSPCA_SPCA505=m
-CONFIG_USB_GSPCA_SPCA506=m
-CONFIG_USB_GSPCA_SPCA508=m
-CONFIG_USB_GSPCA_SPCA561=m
-CONFIG_USB_GSPCA_SPCA1528=m
-CONFIG_USB_GSPCA_SQ905=m
-CONFIG_USB_GSPCA_SQ905C=m
-CONFIG_USB_GSPCA_SQ930X=m
-CONFIG_USB_GSPCA_STK014=m
-CONFIG_USB_GSPCA_STK1135=m
-CONFIG_USB_GSPCA_STV0680=m
-CONFIG_USB_GSPCA_SUNPLUS=m
-CONFIG_USB_GSPCA_T613=m
-CONFIG_USB_GSPCA_TOPRO=m
-CONFIG_USB_GSPCA_TOUPTEK=m
-CONFIG_USB_GSPCA_TV8532=m
-CONFIG_USB_GSPCA_VC032X=m
-CONFIG_USB_GSPCA_VICAM=m
-CONFIG_USB_GSPCA_XIRLINK_CIT=m
-CONFIG_USB_GSPCA_ZC3XX=m
-CONFIG_USB_PWC=m
-# CONFIG_USB_PWC_DEBUG is not set
-CONFIG_USB_PWC_INPUT_EVDEV=y
-CONFIG_VIDEO_CPIA2=m
-CONFIG_USB_ZR364XX=m
-CONFIG_USB_STKWEBCAM=m
-CONFIG_USB_S2255=m
-CONFIG_VIDEO_USBTV=m
-
-#
-# Analog TV USB devices
-#
-CONFIG_VIDEO_PVRUSB2=m
-CONFIG_VIDEO_PVRUSB2_SYSFS=y
-CONFIG_VIDEO_PVRUSB2_DVB=y
-# CONFIG_VIDEO_PVRUSB2_DEBUGIFC is not set
-CONFIG_VIDEO_HDPVR=m
-CONFIG_VIDEO_USBVISION=m
-CONFIG_VIDEO_STK1160_COMMON=m
-CONFIG_VIDEO_STK1160_AC97=y
-CONFIG_VIDEO_STK1160=m
-# CONFIG_VIDEO_GO7007 is not set
-
-#
-# Analog/digital TV USB devices
-#
-CONFIG_VIDEO_AU0828=m
-CONFIG_VIDEO_AU0828_V4L2=y
-CONFIG_VIDEO_AU0828_RC=y
-CONFIG_VIDEO_CX231XX=m
-CONFIG_VIDEO_CX231XX_RC=y
-CONFIG_VIDEO_CX231XX_ALSA=m
-CONFIG_VIDEO_CX231XX_DVB=m
-CONFIG_VIDEO_TM6000=m
-CONFIG_VIDEO_TM6000_ALSA=m
-CONFIG_VIDEO_TM6000_DVB=m
-
-#
-# Digital TV USB devices
-#
-CONFIG_DVB_USB=m
-# CONFIG_DVB_USB_DEBUG is not set
-CONFIG_DVB_USB_A800=m
-CONFIG_DVB_USB_DIBUSB_MB=m
-CONFIG_DVB_USB_DIBUSB_MB_FAULTY=y
-CONFIG_DVB_USB_DIBUSB_MC=m
-CONFIG_DVB_USB_DIB0700=m
-CONFIG_DVB_USB_UMT_010=m
-CONFIG_DVB_USB_CXUSB=m
-CONFIG_DVB_USB_M920X=m
-CONFIG_DVB_USB_DIGITV=m
-CONFIG_DVB_USB_VP7045=m
-CONFIG_DVB_USB_VP702X=m
-CONFIG_DVB_USB_GP8PSK=m
-CONFIG_DVB_USB_NOVA_T_USB2=m
-CONFIG_DVB_USB_TTUSB2=m
-CONFIG_DVB_USB_DTT200U=m
-CONFIG_DVB_USB_OPERA1=m
-CONFIG_DVB_USB_AF9005=m
-CONFIG_DVB_USB_AF9005_REMOTE=m
-CONFIG_DVB_USB_PCTV452E=m
-CONFIG_DVB_USB_DW2102=m
-CONFIG_DVB_USB_CINERGY_T2=m
-CONFIG_DVB_USB_DTV5100=m
-CONFIG_DVB_USB_FRIIO=m
-CONFIG_DVB_USB_AZ6027=m
-CONFIG_DVB_USB_TECHNISAT_USB2=m
-CONFIG_DVB_USB_V2=m
-CONFIG_DVB_USB_AF9015=m
-CONFIG_DVB_USB_AF9035=m
-CONFIG_DVB_USB_ANYSEE=m
-CONFIG_DVB_USB_AU6610=m
-CONFIG_DVB_USB_AZ6007=m
-CONFIG_DVB_USB_CE6230=m
-CONFIG_DVB_USB_EC168=m
-CONFIG_DVB_USB_GL861=m
-CONFIG_DVB_USB_LME2510=m
-CONFIG_DVB_USB_MXL111SF=m
-CONFIG_DVB_USB_RTL28XXU=m
-CONFIG_DVB_USB_DVBSKY=m
-CONFIG_DVB_TTUSB_BUDGET=m
-CONFIG_DVB_TTUSB_DEC=m
-CONFIG_SMS_USB_DRV=m
-CONFIG_DVB_B2C2_FLEXCOP_USB=m
-# CONFIG_DVB_B2C2_FLEXCOP_USB_DEBUG is not set
-CONFIG_DVB_AS102=m
-
-#
-# Webcam, TV (analog/digital) USB devices
-#
-CONFIG_VIDEO_EM28XX=m
-CONFIG_VIDEO_EM28XX_V4L2=m
-CONFIG_VIDEO_EM28XX_ALSA=m
-CONFIG_VIDEO_EM28XX_DVB=m
-CONFIG_VIDEO_EM28XX_RC=m
-
-#
-# Software defined radio USB devices
-#
-CONFIG_USB_AIRSPY=m
-CONFIG_USB_HACKRF=m
-CONFIG_USB_MSI2500=m
-CONFIG_MEDIA_PCI_SUPPORT=y
-
-#
-# Media capture support
-#
-CONFIG_VIDEO_MEYE=m
-CONFIG_VIDEO_SOLO6X10=m
-CONFIG_VIDEO_TW68=m
-CONFIG_VIDEO_ZORAN=m
-CONFIG_VIDEO_ZORAN_DC30=m
-CONFIG_VIDEO_ZORAN_ZR36060=m
-CONFIG_VIDEO_ZORAN_BUZ=m
-CONFIG_VIDEO_ZORAN_DC10=m
-CONFIG_VIDEO_ZORAN_LML33=m
-CONFIG_VIDEO_ZORAN_LML33R10=m
-CONFIG_VIDEO_ZORAN_AVS6EYES=m
-
-#
-# Media capture/analog TV support
-#
-CONFIG_VIDEO_IVTV=m
-CONFIG_VIDEO_IVTV_ALSA=m
-CONFIG_VIDEO_FB_IVTV=m
-CONFIG_VIDEO_HEXIUM_GEMINI=m
-CONFIG_VIDEO_HEXIUM_ORION=m
-CONFIG_VIDEO_MXB=m
-CONFIG_VIDEO_DT3155=m
-
-#
-# Media capture/analog/hybrid TV support
-#
-CONFIG_VIDEO_CX18=m
-CONFIG_VIDEO_CX18_ALSA=m
-CONFIG_VIDEO_CX23885=m
-CONFIG_MEDIA_ALTERA_CI=m
-# CONFIG_VIDEO_CX25821 is not set
-CONFIG_VIDEO_CX88=m
-CONFIG_VIDEO_CX88_ALSA=m
-CONFIG_VIDEO_CX88_BLACKBIRD=m
-CONFIG_VIDEO_CX88_DVB=m
-CONFIG_VIDEO_CX88_ENABLE_VP3054=y
-CONFIG_VIDEO_CX88_VP3054=m
-CONFIG_VIDEO_CX88_MPEG=m
-CONFIG_VIDEO_BT848=m
-CONFIG_DVB_BT8XX=m
-CONFIG_VIDEO_SAA7134=m
-CONFIG_VIDEO_SAA7134_ALSA=m
-CONFIG_VIDEO_SAA7134_RC=y
-CONFIG_VIDEO_SAA7134_DVB=m
-CONFIG_VIDEO_SAA7164=m
-
-#
-# Media digital TV PCI Adapters
-#
-CONFIG_DVB_AV7110_IR=y
-CONFIG_DVB_AV7110=m
-CONFIG_DVB_AV7110_OSD=y
-CONFIG_DVB_BUDGET_CORE=m
-CONFIG_DVB_BUDGET=m
-CONFIG_DVB_BUDGET_CI=m
-CONFIG_DVB_BUDGET_AV=m
-CONFIG_DVB_BUDGET_PATCH=m
-CONFIG_DVB_B2C2_FLEXCOP_PCI=m
-# CONFIG_DVB_B2C2_FLEXCOP_PCI_DEBUG is not set
-CONFIG_DVB_PLUTO2=m
-CONFIG_DVB_DM1105=m
-CONFIG_DVB_PT1=m
-CONFIG_DVB_PT3=m
-CONFIG_MANTIS_CORE=m
-CONFIG_DVB_MANTIS=m
-CONFIG_DVB_HOPPER=m
-CONFIG_DVB_NGENE=m
-CONFIG_DVB_DDBRIDGE=m
-CONFIG_DVB_SMIPCIE=m
-CONFIG_DVB_NETUP_UNIDVB=m
-CONFIG_V4L_PLATFORM_DRIVERS=y
-CONFIG_VIDEO_CAFE_CCIC=m
-CONFIG_VIDEO_VIA_CAMERA=m
-# CONFIG_SOC_CAMERA is not set
-CONFIG_V4L_MEM2MEM_DRIVERS=y
-# CONFIG_VIDEO_MEM2MEM_DEINTERLACE is not set
-# CONFIG_VIDEO_SH_VEU is not set
-CONFIG_V4L_TEST_DRIVERS=y
-CONFIG_VIDEO_VIVID=m
-CONFIG_VIDEO_VIVID_MAX_DEVS=64
-# CONFIG_VIDEO_VIM2M is not set
-# CONFIG_DVB_PLATFORM_DRIVERS is not set
-
-#
-# Supported MMC/SDIO adapters
-#
-CONFIG_SMS_SDIO_DRV=m
-CONFIG_RADIO_ADAPTERS=y
-CONFIG_RADIO_TEA575X=m
-CONFIG_RADIO_SI470X=y
-CONFIG_USB_SI470X=m
-# CONFIG_I2C_SI470X is not set
-# CONFIG_RADIO_SI4713 is not set
-CONFIG_USB_MR800=m
-CONFIG_USB_DSBR=m
-CONFIG_RADIO_MAXIRADIO=m
-CONFIG_RADIO_SHARK=m
-CONFIG_RADIO_SHARK2=m
-CONFIG_USB_KEENE=m
-CONFIG_USB_RAREMONO=m
-CONFIG_USB_MA901=m
-# CONFIG_RADIO_TEA5764 is not set
-# CONFIG_RADIO_SAA7706H is not set
-# CONFIG_RADIO_TEF6862 is not set
-# CONFIG_RADIO_WL1273 is not set
-
-#
-# Texas Instruments WL128x FM driver (ST based)
-#
-
-#
-# Supported FireWire (IEEE 1394) Adapters
-#
-CONFIG_DVB_FIREDTV=m
-CONFIG_DVB_FIREDTV_INPUT=y
-CONFIG_MEDIA_COMMON_OPTIONS=y
-
-#
-# common driver options
-#
-CONFIG_VIDEO_CX2341X=m
-CONFIG_VIDEO_TVEEPROM=m
-CONFIG_CYPRESS_FIRMWARE=m
-CONFIG_DVB_B2C2_FLEXCOP=m
-CONFIG_VIDEO_SAA7146=m
-CONFIG_VIDEO_SAA7146_VV=m
-CONFIG_SMS_SIANO_MDTV=m
-CONFIG_SMS_SIANO_RC=y
-
-#
-# Media ancillary drivers (tuners, sensors, i2c, frontends)
-#
-CONFIG_MEDIA_SUBDRV_AUTOSELECT=y
-CONFIG_MEDIA_ATTACH=y
-CONFIG_VIDEO_IR_I2C=m
-
-#
-# Audio decoders, processors and mixers
-#
-CONFIG_VIDEO_TVAUDIO=m
-CONFIG_VIDEO_TDA7432=m
-CONFIG_VIDEO_TDA9840=m
-CONFIG_VIDEO_TEA6415C=m
-CONFIG_VIDEO_TEA6420=m
-CONFIG_VIDEO_MSP3400=m
-CONFIG_VIDEO_CS5345=m
-CONFIG_VIDEO_CS53L32A=m
-CONFIG_VIDEO_WM8775=m
-CONFIG_VIDEO_WM8739=m
-CONFIG_VIDEO_VP27SMPX=m
-
-#
-# RDS decoders
-#
-CONFIG_VIDEO_SAA6588=m
-
-#
-# Video decoders
-#
-CONFIG_VIDEO_BT819=m
-CONFIG_VIDEO_BT856=m
-CONFIG_VIDEO_BT866=m
-CONFIG_VIDEO_KS0127=m
-CONFIG_VIDEO_SAA7110=m
-CONFIG_VIDEO_SAA711X=m
-CONFIG_VIDEO_TVP5150=m
-CONFIG_VIDEO_VPX3220=m
-
-#
-# Video and audio decoders
-#
-CONFIG_VIDEO_SAA717X=m
-CONFIG_VIDEO_CX25840=m
-
-#
-# Video encoders
-#
-CONFIG_VIDEO_SAA7127=m
-CONFIG_VIDEO_SAA7185=m
-CONFIG_VIDEO_ADV7170=m
-CONFIG_VIDEO_ADV7175=m
-
-#
-# Camera sensor devices
-#
-CONFIG_VIDEO_OV7670=m
-CONFIG_VIDEO_MT9V011=m
-
-#
-# Flash devices
-#
-
-#
-# Video improvement chips
-#
-CONFIG_VIDEO_UPD64031A=m
-CONFIG_VIDEO_UPD64083=m
-
-#
-# Audio/Video compression chips
-#
-CONFIG_VIDEO_SAA6752HS=m
-
-#
-# Miscellaneous helper chips
-#
-CONFIG_VIDEO_M52790=m
-
-#
-# Sensors used on soc_camera driver
-#
-CONFIG_MEDIA_TUNER=m
-CONFIG_MEDIA_TUNER_SIMPLE=m
-CONFIG_MEDIA_TUNER_TDA8290=m
-CONFIG_MEDIA_TUNER_TDA827X=m
-CONFIG_MEDIA_TUNER_TDA18271=m
-CONFIG_MEDIA_TUNER_TDA9887=m
-CONFIG_MEDIA_TUNER_TEA5761=m
-CONFIG_MEDIA_TUNER_TEA5767=m
-CONFIG_MEDIA_TUNER_MSI001=m
-CONFIG_MEDIA_TUNER_MT20XX=m
-CONFIG_MEDIA_TUNER_MT2060=m
-CONFIG_MEDIA_TUNER_MT2063=m
-CONFIG_MEDIA_TUNER_MT2266=m
-CONFIG_MEDIA_TUNER_MT2131=m
-CONFIG_MEDIA_TUNER_QT1010=m
-CONFIG_MEDIA_TUNER_XC2028=m
-CONFIG_MEDIA_TUNER_XC5000=m
-CONFIG_MEDIA_TUNER_XC4000=m
-CONFIG_MEDIA_TUNER_MXL5005S=m
-CONFIG_MEDIA_TUNER_MXL5007T=m
-CONFIG_MEDIA_TUNER_MC44S803=m
-CONFIG_MEDIA_TUNER_MAX2165=m
-CONFIG_MEDIA_TUNER_TDA18218=m
-CONFIG_MEDIA_TUNER_FC0011=m
-CONFIG_MEDIA_TUNER_FC0012=m
-CONFIG_MEDIA_TUNER_FC0013=m
-CONFIG_MEDIA_TUNER_TDA18212=m
-CONFIG_MEDIA_TUNER_E4000=m
-CONFIG_MEDIA_TUNER_FC2580=m
-CONFIG_MEDIA_TUNER_M88RS6000T=m
-CONFIG_MEDIA_TUNER_TUA9001=m
-CONFIG_MEDIA_TUNER_SI2157=m
-CONFIG_MEDIA_TUNER_IT913X=m
-CONFIG_MEDIA_TUNER_R820T=m
-CONFIG_MEDIA_TUNER_MXL301RF=m
-CONFIG_MEDIA_TUNER_QM1D1C0042=m
-
-#
-# Multistandard (satellite) frontends
-#
-CONFIG_DVB_STB0899=m
-CONFIG_DVB_STB6100=m
-CONFIG_DVB_STV090x=m
-CONFIG_DVB_STV6110x=m
-CONFIG_DVB_M88DS3103=m
-
-#
-# Multistandard (cable + terrestrial) frontends
-#
-CONFIG_DVB_DRXK=m
-CONFIG_DVB_TDA18271C2DD=m
-CONFIG_DVB_SI2165=m
-
-#
-# DVB-S (satellite) frontends
-#
-CONFIG_DVB_CX24110=m
-CONFIG_DVB_CX24123=m
-CONFIG_DVB_MT312=m
-CONFIG_DVB_ZL10036=m
-CONFIG_DVB_ZL10039=m
-CONFIG_DVB_S5H1420=m
-CONFIG_DVB_STV0288=m
-CONFIG_DVB_STB6000=m
-CONFIG_DVB_STV0299=m
-CONFIG_DVB_STV6110=m
-CONFIG_DVB_STV0900=m
-CONFIG_DVB_TDA8083=m
-CONFIG_DVB_TDA10086=m
-CONFIG_DVB_TDA8261=m
-CONFIG_DVB_VES1X93=m
-CONFIG_DVB_TUNER_ITD1000=m
-CONFIG_DVB_TUNER_CX24113=m
-CONFIG_DVB_TDA826X=m
-CONFIG_DVB_TUA6100=m
-CONFIG_DVB_CX24116=m
-CONFIG_DVB_CX24117=m
-CONFIG_DVB_CX24120=m
-CONFIG_DVB_SI21XX=m
-CONFIG_DVB_TS2020=m
-CONFIG_DVB_DS3000=m
-CONFIG_DVB_MB86A16=m
-CONFIG_DVB_TDA10071=m
-
-#
-# DVB-T (terrestrial) frontends
-#
-CONFIG_DVB_SP8870=m
-CONFIG_DVB_SP887X=m
-CONFIG_DVB_CX22700=m
-CONFIG_DVB_CX22702=m
-CONFIG_DVB_DRXD=m
-CONFIG_DVB_L64781=m
-CONFIG_DVB_TDA1004X=m
-CONFIG_DVB_NXT6000=m
-CONFIG_DVB_MT352=m
-CONFIG_DVB_ZL10353=m
-CONFIG_DVB_DIB3000MB=m
-CONFIG_DVB_DIB3000MC=m
-CONFIG_DVB_DIB7000M=m
-CONFIG_DVB_DIB7000P=m
-CONFIG_DVB_TDA10048=m
-CONFIG_DVB_AF9013=m
-CONFIG_DVB_EC100=m
-CONFIG_DVB_STV0367=m
-CONFIG_DVB_CXD2820R=m
-CONFIG_DVB_CXD2841ER=m
-CONFIG_DVB_RTL2830=m
-CONFIG_DVB_RTL2832=m
-CONFIG_DVB_RTL2832_SDR=m
-CONFIG_DVB_SI2168=m
-CONFIG_DVB_AS102_FE=m
-
-#
-# DVB-C (cable) frontends
-#
-CONFIG_DVB_VES1820=m
-CONFIG_DVB_TDA10021=m
-CONFIG_DVB_TDA10023=m
-CONFIG_DVB_STV0297=m
-
-#
-# ATSC (North American/Korean Terrestrial/Cable DTV) frontends
-#
-CONFIG_DVB_NXT200X=m
-CONFIG_DVB_OR51211=m
-CONFIG_DVB_OR51132=m
-CONFIG_DVB_BCM3510=m
-CONFIG_DVB_LGDT330X=m
-CONFIG_DVB_LGDT3305=m
-CONFIG_DVB_LGDT3306A=m
-CONFIG_DVB_LG2160=m
-CONFIG_DVB_S5H1409=m
-CONFIG_DVB_AU8522=m
-CONFIG_DVB_AU8522_DTV=m
-CONFIG_DVB_AU8522_V4L=m
-CONFIG_DVB_S5H1411=m
-
-#
-# ISDB-T (terrestrial) frontends
-#
-CONFIG_DVB_S921=m
-CONFIG_DVB_DIB8000=m
-CONFIG_DVB_MB86A20S=m
-
-#
-# ISDB-S (satellite) & ISDB-T (terrestrial) frontends
-#
-CONFIG_DVB_TC90522=m
-
-#
-# Digital terrestrial only tuners/PLL
-#
-CONFIG_DVB_PLL=m
-CONFIG_DVB_TUNER_DIB0070=m
-CONFIG_DVB_TUNER_DIB0090=m
-
-#
-# SEC control devices for DVB-S
-#
-CONFIG_DVB_DRX39XYJ=m
-CONFIG_DVB_LNBH25=m
-CONFIG_DVB_LNBP21=m
-CONFIG_DVB_LNBP22=m
-CONFIG_DVB_ISL6405=m
-CONFIG_DVB_ISL6421=m
-CONFIG_DVB_ISL6423=m
-CONFIG_DVB_A8293=m
-CONFIG_DVB_SP2=m
-CONFIG_DVB_LGS8GXX=m
-CONFIG_DVB_ATBM8830=m
-CONFIG_DVB_TDA665x=m
-CONFIG_DVB_IX2505V=m
-CONFIG_DVB_M88RS2000=m
-CONFIG_DVB_AF9033=m
-CONFIG_DVB_HORUS3A=m
-CONFIG_DVB_ASCOT2E=m
-
-#
-# Tools to develop new frontends
-#
-# CONFIG_DVB_DUMMY_FE is not set
-
-#
-# Graphics support
-#
-CONFIG_AGP=y
-CONFIG_AGP_AMD64=y
-CONFIG_AGP_INTEL=y
-CONFIG_AGP_SIS=y
-CONFIG_AGP_VIA=y
-CONFIG_INTEL_GTT=y
-CONFIG_VGA_ARB=y
-CONFIG_VGA_ARB_MAX_GPUS=16
-CONFIG_VGA_SWITCHEROO=y
-CONFIG_DRM=m
-CONFIG_DRM_MIPI_DSI=y
-CONFIG_DRM_KMS_HELPER=m
-CONFIG_DRM_KMS_FB_HELPER=y
-CONFIG_DRM_FBDEV_EMULATION=y
-CONFIG_DRM_LOAD_EDID_FIRMWARE=y
-CONFIG_DRM_TTM=m
-
-#
-# I2C encoder or helper chips
-#
-# CONFIG_DRM_I2C_ADV7511 is not set
-CONFIG_DRM_I2C_CH7006=m
-CONFIG_DRM_I2C_SIL164=m
-# CONFIG_DRM_I2C_NXP_TDA998X is not set
-CONFIG_DRM_TDFX=m
-CONFIG_DRM_R128=m
-CONFIG_DRM_RADEON=m
-# CONFIG_DRM_RADEON_USERPTR is not set
-# CONFIG_DRM_RADEON_UMS is not set
-CONFIG_DRM_AMDGPU=m
-# CONFIG_DRM_AMDGPU_CIK is not set
-CONFIG_DRM_AMDGPU_USERPTR=y
-CONFIG_DRM_NOUVEAU=m
-CONFIG_NOUVEAU_DEBUG=5
-CONFIG_NOUVEAU_DEBUG_DEFAULT=3
-CONFIG_DRM_NOUVEAU_BACKLIGHT=y
-# CONFIG_DRM_I810 is not set
-CONFIG_DRM_I915=m
-# CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT is not set
-CONFIG_DRM_MGA=m
-CONFIG_DRM_SIS=m
-CONFIG_DRM_VIA=m
-CONFIG_DRM_SAVAGE=m
-CONFIG_DRM_VGEM=m
-CONFIG_DRM_VMWGFX=m
-CONFIG_DRM_VMWGFX_FBCON=y
-CONFIG_DRM_GMA500=m
-CONFIG_DRM_GMA600=y
-CONFIG_DRM_GMA3600=y
-CONFIG_DRM_UDL=m
-CONFIG_DRM_AST=m
-CONFIG_DRM_MGAG200=m
-CONFIG_DRM_CIRRUS_QEMU=m
-CONFIG_DRM_QXL=m
-CONFIG_DRM_BOCHS=m
-CONFIG_DRM_VIRTIO_GPU=m
-CONFIG_DRM_PANEL=y
-
-#
-# Display Panels
-#
-CONFIG_DRM_BRIDGE=y
-
-#
-# Display Interface Bridges
-#
-CONFIG_HSA_AMD=m
-
-#
-# Frame buffer Devices
-#
-CONFIG_FB=y
-CONFIG_FIRMWARE_EDID=y
-CONFIG_FB_CMDLINE=y
-CONFIG_FB_DDC=m
-CONFIG_FB_BOOT_VESA_SUPPORT=y
-CONFIG_FB_CFB_FILLRECT=y
-CONFIG_FB_CFB_COPYAREA=y
-CONFIG_FB_CFB_IMAGEBLIT=y
-# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set
-CONFIG_FB_SYS_FILLRECT=m
-CONFIG_FB_SYS_COPYAREA=m
-CONFIG_FB_SYS_IMAGEBLIT=m
-# CONFIG_FB_FOREIGN_ENDIAN is not set
-CONFIG_FB_SYS_FOPS=m
-CONFIG_FB_DEFERRED_IO=y
-CONFIG_FB_HECUBA=m
-CONFIG_FB_SVGALIB=m
-# CONFIG_FB_MACMODES is not set
-CONFIG_FB_BACKLIGHT=y
-CONFIG_FB_MODE_HELPERS=y
-CONFIG_FB_TILEBLITTING=y
-
-#
-# Frame buffer hardware drivers
-#
-CONFIG_FB_CIRRUS=m
-CONFIG_FB_PM2=m
-CONFIG_FB_PM2_FIFO_DISCONNECT=y
-CONFIG_FB_CYBER2000=m
-CONFIG_FB_CYBER2000_DDC=y
-CONFIG_FB_ARC=m
-# CONFIG_FB_ASILIANT is not set
-# CONFIG_FB_IMSTT is not set
-CONFIG_FB_VGA16=m
-CONFIG_FB_UVESA=m
-CONFIG_FB_VESA=y
-CONFIG_FB_EFI=y
-CONFIG_FB_N411=m
-CONFIG_FB_HGA=m
-# CONFIG_FB_OPENCORES is not set
-# CONFIG_FB_S1D13XXX is not set
-# CONFIG_FB_I740 is not set
-CONFIG_FB_LE80578=m
-CONFIG_FB_CARILLO_RANCH=m
-# CONFIG_FB_INTEL is not set
-CONFIG_FB_MATROX=m
-CONFIG_FB_MATROX_MILLENIUM=y
-CONFIG_FB_MATROX_MYSTIQUE=y
-CONFIG_FB_MATROX_G=y
-CONFIG_FB_MATROX_I2C=m
-CONFIG_FB_MATROX_MAVEN=m
-CONFIG_FB_RADEON=m
-CONFIG_FB_RADEON_I2C=y
-CONFIG_FB_RADEON_BACKLIGHT=y
-# CONFIG_FB_RADEON_DEBUG is not set
-CONFIG_FB_ATY128=m
-CONFIG_FB_ATY128_BACKLIGHT=y
-CONFIG_FB_ATY=m
-CONFIG_FB_ATY_CT=y
-# CONFIG_FB_ATY_GENERIC_LCD is not set
-CONFIG_FB_ATY_GX=y
-CONFIG_FB_ATY_BACKLIGHT=y
-CONFIG_FB_S3=m
-CONFIG_FB_S3_DDC=y
-CONFIG_FB_SAVAGE=m
-# CONFIG_FB_SAVAGE_I2C is not set
-# CONFIG_FB_SAVAGE_ACCEL is not set
-CONFIG_FB_SIS=m
-CONFIG_FB_SIS_300=y
-CONFIG_FB_SIS_315=y
-CONFIG_FB_VIA=m
-# CONFIG_FB_VIA_DIRECT_PROCFS is not set
-CONFIG_FB_VIA_X_COMPATIBILITY=y
-CONFIG_FB_NEOMAGIC=m
-CONFIG_FB_KYRO=m
-CONFIG_FB_3DFX=m
-# CONFIG_FB_3DFX_ACCEL is not set
-CONFIG_FB_3DFX_I2C=y
-CONFIG_FB_VOODOO1=m
-CONFIG_FB_VT8623=m
-CONFIG_FB_TRIDENT=m
-CONFIG_FB_ARK=m
-CONFIG_FB_PM3=m
-# CONFIG_FB_CARMINE is not set
-CONFIG_FB_SMSCUFX=m
-CONFIG_FB_UDL=m
-# CONFIG_FB_IBM_GXT4500 is not set
-CONFIG_FB_VIRTUAL=m
-# CONFIG_FB_METRONOME is not set
-CONFIG_FB_MB862XX=m
-CONFIG_FB_MB862XX_PCI_GDC=y
-CONFIG_FB_MB862XX_I2C=y
-# CONFIG_FB_BROADSHEET is not set
-# CONFIG_FB_AUO_K190X is not set
-CONFIG_FB_HYPERV=m
-CONFIG_FB_SIMPLE=y
-# CONFIG_FB_SM712 is not set
-CONFIG_BACKLIGHT_LCD_SUPPORT=y
-# CONFIG_LCD_CLASS_DEVICE is not set
-CONFIG_BACKLIGHT_CLASS_DEVICE=y
-# CONFIG_BACKLIGHT_GENERIC is not set
-CONFIG_BACKLIGHT_APPLE=m
-# CONFIG_BACKLIGHT_PM8941_WLED is not set
-# CONFIG_BACKLIGHT_SAHARA is not set
-# CONFIG_BACKLIGHT_ADP8860 is not set
-# CONFIG_BACKLIGHT_ADP8870 is not set
-# CONFIG_BACKLIGHT_LM3639 is not set
-# CONFIG_BACKLIGHT_GPIO is not set
-# CONFIG_BACKLIGHT_LV5207LP is not set
-# CONFIG_BACKLIGHT_BD6107 is not set
-CONFIG_VGASTATE=m
-CONFIG_HDMI=y
-
-#
-# Console display driver support
-#
-CONFIG_VGA_CONSOLE=y
-# CONFIG_VGACON_SOFT_SCROLLBACK is not set
-CONFIG_DUMMY_CONSOLE=y
-CONFIG_DUMMY_CONSOLE_COLUMNS=80
-CONFIG_DUMMY_CONSOLE_ROWS=25
-CONFIG_FRAMEBUFFER_CONSOLE=y
-CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
-CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
-# CONFIG_LOGO is not set
-CONFIG_SOUND=m
-CONFIG_SOUND_OSS_CORE=y
-# CONFIG_SOUND_OSS_CORE_PRECLAIM is not set
-CONFIG_SND=m
-CONFIG_SND_TIMER=m
-CONFIG_SND_PCM=m
-CONFIG_SND_HWDEP=m
-CONFIG_SND_RAWMIDI=m
-CONFIG_SND_JACK=y
-CONFIG_SND_SEQUENCER=m
-CONFIG_SND_SEQ_DUMMY=m
-CONFIG_SND_OSSEMUL=y
-CONFIG_SND_MIXER_OSS=m
-CONFIG_SND_PCM_OSS=m
-CONFIG_SND_PCM_OSS_PLUGINS=y
-CONFIG_SND_PCM_TIMER=y
-# CONFIG_SND_SEQUENCER_OSS is not set
-CONFIG_SND_HRTIMER=m
-CONFIG_SND_SEQ_HRTIMER_DEFAULT=y
-CONFIG_SND_DYNAMIC_MINORS=y
-CONFIG_SND_MAX_CARDS=32
-CONFIG_SND_SUPPORT_OLD_API=y
-CONFIG_SND_PROC_FS=y
-CONFIG_SND_VERBOSE_PROCFS=y
-# CONFIG_SND_VERBOSE_PRINTK is not set
-# CONFIG_SND_DEBUG is not set
-CONFIG_SND_VMASTER=y
-CONFIG_SND_DMA_SGBUF=y
-CONFIG_SND_RAWMIDI_SEQ=m
-CONFIG_SND_OPL3_LIB_SEQ=m
-# CONFIG_SND_OPL4_LIB_SEQ is not set
-# CONFIG_SND_SBAWE_SEQ is not set
-# CONFIG_SND_EMU10K1_SEQ is not set
-CONFIG_SND_MPU401_UART=m
-CONFIG_SND_OPL3_LIB=m
-CONFIG_SND_VX_LIB=m
-CONFIG_SND_AC97_CODEC=m
-CONFIG_SND_DRIVERS=y
-CONFIG_SND_PCSP=m
-CONFIG_SND_DUMMY=m
-CONFIG_SND_ALOOP=m
-CONFIG_SND_VIRMIDI=m
-CONFIG_SND_MTPAV=m
-CONFIG_SND_MTS64=m
-CONFIG_SND_SERIAL_U16550=m
-CONFIG_SND_MPU401=m
-CONFIG_SND_PORTMAN2X4=m
-CONFIG_SND_AC97_POWER_SAVE=y
-CONFIG_SND_AC97_POWER_SAVE_DEFAULT=0
-CONFIG_SND_SB_COMMON=m
-CONFIG_SND_PCI=y
-CONFIG_SND_AD1889=m
-CONFIG_SND_ALS4000=m
-CONFIG_SND_ASIHPI=m
-CONFIG_SND_ATIIXP=m
-CONFIG_SND_ATIIXP_MODEM=m
-CONFIG_SND_AU8810=m
-CONFIG_SND_AU8820=m
-CONFIG_SND_AU8830=m
-# CONFIG_SND_AW2 is not set
-CONFIG_SND_BT87X=m
-# CONFIG_SND_BT87X_OVERCLOCK is not set
-CONFIG_SND_CA0106=m
-CONFIG_SND_CMIPCI=m
-CONFIG_SND_OXYGEN_LIB=m
-CONFIG_SND_OXYGEN=m
-CONFIG_SND_CS4281=m
-CONFIG_SND_CS46XX=m
-CONFIG_SND_CS46XX_NEW_DSP=y
-CONFIG_SND_CTXFI=m
-CONFIG_SND_DARLA20=m
-CONFIG_SND_GINA20=m
-CONFIG_SND_LAYLA20=m
-CONFIG_SND_DARLA24=m
-CONFIG_SND_GINA24=m
-CONFIG_SND_LAYLA24=m
-CONFIG_SND_MONA=m
-CONFIG_SND_MIA=m
-CONFIG_SND_ECHO3G=m
-CONFIG_SND_INDIGO=m
-CONFIG_SND_INDIGOIO=m
-CONFIG_SND_INDIGODJ=m
-CONFIG_SND_INDIGOIOX=m
-CONFIG_SND_INDIGODJX=m
-CONFIG_SND_ENS1370=m
-CONFIG_SND_ENS1371=m
-CONFIG_SND_FM801=m
-CONFIG_SND_FM801_TEA575X_BOOL=y
-CONFIG_SND_HDSP=m
-CONFIG_SND_HDSPM=m
-CONFIG_SND_ICE1724=m
-CONFIG_SND_INTEL8X0=m
-CONFIG_SND_INTEL8X0M=m
-CONFIG_SND_KORG1212=m
-CONFIG_SND_LOLA=m
-CONFIG_SND_LX6464ES=m
-CONFIG_SND_MIXART=m
-CONFIG_SND_NM256=m
-CONFIG_SND_PCXHR=m
-CONFIG_SND_RIPTIDE=m
-CONFIG_SND_RME32=m
-CONFIG_SND_RME96=m
-CONFIG_SND_RME9652=m
-CONFIG_SND_VIA82XX=m
-CONFIG_SND_VIA82XX_MODEM=m
-CONFIG_SND_VIRTUOSO=m
-CONFIG_SND_VX222=m
-CONFIG_SND_YMFPCI=m
-
-#
-# HD-Audio
-#
-CONFIG_SND_HDA=m
-CONFIG_SND_HDA_INTEL=m
-CONFIG_SND_HDA_HWDEP=y
-CONFIG_SND_HDA_RECONFIG=y
-CONFIG_SND_HDA_INPUT_BEEP=y
-CONFIG_SND_HDA_INPUT_BEEP_MODE=1
-CONFIG_SND_HDA_PATCH_LOADER=y
-CONFIG_SND_HDA_CODEC_REALTEK=m
-CONFIG_SND_HDA_CODEC_ANALOG=m
-CONFIG_SND_HDA_CODEC_SIGMATEL=m
-CONFIG_SND_HDA_CODEC_VIA=m
-CONFIG_SND_HDA_CODEC_HDMI=m
-CONFIG_SND_HDA_CODEC_CIRRUS=m
-CONFIG_SND_HDA_CODEC_CONEXANT=m
-CONFIG_SND_HDA_CODEC_CA0110=m
-CONFIG_SND_HDA_CODEC_CA0132=m
-CONFIG_SND_HDA_CODEC_CA0132_DSP=y
-CONFIG_SND_HDA_CODEC_CMEDIA=m
-CONFIG_SND_HDA_CODEC_SI3054=m
-CONFIG_SND_HDA_GENERIC=m
-CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
-CONFIG_SND_HDA_CORE=m
-CONFIG_SND_HDA_DSP_LOADER=y
-CONFIG_SND_HDA_I915=y
-CONFIG_SND_HDA_PREALLOC_SIZE=64
-CONFIG_SND_SPI=y
-CONFIG_SND_USB=y
-CONFIG_SND_USB_AUDIO=m
-CONFIG_SND_USB_UA101=m
-CONFIG_SND_USB_USX2Y=m
-CONFIG_SND_USB_CAIAQ=m
-CONFIG_SND_USB_CAIAQ_INPUT=y
-CONFIG_SND_USB_US122L=m
-CONFIG_SND_USB_6FIRE=m
-CONFIG_SND_USB_HIFACE=m
-CONFIG_SND_BCD2000=m
-CONFIG_SND_USB_LINE6=m
-CONFIG_SND_USB_POD=m
-CONFIG_SND_USB_PODHD=m
-CONFIG_SND_USB_TONEPORT=m
-CONFIG_SND_USB_VARIAX=m
-CONFIG_SND_FIREWIRE=y
-CONFIG_SND_FIREWIRE_LIB=m
-CONFIG_SND_DICE=m
-CONFIG_SND_OXFW=m
-CONFIG_SND_ISIGHT=m
-CONFIG_SND_SCS1X=m
-CONFIG_SND_FIREWORKS=m
-CONFIG_SND_BEBOB=m
-CONFIG_SND_FIREWIRE_DIGI00X=m
-CONFIG_SND_FIREWIRE_TASCAM=m
-CONFIG_SND_PCMCIA=y
-CONFIG_SND_VXPOCKET=m
-CONFIG_SND_PDAUDIOCF=m
-CONFIG_SND_SOC=m
-# CONFIG_SND_ATMEL_SOC is not set
-# CONFIG_SND_DESIGNWARE_I2S is not set
-
-#
-# SoC Audio for Freescale CPUs
-#
-
-#
-# Common SoC Audio options for Freescale CPUs:
-#
-# CONFIG_SND_SOC_FSL_ASRC is not set
-# CONFIG_SND_SOC_FSL_SAI is not set
-# CONFIG_SND_SOC_FSL_SSI is not set
-# CONFIG_SND_SOC_FSL_SPDIF is not set
-# CONFIG_SND_SOC_FSL_ESAI is not set
-# CONFIG_SND_SOC_IMX_AUDMUX is not set
-CONFIG_SND_SOC_INTEL_SST=m
-CONFIG_SND_SOC_INTEL_SST_ACPI=m
-CONFIG_SND_SOC_INTEL_HASWELL=m
-CONFIG_SND_SOC_INTEL_BAYTRAIL=m
-CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
-CONFIG_SND_SOC_INTEL_BYT_RT5640_MACH=m
-CONFIG_SND_SOC_INTEL_BYT_MAX98090_MACH=m
-CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
-# CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH is not set
-# CONFIG_SND_SOC_INTEL_CHT_BSW_RT5672_MACH is not set
-# CONFIG_SND_SOC_INTEL_CHT_BSW_RT5645_MACH is not set
-# CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH is not set
-# CONFIG_SND_SOC_INTEL_SKL_RT286_MACH is not set
-
-#
-# Allwinner SoC Audio support
-#
-# CONFIG_SND_SUN4I_CODEC is not set
-# CONFIG_SND_SOC_XTFPGA_I2S is not set
-CONFIG_SND_SOC_I2C_AND_SPI=m
-
-#
-# CODEC drivers
-#
-# CONFIG_SND_SOC_AC97_CODEC is not set
-# CONFIG_SND_SOC_ADAU1701 is not set
-# CONFIG_SND_SOC_AK4104 is not set
-# CONFIG_SND_SOC_AK4554 is not set
-# CONFIG_SND_SOC_AK4613 is not set
-# CONFIG_SND_SOC_AK4642 is not set
-# CONFIG_SND_SOC_AK5386 is not set
-# CONFIG_SND_SOC_ALC5623 is not set
-# CONFIG_SND_SOC_CS35L32 is not set
-# CONFIG_SND_SOC_CS42L51_I2C is not set
-# CONFIG_SND_SOC_CS42L52 is not set
-# CONFIG_SND_SOC_CS42L56 is not set
-# CONFIG_SND_SOC_CS42L73 is not set
-# CONFIG_SND_SOC_CS4265 is not set
-# CONFIG_SND_SOC_CS4270 is not set
-# CONFIG_SND_SOC_CS4271_I2C is not set
-# CONFIG_SND_SOC_CS4271_SPI is not set
-# CONFIG_SND_SOC_CS42XX8_I2C is not set
-# CONFIG_SND_SOC_CS4349 is not set
-# CONFIG_SND_SOC_ES8328 is not set
-# CONFIG_SND_SOC_GTM601 is not set
-CONFIG_SND_SOC_MAX98090=m
-# CONFIG_SND_SOC_PCM1681 is not set
-# CONFIG_SND_SOC_PCM1792A is not set
-# CONFIG_SND_SOC_PCM512x_I2C is not set
-# CONFIG_SND_SOC_PCM512x_SPI is not set
-CONFIG_SND_SOC_RL6231=m
-CONFIG_SND_SOC_RL6347A=m
-CONFIG_SND_SOC_RT286=m
-# CONFIG_SND_SOC_RT5631 is not set
-CONFIG_SND_SOC_RT5640=m
-# CONFIG_SND_SOC_RT5677_SPI is not set
-# CONFIG_SND_SOC_SGTL5000 is not set
-# CONFIG_SND_SOC_SIRF_AUDIO_CODEC is not set
-# CONFIG_SND_SOC_SPDIF is not set
-# CONFIG_SND_SOC_SSM2602_SPI is not set
-# CONFIG_SND_SOC_SSM2602_I2C is not set
-# CONFIG_SND_SOC_SSM4567 is not set
-# CONFIG_SND_SOC_STA32X is not set
-# CONFIG_SND_SOC_STA350 is not set
-# CONFIG_SND_SOC_STI_SAS is not set
-# CONFIG_SND_SOC_TAS2552 is not set
-# CONFIG_SND_SOC_TAS5086 is not set
-# CONFIG_SND_SOC_TAS571X is not set
-# CONFIG_SND_SOC_TFA9879 is not set
-# CONFIG_SND_SOC_TLV320AIC23_I2C is not set
-# CONFIG_SND_SOC_TLV320AIC23_SPI is not set
-# CONFIG_SND_SOC_TLV320AIC31XX is not set
-# CONFIG_SND_SOC_TLV320AIC3X is not set
-# CONFIG_SND_SOC_TS3A227E is not set
-# CONFIG_SND_SOC_WM8510 is not set
-# CONFIG_SND_SOC_WM8523 is not set
-# CONFIG_SND_SOC_WM8580 is not set
-# CONFIG_SND_SOC_WM8711 is not set
-# CONFIG_SND_SOC_WM8728 is not set
-# CONFIG_SND_SOC_WM8731 is not set
-# CONFIG_SND_SOC_WM8737 is not set
-# CONFIG_SND_SOC_WM8741 is not set
-# CONFIG_SND_SOC_WM8750 is not set
-# CONFIG_SND_SOC_WM8753 is not set
-# CONFIG_SND_SOC_WM8770 is not set
-# CONFIG_SND_SOC_WM8776 is not set
-# CONFIG_SND_SOC_WM8804_I2C is not set
-# CONFIG_SND_SOC_WM8804_SPI is not set
-# CONFIG_SND_SOC_WM8903 is not set
-# CONFIG_SND_SOC_WM8962 is not set
-# CONFIG_SND_SOC_WM8978 is not set
-# CONFIG_SND_SOC_TPA6130A2 is not set
-# CONFIG_SND_SIMPLE_CARD is not set
-# CONFIG_SOUND_PRIME is not set
-CONFIG_AC97_BUS=m
-
-#
-# HID support
-#
-CONFIG_HID=m
-CONFIG_HID_BATTERY_STRENGTH=y
-CONFIG_HIDRAW=y
-CONFIG_UHID=m
-CONFIG_HID_GENERIC=m
-
-#
-# Special HID drivers
-#
-CONFIG_HID_A4TECH=m
-CONFIG_HID_ACRUX=m
-CONFIG_HID_ACRUX_FF=y
-CONFIG_HID_APPLE=m
-CONFIG_HID_APPLEIR=m
-CONFIG_HID_AUREAL=m
-CONFIG_HID_BELKIN=m
-CONFIG_HID_BETOP_FF=m
-CONFIG_HID_CHERRY=m
-CONFIG_HID_CHICONY=m
-CONFIG_HID_CORSAIR=m
-CONFIG_HID_PRODIKEYS=m
-CONFIG_HID_CP2112=m
-CONFIG_HID_CYPRESS=m
-CONFIG_HID_DRAGONRISE=m
-CONFIG_DRAGONRISE_FF=y
-CONFIG_HID_EMS_FF=m
-CONFIG_HID_ELECOM=m
-CONFIG_HID_ELO=m
-CONFIG_HID_EZKEY=m
-CONFIG_HID_GEMBIRD=m
-# CONFIG_HID_GFRM is not set
-CONFIG_HID_HOLTEK=m
-CONFIG_HOLTEK_FF=y
-# CONFIG_HID_GT683R is not set
-CONFIG_HID_KEYTOUCH=m
-CONFIG_HID_KYE=m
-CONFIG_HID_UCLOGIC=m
-CONFIG_HID_WALTOP=m
-CONFIG_HID_GYRATION=m
-CONFIG_HID_ICADE=m
-CONFIG_HID_TWINHAN=m
-CONFIG_HID_KENSINGTON=m
-CONFIG_HID_LCPOWER=m
-CONFIG_HID_LENOVO=m
-CONFIG_HID_LOGITECH=m
-CONFIG_HID_LOGITECH_DJ=m
-CONFIG_HID_LOGITECH_HIDPP=m
-CONFIG_LOGITECH_FF=y
-CONFIG_LOGIRUMBLEPAD2_FF=y
-CONFIG_LOGIG940_FF=y
-CONFIG_LOGIWHEELS_FF=y
-CONFIG_HID_MAGICMOUSE=m
-CONFIG_HID_MICROSOFT=m
-CONFIG_HID_MONTEREY=m
-CONFIG_HID_MULTITOUCH=m
-CONFIG_HID_NTRIG=m
-CONFIG_HID_ORTEK=m
-CONFIG_HID_PANTHERLORD=m
-CONFIG_PANTHERLORD_FF=y
-CONFIG_HID_PENMOUNT=m
-CONFIG_HID_PETALYNX=m
-CONFIG_HID_PICOLCD=m
-CONFIG_HID_PICOLCD_FB=y
-CONFIG_HID_PICOLCD_BACKLIGHT=y
-CONFIG_HID_PICOLCD_LEDS=y
-CONFIG_HID_PICOLCD_CIR=y
-CONFIG_HID_PLANTRONICS=m
-CONFIG_HID_PRIMAX=m
-CONFIG_HID_ROCCAT=m
-CONFIG_HID_SAITEK=m
-CONFIG_HID_SAMSUNG=m
-CONFIG_HID_SONY=m
-CONFIG_SONY_FF=y
-CONFIG_HID_SPEEDLINK=m
-CONFIG_HID_STEELSERIES=m
-CONFIG_HID_SUNPLUS=m
-CONFIG_HID_RMI=m
-CONFIG_HID_GREENASIA=m
-CONFIG_GREENASIA_FF=y
-CONFIG_HID_HYPERV_MOUSE=m
-CONFIG_HID_SMARTJOYPLUS=m
-CONFIG_SMARTJOYPLUS_FF=y
-CONFIG_HID_TIVO=m
-CONFIG_HID_TOPSEED=m
-CONFIG_HID_THINGM=m
-CONFIG_HID_THRUSTMASTER=m
-CONFIG_THRUSTMASTER_FF=y
-CONFIG_HID_WACOM=m
-CONFIG_HID_WIIMOTE=m
-CONFIG_HID_XINMO=m
-CONFIG_HID_ZEROPLUS=m
-CONFIG_ZEROPLUS_FF=y
-CONFIG_HID_ZYDACRON=m
-CONFIG_HID_SENSOR_HUB=m
-# CONFIG_HID_SENSOR_CUSTOM_SENSOR is not set
-
-#
-# USB HID support
-#
-CONFIG_USB_HID=m
-CONFIG_HID_PID=y
-CONFIG_USB_HIDDEV=y
-
-#
-# USB HID Boot Protocol drivers
-#
-# CONFIG_USB_KBD is not set
-# CONFIG_USB_MOUSE is not set
-
-#
-# I2C HID support
-#
-CONFIG_I2C_HID=m
-CONFIG_USB_OHCI_LITTLE_ENDIAN=y
-CONFIG_USB_SUPPORT=y
-CONFIG_USB_COMMON=m
-CONFIG_USB_ARCH_HAS_HCD=y
-CONFIG_USB=m
-CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
-
-#
-# Miscellaneous USB options
-#
-CONFIG_USB_DEFAULT_PERSIST=y
-CONFIG_USB_DYNAMIC_MINORS=y
-# CONFIG_USB_OTG is not set
-# CONFIG_USB_OTG_WHITELIST is not set
-# CONFIG_USB_OTG_BLACKLIST_HUB is not set
-# CONFIG_USB_ULPI_BUS is not set
-CONFIG_USB_MON=m
-CONFIG_USB_WUSB=m
-CONFIG_USB_WUSB_CBAF=m
-# CONFIG_USB_WUSB_CBAF_DEBUG is not set
-
-#
-# USB Host Controller Drivers
-#
-# CONFIG_USB_C67X00_HCD is not set
-CONFIG_USB_XHCI_HCD=m
-CONFIG_USB_XHCI_PCI=m
-# CONFIG_USB_XHCI_PLATFORM is not set
-CONFIG_USB_EHCI_HCD=m
-CONFIG_USB_EHCI_ROOT_HUB_TT=y
-CONFIG_USB_EHCI_TT_NEWSCHED=y
-CONFIG_USB_EHCI_PCI=m
-# CONFIG_USB_EHCI_HCD_PLATFORM is not set
-# CONFIG_USB_OXU210HP_HCD is not set
-# CONFIG_USB_ISP116X_HCD is not set
-# CONFIG_USB_ISP1362_HCD is not set
-# CONFIG_USB_FOTG210_HCD is not set
-# CONFIG_USB_MAX3421_HCD is not set
-CONFIG_USB_OHCI_HCD=m
-CONFIG_USB_OHCI_HCD_PCI=m
-# CONFIG_USB_OHCI_HCD_SSB is not set
-# CONFIG_USB_OHCI_HCD_PLATFORM is not set
-CONFIG_USB_UHCI_HCD=m
-CONFIG_USB_U132_HCD=m
-CONFIG_USB_SL811_HCD=m
-# CONFIG_USB_SL811_HCD_ISO is not set
-CONFIG_USB_SL811_CS=m
-# CONFIG_USB_R8A66597_HCD is not set
-CONFIG_USB_WHCI_HCD=m
-CONFIG_USB_HWA_HCD=m
-# CONFIG_USB_HCD_BCMA is not set
-# CONFIG_USB_HCD_SSB is not set
-# CONFIG_USB_HCD_TEST_MODE is not set
-
-#
-# USB Device Class drivers
-#
-CONFIG_USB_ACM=m
-CONFIG_USB_PRINTER=m
-CONFIG_USB_WDM=m
-CONFIG_USB_TMC=m
-
-#
-# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
-#
-
-#
-# also be needed; see USB_STORAGE Help for more info
-#
-CONFIG_USB_STORAGE=m
-# CONFIG_USB_STORAGE_DEBUG is not set
-CONFIG_USB_STORAGE_REALTEK=m
-CONFIG_REALTEK_AUTOPM=y
-CONFIG_USB_STORAGE_DATAFAB=m
-CONFIG_USB_STORAGE_FREECOM=m
-CONFIG_USB_STORAGE_ISD200=m
-CONFIG_USB_STORAGE_USBAT=m
-CONFIG_USB_STORAGE_SDDR09=m
-CONFIG_USB_STORAGE_SDDR55=m
-CONFIG_USB_STORAGE_JUMPSHOT=m
-CONFIG_USB_STORAGE_ALAUDA=m
-CONFIG_USB_STORAGE_ONETOUCH=m
-CONFIG_USB_STORAGE_KARMA=m
-CONFIG_USB_STORAGE_CYPRESS_ATACB=m
-CONFIG_USB_STORAGE_ENE_UB6250=m
-CONFIG_USB_UAS=m
-
-#
-# USB Imaging devices
-#
-CONFIG_USB_MDC800=m
-CONFIG_USB_MICROTEK=m
-CONFIG_USBIP_CORE=m
-CONFIG_USBIP_VHCI_HCD=m
-CONFIG_USBIP_HOST=m
-# CONFIG_USBIP_DEBUG is not set
-# CONFIG_USB_MUSB_HDRC is not set
-# CONFIG_USB_DWC3 is not set
-# CONFIG_USB_DWC2 is not set
-# CONFIG_USB_CHIPIDEA is not set
-# CONFIG_USB_ISP1760 is not set
-
-#
-# USB port drivers
-#
-CONFIG_USB_USS720=m
-CONFIG_USB_SERIAL=m
-CONFIG_USB_SERIAL_GENERIC=y
-CONFIG_USB_SERIAL_SIMPLE=m
-CONFIG_USB_SERIAL_AIRCABLE=m
-CONFIG_USB_SERIAL_ARK3116=m
-CONFIG_USB_SERIAL_BELKIN=m
-CONFIG_USB_SERIAL_CH341=m
-CONFIG_USB_SERIAL_WHITEHEAT=m
-CONFIG_USB_SERIAL_DIGI_ACCELEPORT=m
-CONFIG_USB_SERIAL_CP210X=m
-CONFIG_USB_SERIAL_CYPRESS_M8=m
-CONFIG_USB_SERIAL_EMPEG=m
-CONFIG_USB_SERIAL_FTDI_SIO=m
-CONFIG_USB_SERIAL_VISOR=m
-CONFIG_USB_SERIAL_IPAQ=m
-CONFIG_USB_SERIAL_IR=m
-CONFIG_USB_SERIAL_EDGEPORT=m
-CONFIG_USB_SERIAL_EDGEPORT_TI=m
-CONFIG_USB_SERIAL_F81232=m
-CONFIG_USB_SERIAL_GARMIN=m
-CONFIG_USB_SERIAL_IPW=m
-CONFIG_USB_SERIAL_IUU=m
-CONFIG_USB_SERIAL_KEYSPAN_PDA=m
-CONFIG_USB_SERIAL_KEYSPAN=m
-CONFIG_USB_SERIAL_KLSI=m
-CONFIG_USB_SERIAL_KOBIL_SCT=m
-CONFIG_USB_SERIAL_MCT_U232=m
-CONFIG_USB_SERIAL_METRO=m
-CONFIG_USB_SERIAL_MOS7720=m
-CONFIG_USB_SERIAL_MOS7715_PARPORT=y
-CONFIG_USB_SERIAL_MOS7840=m
-CONFIG_USB_SERIAL_MXUPORT=m
-CONFIG_USB_SERIAL_NAVMAN=m
-CONFIG_USB_SERIAL_PL2303=m
-CONFIG_USB_SERIAL_OTI6858=m
-CONFIG_USB_SERIAL_QCAUX=m
-CONFIG_USB_SERIAL_QUALCOMM=m
-CONFIG_USB_SERIAL_SPCP8X5=m
-CONFIG_USB_SERIAL_SAFE=m
-# CONFIG_USB_SERIAL_SAFE_PADDED is not set
-CONFIG_USB_SERIAL_SIERRAWIRELESS=m
-CONFIG_USB_SERIAL_SYMBOL=m
-CONFIG_USB_SERIAL_TI=m
-CONFIG_USB_SERIAL_CYBERJACK=m
-CONFIG_USB_SERIAL_XIRCOM=m
-CONFIG_USB_SERIAL_WWAN=m
-CONFIG_USB_SERIAL_OPTION=m
-CONFIG_USB_SERIAL_OMNINET=m
-CONFIG_USB_SERIAL_OPTICON=m
-CONFIG_USB_SERIAL_XSENS_MT=m
-CONFIG_USB_SERIAL_WISHBONE=m
-CONFIG_USB_SERIAL_SSU100=m
-CONFIG_USB_SERIAL_QT2=m
-CONFIG_USB_SERIAL_DEBUG=m
-
-#
-# USB Miscellaneous drivers
-#
-CONFIG_USB_EMI62=m
-CONFIG_USB_EMI26=m
-CONFIG_USB_ADUTUX=m
-CONFIG_USB_SEVSEG=m
-CONFIG_USB_RIO500=m
-CONFIG_USB_LEGOTOWER=m
-CONFIG_USB_LCD=m
-CONFIG_USB_LED=m
-CONFIG_USB_CYPRESS_CY7C63=m
-CONFIG_USB_CYTHERM=m
-CONFIG_USB_IDMOUSE=m
-CONFIG_USB_FTDI_ELAN=m
-CONFIG_USB_APPLEDISPLAY=m
-CONFIG_USB_SISUSBVGA=m
-CONFIG_USB_SISUSBVGA_CON=y
-CONFIG_USB_LD=m
-CONFIG_USB_TRANCEVIBRATOR=m
-CONFIG_USB_IOWARRIOR=m
-CONFIG_USB_TEST=m
-CONFIG_USB_EHSET_TEST_FIXTURE=m
-CONFIG_USB_ISIGHTFW=m
-CONFIG_USB_YUREX=m
-CONFIG_USB_EZUSB_FX2=m
-# CONFIG_USB_HSIC_USB3503 is not set
-# CONFIG_USB_LINK_LAYER_TEST is not set
-CONFIG_USB_CHAOSKEY=m
-CONFIG_USB_ATM=m
-CONFIG_USB_SPEEDTOUCH=m
-CONFIG_USB_CXACRU=m
-CONFIG_USB_UEAGLEATM=m
-CONFIG_USB_XUSBATM=m
-
-#
-# USB Physical Layer drivers
-#
-# CONFIG_USB_PHY is not set
-# CONFIG_NOP_USB_XCEIV is not set
-# CONFIG_USB_GPIO_VBUS is not set
-# CONFIG_USB_ISP1301 is not set
-CONFIG_USB_GADGET=m
-# CONFIG_USB_GADGET_DEBUG is not set
-# CONFIG_USB_GADGET_DEBUG_FILES is not set
-CONFIG_USB_GADGET_VBUS_DRAW=2
-CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2
-
-#
-# USB Peripheral Controller
-#
-# CONFIG_USB_FOTG210_UDC is not set
-# CONFIG_USB_GR_UDC is not set
-# CONFIG_USB_R8A66597 is not set
-# CONFIG_USB_PXA27X is not set
-# CONFIG_USB_MV_UDC is not set
-# CONFIG_USB_MV_U3D is not set
-# CONFIG_USB_M66592 is not set
-# CONFIG_USB_BDC_UDC is not set
-# CONFIG_USB_AMD5536UDC is not set
-# CONFIG_USB_NET2272 is not set
-CONFIG_USB_NET2280=m
-# CONFIG_USB_GOKU is not set
-CONFIG_USB_EG20T=m
-# CONFIG_USB_DUMMY_HCD is not set
-# CONFIG_USB_CONFIGFS is not set
-# CONFIG_USB_ZERO is not set
-# CONFIG_USB_AUDIO is not set
-# CONFIG_USB_ETH is not set
-# CONFIG_USB_G_NCM is not set
-# CONFIG_USB_GADGETFS is not set
-# CONFIG_USB_FUNCTIONFS is not set
-# CONFIG_USB_MASS_STORAGE is not set
-# CONFIG_USB_GADGET_TARGET is not set
-# CONFIG_USB_G_SERIAL is not set
-# CONFIG_USB_MIDI_GADGET is not set
-# CONFIG_USB_G_PRINTER is not set
-# CONFIG_USB_CDC_COMPOSITE is not set
-# CONFIG_USB_G_NOKIA is not set
-# CONFIG_USB_G_ACM_MS is not set
-# CONFIG_USB_G_MULTI is not set
-# CONFIG_USB_G_HID is not set
-# CONFIG_USB_G_DBGP is not set
-# CONFIG_USB_G_WEBCAM is not set
-CONFIG_USB_LED_TRIG=y
-CONFIG_UWB=m
-CONFIG_UWB_HWA=m
-CONFIG_UWB_WHCI=m
-CONFIG_UWB_I1480U=m
-CONFIG_MMC=m
-# CONFIG_MMC_DEBUG is not set
-
-#
-# MMC/SD/SDIO Card Drivers
-#
-CONFIG_MMC_BLOCK=m
-CONFIG_MMC_BLOCK_MINORS=256
-CONFIG_MMC_BLOCK_BOUNCE=y
-CONFIG_SDIO_UART=m
-# CONFIG_MMC_TEST is not set
-
-#
-# MMC/SD/SDIO Host Controller Drivers
-#
-CONFIG_MMC_SDHCI=m
-CONFIG_MMC_SDHCI_PCI=m
-CONFIG_MMC_RICOH_MMC=y
-CONFIG_MMC_SDHCI_ACPI=m
-# CONFIG_MMC_SDHCI_PLTFM is not set
-CONFIG_MMC_WBSD=m
-CONFIG_MMC_TIFM_SD=m
-# CONFIG_MMC_SPI is not set
-CONFIG_MMC_SDRICOH_CS=m
-CONFIG_MMC_CB710=m
-CONFIG_MMC_VIA_SDMMC=m
-CONFIG_MMC_VUB300=m
-CONFIG_MMC_USHC=m
-# CONFIG_MMC_USDHI6ROL0 is not set
-CONFIG_MMC_REALTEK_PCI=m
-CONFIG_MMC_REALTEK_USB=m
-CONFIG_MMC_TOSHIBA_PCI=m
-# CONFIG_MMC_MTK is not set
-CONFIG_MEMSTICK=m
-# CONFIG_MEMSTICK_DEBUG is not set
-
-#
-# MemoryStick drivers
-#
-# CONFIG_MEMSTICK_UNSAFE_RESUME is not set
-CONFIG_MSPRO_BLOCK=m
-# CONFIG_MS_BLOCK is not set
-
-#
-# MemoryStick Host Controller Drivers
-#
-CONFIG_MEMSTICK_TIFM_MS=m
-CONFIG_MEMSTICK_JMICRON_38X=m
-CONFIG_MEMSTICK_R592=m
-CONFIG_MEMSTICK_REALTEK_PCI=m
-CONFIG_MEMSTICK_REALTEK_USB=m
-CONFIG_NEW_LEDS=y
-CONFIG_LEDS_CLASS=y
-# CONFIG_LEDS_CLASS_FLASH is not set
-
-#
-# LED drivers
-#
-# CONFIG_LEDS_LM3530 is not set
-# CONFIG_LEDS_LM3642 is not set
-# CONFIG_LEDS_PCA9532 is not set
-# CONFIG_LEDS_GPIO is not set
-CONFIG_LEDS_LP3944=m
-# CONFIG_LEDS_LP5521 is not set
-# CONFIG_LEDS_LP5523 is not set
-# CONFIG_LEDS_LP5562 is not set
-# CONFIG_LEDS_LP8501 is not set
-# CONFIG_LEDS_LP8860 is not set
-CONFIG_LEDS_CLEVO_MAIL=m
-CONFIG_LEDS_PCA955X=m
-# CONFIG_LEDS_PCA963X is not set
-CONFIG_LEDS_DAC124S085=m
-CONFIG_LEDS_BD2802=m
-CONFIG_LEDS_INTEL_SS4200=m
-CONFIG_LEDS_LT3593=m
-CONFIG_LEDS_DELL_NETBOOKS=m
-# CONFIG_LEDS_TCA6507 is not set
-# CONFIG_LEDS_TLC591XX is not set
-# CONFIG_LEDS_LM355x is not set
-CONFIG_LEDS_MENF21BMC=m
-
-#
-# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM)
-#
-# CONFIG_LEDS_BLINKM is not set
-
-#
-# LED Triggers
-#
-CONFIG_LEDS_TRIGGERS=y
-CONFIG_LEDS_TRIGGER_TIMER=m
-CONFIG_LEDS_TRIGGER_ONESHOT=m
-CONFIG_LEDS_TRIGGER_HEARTBEAT=m
-CONFIG_LEDS_TRIGGER_BACKLIGHT=m
-CONFIG_LEDS_TRIGGER_CPU=y
-CONFIG_LEDS_TRIGGER_GPIO=m
-CONFIG_LEDS_TRIGGER_DEFAULT_ON=m
-
-#
-# iptables trigger is under Netfilter config (LED target)
-#
-CONFIG_LEDS_TRIGGER_TRANSIENT=m
-CONFIG_LEDS_TRIGGER_CAMERA=m
-CONFIG_ACCESSIBILITY=y
-CONFIG_A11Y_BRAILLE_CONSOLE=y
-CONFIG_INFINIBAND=m
-CONFIG_INFINIBAND_USER_MAD=m
-CONFIG_INFINIBAND_USER_ACCESS=m
-CONFIG_INFINIBAND_USER_MEM=y
-CONFIG_INFINIBAND_ON_DEMAND_PAGING=y
-CONFIG_INFINIBAND_ADDR_TRANS=y
-CONFIG_INFINIBAND_MTHCA=m
-CONFIG_INFINIBAND_MTHCA_DEBUG=y
-CONFIG_INFINIBAND_QIB=m
-CONFIG_INFINIBAND_QIB_DCA=y
-CONFIG_INFINIBAND_CXGB3=m
-# CONFIG_INFINIBAND_CXGB3_DEBUG is not set
-CONFIG_INFINIBAND_CXGB4=m
-CONFIG_MLX4_INFINIBAND=m
-CONFIG_MLX5_INFINIBAND=m
-CONFIG_INFINIBAND_NES=m
-# CONFIG_INFINIBAND_NES_DEBUG is not set
-CONFIG_INFINIBAND_OCRDMA=m
-CONFIG_INFINIBAND_USNIC=m
-CONFIG_INFINIBAND_IPOIB=m
-CONFIG_INFINIBAND_IPOIB_CM=y
-CONFIG_INFINIBAND_IPOIB_DEBUG=y
-# CONFIG_INFINIBAND_IPOIB_DEBUG_DATA is not set
-CONFIG_INFINIBAND_SRP=m
-CONFIG_INFINIBAND_SRPT=m
-CONFIG_INFINIBAND_ISER=m
-CONFIG_INFINIBAND_ISERT=m
-CONFIG_EDAC_ATOMIC_SCRUB=y
-CONFIG_EDAC_SUPPORT=y
-CONFIG_EDAC=y
-CONFIG_EDAC_LEGACY_SYSFS=y
-# CONFIG_EDAC_DEBUG is not set
-CONFIG_EDAC_DECODE_MCE=m
-CONFIG_EDAC_MM_EDAC=m
-CONFIG_EDAC_AMD64=m
-# CONFIG_EDAC_AMD64_ERROR_INJECTION is not set
-CONFIG_EDAC_E752X=m
-CONFIG_EDAC_I82975X=m
-CONFIG_EDAC_I3000=m
-CONFIG_EDAC_I3200=m
-CONFIG_EDAC_IE31200=m
-CONFIG_EDAC_X38=m
-CONFIG_EDAC_I5400=m
-CONFIG_EDAC_I7CORE=m
-CONFIG_EDAC_I5000=m
-CONFIG_EDAC_I5100=m
-CONFIG_EDAC_I7300=m
-CONFIG_EDAC_SBRIDGE=m
-CONFIG_RTC_LIB=y
-CONFIG_RTC_CLASS=y
-CONFIG_RTC_HCTOSYS=y
-CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
-CONFIG_RTC_SYSTOHC=y
-CONFIG_RTC_SYSTOHC_DEVICE="rtc0"
-# CONFIG_RTC_DEBUG is not set
-
-#
-# RTC interfaces
-#
-CONFIG_RTC_INTF_SYSFS=y
-CONFIG_RTC_INTF_PROC=y
-CONFIG_RTC_INTF_DEV=y
-# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set
-# CONFIG_RTC_DRV_TEST is not set
-
-#
-# I2C RTC drivers
-#
-# CONFIG_RTC_DRV_ABB5ZES3 is not set
-# CONFIG_RTC_DRV_ABX80X is not set
-# CONFIG_RTC_DRV_DS1307 is not set
-# CONFIG_RTC_DRV_DS1374 is not set
-# CONFIG_RTC_DRV_DS1672 is not set
-# CONFIG_RTC_DRV_DS3232 is not set
-# CONFIG_RTC_DRV_MAX6900 is not set
-# CONFIG_RTC_DRV_RS5C372 is not set
-# CONFIG_RTC_DRV_ISL1208 is not set
-# CONFIG_RTC_DRV_ISL12022 is not set
-# CONFIG_RTC_DRV_ISL12057 is not set
-# CONFIG_RTC_DRV_X1205 is not set
-# CONFIG_RTC_DRV_PCF2127 is not set
-# CONFIG_RTC_DRV_PCF8523 is not set
-# CONFIG_RTC_DRV_PCF8563 is not set
-# CONFIG_RTC_DRV_PCF85063 is not set
-# CONFIG_RTC_DRV_PCF8583 is not set
-# CONFIG_RTC_DRV_M41T80 is not set
-# CONFIG_RTC_DRV_BQ32K is not set
-# CONFIG_RTC_DRV_S35390A is not set
-# CONFIG_RTC_DRV_FM3130 is not set
-# CONFIG_RTC_DRV_RX8581 is not set
-# CONFIG_RTC_DRV_RX8025 is not set
-# CONFIG_RTC_DRV_EM3027 is not set
-# CONFIG_RTC_DRV_RV3029C2 is not set
-# CONFIG_RTC_DRV_RV8803 is not set
-
-#
-# SPI RTC drivers
-#
-# CONFIG_RTC_DRV_M41T93 is not set
-# CONFIG_RTC_DRV_M41T94 is not set
-# CONFIG_RTC_DRV_DS1305 is not set
-# CONFIG_RTC_DRV_DS1343 is not set
-# CONFIG_RTC_DRV_DS1347 is not set
-# CONFIG_RTC_DRV_DS1390 is not set
-# CONFIG_RTC_DRV_MAX6902 is not set
-# CONFIG_RTC_DRV_R9701 is not set
-# CONFIG_RTC_DRV_RS5C348 is not set
-# CONFIG_RTC_DRV_DS3234 is not set
-# CONFIG_RTC_DRV_PCF2123 is not set
-# CONFIG_RTC_DRV_RX4581 is not set
-# CONFIG_RTC_DRV_MCP795 is not set
-
-#
-# Platform RTC drivers
-#
-CONFIG_RTC_DRV_CMOS=y
-# CONFIG_RTC_DRV_DS1286 is not set
-# CONFIG_RTC_DRV_DS1511 is not set
-# CONFIG_RTC_DRV_DS1553 is not set
-# CONFIG_RTC_DRV_DS1685_FAMILY is not set
-# CONFIG_RTC_DRV_DS1742 is not set
-# CONFIG_RTC_DRV_DS2404 is not set
-# CONFIG_RTC_DRV_STK17TA8 is not set
-# CONFIG_RTC_DRV_M48T86 is not set
-# CONFIG_RTC_DRV_M48T35 is not set
-# CONFIG_RTC_DRV_M48T59 is not set
-# CONFIG_RTC_DRV_MSM6242 is not set
-# CONFIG_RTC_DRV_BQ4802 is not set
-# CONFIG_RTC_DRV_RP5C01 is not set
-# CONFIG_RTC_DRV_V3020 is not set
-
-#
-# on-CPU RTC drivers
-#
-
-#
-# HID Sensor RTC drivers
-#
-# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set
-CONFIG_DMADEVICES=y
-# CONFIG_DMADEVICES_DEBUG is not set
-
-#
-# DMA Devices
-#
-CONFIG_DMA_ENGINE=y
-CONFIG_DMA_VIRTUAL_CHANNELS=m
-CONFIG_DMA_ACPI=y
-CONFIG_INTEL_IDMA64=m
-CONFIG_INTEL_IOATDMA=m
-CONFIG_INTEL_MIC_X100_DMA=m
-CONFIG_DW_DMAC_CORE=m
-CONFIG_DW_DMAC=m
-# CONFIG_DW_DMAC_PCI is not set
-
-#
-# DMA Clients
-#
-CONFIG_ASYNC_TX_DMA=y
-# CONFIG_DMATEST is not set
-CONFIG_DMA_ENGINE_RAID=y
-CONFIG_DCA=m
-# CONFIG_AUXDISPLAY is not set
-CONFIG_UIO=m
-CONFIG_UIO_CIF=m
-# CONFIG_UIO_PDRV_GENIRQ is not set
-# CONFIG_UIO_DMEM_GENIRQ is not set
-CONFIG_UIO_AEC=m
-CONFIG_UIO_SERCOS3=m
-CONFIG_UIO_PCI_GENERIC=m
-CONFIG_UIO_NETX=m
-# CONFIG_UIO_PRUSS is not set
-CONFIG_UIO_MF624=m
-CONFIG_VFIO_IOMMU_TYPE1=m
-CONFIG_VFIO_VIRQFD=m
-CONFIG_VFIO=m
-CONFIG_VFIO_PCI=m
-CONFIG_VFIO_PCI_VGA=y
-CONFIG_VFIO_PCI_MMAP=y
-CONFIG_VFIO_PCI_INTX=y
-CONFIG_IRQ_BYPASS_MANAGER=m
-CONFIG_VIRT_DRIVERS=y
-CONFIG_VIRTIO=m
-
-#
-# Virtio drivers
-#
-CONFIG_VIRTIO_PCI=m
-CONFIG_VIRTIO_PCI_LEGACY=y
-CONFIG_VIRTIO_BALLOON=m
-CONFIG_VIRTIO_INPUT=m
-# CONFIG_VIRTIO_MMIO is not set
-
-#
-# Microsoft Hyper-V guest support
-#
-CONFIG_HYPERV=m
-CONFIG_HYPERV_UTILS=m
-CONFIG_HYPERV_BALLOON=m
-CONFIG_STAGING=y
-# CONFIG_SLICOSS is not set
-CONFIG_PRISM2_USB=m
-CONFIG_COMEDI=m
-# CONFIG_COMEDI_DEBUG is not set
-CONFIG_COMEDI_DEFAULT_BUF_SIZE_KB=2048
-CONFIG_COMEDI_DEFAULT_BUF_MAXSIZE_KB=20480
-CONFIG_COMEDI_MISC_DRIVERS=y
-CONFIG_COMEDI_BOND=m
-CONFIG_COMEDI_TEST=m
-CONFIG_COMEDI_PARPORT=m
-CONFIG_COMEDI_SERIAL2002=m
-# CONFIG_COMEDI_ISA_DRIVERS is not set
-CONFIG_COMEDI_PCI_DRIVERS=m
-CONFIG_COMEDI_8255_PCI=m
-CONFIG_COMEDI_ADDI_WATCHDOG=m
-CONFIG_COMEDI_ADDI_APCI_1032=m
-CONFIG_COMEDI_ADDI_APCI_1500=m
-CONFIG_COMEDI_ADDI_APCI_1516=m
-CONFIG_COMEDI_ADDI_APCI_1564=m
-CONFIG_COMEDI_ADDI_APCI_16XX=m
-CONFIG_COMEDI_ADDI_APCI_2032=m
-CONFIG_COMEDI_ADDI_APCI_2200=m
-CONFIG_COMEDI_ADDI_APCI_3120=m
-CONFIG_COMEDI_ADDI_APCI_3501=m
-CONFIG_COMEDI_ADDI_APCI_3XXX=m
-CONFIG_COMEDI_ADL_PCI6208=m
-CONFIG_COMEDI_ADL_PCI7X3X=m
-CONFIG_COMEDI_ADL_PCI8164=m
-CONFIG_COMEDI_ADL_PCI9111=m
-CONFIG_COMEDI_ADL_PCI9118=m
-CONFIG_COMEDI_ADV_PCI1710=m
-CONFIG_COMEDI_ADV_PCI1723=m
-CONFIG_COMEDI_ADV_PCI1724=m
-CONFIG_COMEDI_ADV_PCI_DIO=m
-CONFIG_COMEDI_AMPLC_DIO200_PCI=m
-CONFIG_COMEDI_AMPLC_PC236_PCI=m
-CONFIG_COMEDI_AMPLC_PC263_PCI=m
-CONFIG_COMEDI_AMPLC_PCI224=m
-CONFIG_COMEDI_AMPLC_PCI230=m
-CONFIG_COMEDI_CONTEC_PCI_DIO=m
-CONFIG_COMEDI_DAS08_PCI=m
-CONFIG_COMEDI_DT3000=m
-CONFIG_COMEDI_DYNA_PCI10XX=m
-CONFIG_COMEDI_GSC_HPDI=m
-CONFIG_COMEDI_MF6X4=m
-CONFIG_COMEDI_ICP_MULTI=m
-CONFIG_COMEDI_DAQBOARD2000=m
-CONFIG_COMEDI_JR3_PCI=m
-CONFIG_COMEDI_KE_COUNTER=m
-CONFIG_COMEDI_CB_PCIDAS64=m
-CONFIG_COMEDI_CB_PCIDAS=m
-CONFIG_COMEDI_CB_PCIDDA=m
-CONFIG_COMEDI_CB_PCIMDAS=m
-CONFIG_COMEDI_CB_PCIMDDA=m
-CONFIG_COMEDI_ME4000=m
-CONFIG_COMEDI_ME_DAQ=m
-CONFIG_COMEDI_NI_6527=m
-CONFIG_COMEDI_NI_65XX=m
-CONFIG_COMEDI_NI_660X=m
-CONFIG_COMEDI_NI_670X=m
-CONFIG_COMEDI_NI_LABPC_PCI=m
-CONFIG_COMEDI_NI_PCIDIO=m
-CONFIG_COMEDI_NI_PCIMIO=m
-CONFIG_COMEDI_RTD520=m
-CONFIG_COMEDI_S626=m
-CONFIG_COMEDI_MITE=m
-CONFIG_COMEDI_NI_TIOCMD=m
-CONFIG_COMEDI_PCMCIA_DRIVERS=m
-CONFIG_COMEDI_CB_DAS16_CS=m
-CONFIG_COMEDI_DAS08_CS=m
-CONFIG_COMEDI_NI_DAQ_700_CS=m
-CONFIG_COMEDI_NI_DAQ_DIO24_CS=m
-CONFIG_COMEDI_NI_LABPC_CS=m
-CONFIG_COMEDI_NI_MIO_CS=m
-CONFIG_COMEDI_QUATECH_DAQP_CS=m
-CONFIG_COMEDI_USB_DRIVERS=m
-CONFIG_COMEDI_DT9812=m
-CONFIG_COMEDI_NI_USB6501=m
-CONFIG_COMEDI_USBDUX=m
-CONFIG_COMEDI_USBDUXFAST=m
-CONFIG_COMEDI_USBDUXSIGMA=m
-CONFIG_COMEDI_VMK80XX=m
-CONFIG_COMEDI_8254=m
-CONFIG_COMEDI_8255=m
-CONFIG_COMEDI_8255_SA=m
-CONFIG_COMEDI_KCOMEDILIB=m
-CONFIG_COMEDI_AMPLC_DIO200=m
-CONFIG_COMEDI_AMPLC_PC236=m
-CONFIG_COMEDI_DAS08=m
-CONFIG_COMEDI_NI_LABPC=m
-CONFIG_COMEDI_NI_TIO=m
-# CONFIG_PANEL is not set
-CONFIG_RTL8192U=m
-CONFIG_RTLLIB=m
-CONFIG_RTLLIB_CRYPTO_CCMP=m
-CONFIG_RTLLIB_CRYPTO_TKIP=m
-CONFIG_RTLLIB_CRYPTO_WEP=m
-CONFIG_RTL8192E=m
-CONFIG_R8712U=m
-CONFIG_R8188EU=m
-CONFIG_88EU_AP_MODE=y
-CONFIG_R8723AU=m
-CONFIG_8723AU_AP_MODE=y
-CONFIG_8723AU_BT_COEXIST=y
-CONFIG_RTS5208=m
-# CONFIG_VT6655 is not set
-CONFIG_VT6656=m
-
-#
-# IIO staging drivers
-#
-
-#
-# Accelerometers
-#
-# CONFIG_ADIS16201 is not set
-# CONFIG_ADIS16203 is not set
-# CONFIG_ADIS16204 is not set
-# CONFIG_ADIS16209 is not set
-# CONFIG_ADIS16220 is not set
-# CONFIG_ADIS16240 is not set
-# CONFIG_LIS3L02DQ is not set
-# CONFIG_SCA3000 is not set
-
-#
-# Analog to digital converters
-#
-# CONFIG_AD7606 is not set
-# CONFIG_AD7780 is not set
-# CONFIG_AD7816 is not set
-# CONFIG_AD7192 is not set
-# CONFIG_AD7280 is not set
-
-#
-# Analog digital bi-direction converters
-#
-# CONFIG_ADT7316 is not set
-
-#
-# Capacitance to digital converters
-#
-# CONFIG_AD7150 is not set
-# CONFIG_AD7152 is not set
-# CONFIG_AD7746 is not set
-
-#
-# Direct Digital Synthesis
-#
-# CONFIG_AD9832 is not set
-# CONFIG_AD9834 is not set
-
-#
-# Digital gyroscope sensors
-#
-# CONFIG_ADIS16060 is not set
-
-#
-# Network Analyzer, Impedance Converters
-#
-# CONFIG_AD5933 is not set
-
-#
-# Light sensors
-#
-CONFIG_SENSORS_ISL29018=m
-# CONFIG_SENSORS_ISL29028 is not set
-CONFIG_TSL2583=m
-# CONFIG_TSL2x7x is not set
-
-#
-# Magnetometer sensors
-#
-# CONFIG_SENSORS_HMC5843_I2C is not set
-# CONFIG_SENSORS_HMC5843_SPI is not set
-
-#
-# Active energy metering IC
-#
-# CONFIG_ADE7753 is not set
-# CONFIG_ADE7754 is not set
-# CONFIG_ADE7758 is not set
-# CONFIG_ADE7759 is not set
-# CONFIG_ADE7854 is not set
-
-#
-# Resolver to digital converters
-#
-# CONFIG_AD2S90 is not set
-# CONFIG_AD2S1200 is not set
-# CONFIG_AD2S1210 is not set
-
-#
-# Triggers - standalone
-#
-# CONFIG_IIO_PERIODIC_RTC_TRIGGER is not set
-# CONFIG_IIO_SIMPLE_DUMMY is not set
-# CONFIG_FB_SM750 is not set
-# CONFIG_FB_XGI is not set
-
-#
-# Speakup console speech
-#
-CONFIG_SPEAKUP=m
-CONFIG_SPEAKUP_SYNTH_ACNTSA=m
-CONFIG_SPEAKUP_SYNTH_APOLLO=m
-CONFIG_SPEAKUP_SYNTH_AUDPTR=m
-CONFIG_SPEAKUP_SYNTH_BNS=m
-CONFIG_SPEAKUP_SYNTH_DECTLK=m
-CONFIG_SPEAKUP_SYNTH_DECEXT=m
-CONFIG_SPEAKUP_SYNTH_LTLK=m
-CONFIG_SPEAKUP_SYNTH_SOFT=m
-CONFIG_SPEAKUP_SYNTH_SPKOUT=m
-CONFIG_SPEAKUP_SYNTH_TXPRT=m
-CONFIG_SPEAKUP_SYNTH_DUMMY=m
-# CONFIG_TOUCHSCREEN_SYNAPTICS_I2C_RMI4 is not set
-CONFIG_STAGING_MEDIA=y
-# CONFIG_I2C_BCM2048 is not set
-# CONFIG_DVB_CXD2099 is not set
-# CONFIG_DVB_MN88472 is not set
-# CONFIG_DVB_MN88473 is not set
-CONFIG_LIRC_STAGING=y
-CONFIG_LIRC_BT829=m
-CONFIG_LIRC_IMON=m
-# CONFIG_LIRC_PARALLEL is not set
-CONFIG_LIRC_SASEM=m
-CONFIG_LIRC_SERIAL=m
-CONFIG_LIRC_SERIAL_TRANSMITTER=y
-CONFIG_LIRC_SIR=m
-CONFIG_LIRC_ZILOG=m
-# CONFIG_STAGING_RDMA is not set
-
-#
-# Android
-#
-CONFIG_WIMAX_GDM72XX=m
-# CONFIG_WIMAX_GDM72XX_QOS is not set
-# CONFIG_WIMAX_GDM72XX_K_MODE is not set
-# CONFIG_WIMAX_GDM72XX_WIMAX2 is not set
-CONFIG_WIMAX_GDM72XX_USB=y
-# CONFIG_WIMAX_GDM72XX_SDIO is not set
-CONFIG_WIMAX_GDM72XX_USB_PM=y
-# CONFIG_LTE_GDM724X is not set
-# CONFIG_FIREWIRE_SERIAL is not set
-# CONFIG_MTD_SPINAND_MT29F is not set
-CONFIG_LUSTRE_FS=m
-CONFIG_LUSTRE_OBD_MAX_IOCTL_BUFFER=8192
-# CONFIG_LUSTRE_DEBUG_EXPENSIVE_CHECK is not set
-CONFIG_LUSTRE_LLITE_LLOOP=m
-CONFIG_LNET=m
-CONFIG_LNET_MAX_PAYLOAD=1048576
-# CONFIG_LNET_SELFTEST is not set
-CONFIG_LNET_XPRT_IB=m
-# CONFIG_DGNC is not set
-# CONFIG_DGAP is not set
-# CONFIG_GS_FPGABOOT is not set
-# CONFIG_CRYPTO_SKEIN is not set
-# CONFIG_UNISYSSPAR is not set
-# CONFIG_FB_TFT is not set
-# CONFIG_WILC1000_DRIVER is not set
-# CONFIG_MOST is not set
-CONFIG_X86_PLATFORM_DEVICES=y
-CONFIG_ACER_WMI=m
-CONFIG_ACERHDF=m
-CONFIG_ALIENWARE_WMI=m
-CONFIG_ASUS_LAPTOP=m
-CONFIG_DELL_LAPTOP=m
-CONFIG_DELL_WMI=m
-CONFIG_DELL_WMI_AIO=m
-CONFIG_DELL_SMO8800=m
-CONFIG_DELL_RBTN=m
-CONFIG_FUJITSU_LAPTOP=m
-# CONFIG_FUJITSU_LAPTOP_DEBUG is not set
-CONFIG_FUJITSU_TABLET=m
-CONFIG_AMILO_RFKILL=m
-CONFIG_HP_ACCEL=m
-CONFIG_HP_WIRELESS=m
-CONFIG_HP_WMI=m
-CONFIG_MSI_LAPTOP=m
-CONFIG_PANASONIC_LAPTOP=m
-CONFIG_COMPAL_LAPTOP=m
-CONFIG_SONY_LAPTOP=m
-CONFIG_SONYPI_COMPAT=y
-CONFIG_IDEAPAD_LAPTOP=m
-CONFIG_THINKPAD_ACPI=m
-CONFIG_THINKPAD_ACPI_ALSA_SUPPORT=y
-# CONFIG_THINKPAD_ACPI_DEBUGFACILITIES is not set
-# CONFIG_THINKPAD_ACPI_DEBUG is not set
-# CONFIG_THINKPAD_ACPI_UNSAFE_LEDS is not set
-CONFIG_THINKPAD_ACPI_VIDEO=y
-CONFIG_THINKPAD_ACPI_HOTKEY_POLL=y
-CONFIG_SENSORS_HDAPS=m
-# CONFIG_INTEL_MENLOW is not set
-CONFIG_EEEPC_LAPTOP=m
-CONFIG_ASUS_WMI=m
-CONFIG_ASUS_NB_WMI=m
-CONFIG_EEEPC_WMI=m
-CONFIG_ACPI_WMI=m
-CONFIG_MSI_WMI=m
-CONFIG_TOPSTAR_LAPTOP=m
-CONFIG_ACPI_TOSHIBA=m
-CONFIG_TOSHIBA_BT_RFKILL=m
-CONFIG_TOSHIBA_HAPS=m
-# CONFIG_TOSHIBA_WMI is not set
-CONFIG_ACPI_CMPC=m
-CONFIG_INTEL_IPS=m
-CONFIG_IBM_RTL=m
-CONFIG_SAMSUNG_LAPTOP=m
-CONFIG_MXM_WMI=m
-CONFIG_INTEL_OAKTRAIL=m
-CONFIG_SAMSUNG_Q10=m
-CONFIG_APPLE_GMUX=m
-CONFIG_INTEL_RST=m
-CONFIG_INTEL_SMARTCONNECT=m
-CONFIG_PVPANIC=m
-CONFIG_INTEL_PMC_IPC=m
-CONFIG_SURFACE_PRO3_BUTTON=m
-CONFIG_CHROME_PLATFORMS=y
-CONFIG_CHROMEOS_LAPTOP=m
-CONFIG_CHROMEOS_PSTORE=m
-CONFIG_CLKDEV_LOOKUP=y
-CONFIG_HAVE_CLK_PREPARE=y
-CONFIG_COMMON_CLK=y
-
-#
-# Common Clock Framework
-#
-# CONFIG_COMMON_CLK_SI5351 is not set
-# CONFIG_COMMON_CLK_PXA is not set
-# CONFIG_COMMON_CLK_CDCE706 is not set
-
-#
-# Hardware Spinlock drivers
-#
-
-#
-# Clock Source drivers
-#
-CONFIG_CLKEVT_I8253=y
-CONFIG_I8253_LOCK=y
-CONFIG_CLKBLD_I8253=y
-# CONFIG_ATMEL_PIT is not set
-# CONFIG_SH_TIMER_CMT is not set
-# CONFIG_SH_TIMER_MTU2 is not set
-# CONFIG_SH_TIMER_TMU is not set
-# CONFIG_EM_TIMER_STI is not set
-# CONFIG_MAILBOX is not set
-CONFIG_IOMMU_API=y
-CONFIG_IOMMU_SUPPORT=y
-
-#
-# Generic IOMMU Pagetable Support
-#
-CONFIG_IOMMU_IOVA=y
-CONFIG_AMD_IOMMU=y
-CONFIG_AMD_IOMMU_V2=y
-CONFIG_DMAR_TABLE=y
-CONFIG_INTEL_IOMMU=y
-CONFIG_INTEL_IOMMU_SVM=y
-# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
-CONFIG_INTEL_IOMMU_FLOPPY_WA=y
-CONFIG_IRQ_REMAP=y
-
-#
-# Remoteproc drivers
-#
-# CONFIG_STE_MODEM_RPROC is not set
-
-#
-# Rpmsg drivers
-#
-
-#
-# SOC (System On Chip) specific Drivers
-#
-# CONFIG_SUNXI_SRAM is not set
-# CONFIG_SOC_TI is not set
-CONFIG_PM_DEVFREQ=y
-
-#
-# DEVFREQ Governors
-#
-CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=m
-# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set
-# CONFIG_DEVFREQ_GOV_POWERSAVE is not set
-# CONFIG_DEVFREQ_GOV_USERSPACE is not set
-
-#
-# DEVFREQ Drivers
-#
-# CONFIG_PM_DEVFREQ_EVENT is not set
-# CONFIG_EXTCON is not set
-CONFIG_MEMORY=y
-CONFIG_IIO=m
-CONFIG_IIO_BUFFER=y
-# CONFIG_IIO_BUFFER_CB is not set
-CONFIG_IIO_KFIFO_BUF=m
-CONFIG_IIO_TRIGGERED_BUFFER=m
-CONFIG_IIO_TRIGGER=y
-CONFIG_IIO_CONSUMERS_PER_TRIGGER=2
-
-#
-# Accelerometers
-#
-# CONFIG_BMA180 is not set
-CONFIG_BMC150_ACCEL=m
-CONFIG_BMC150_ACCEL_I2C=m
-CONFIG_BMC150_ACCEL_SPI=m
-CONFIG_HID_SENSOR_ACCEL_3D=m
-# CONFIG_IIO_ST_ACCEL_3AXIS is not set
-# CONFIG_KXSD9 is not set
-CONFIG_KXCJK1013=m
-# CONFIG_MMA8452 is not set
-CONFIG_MMA9551_CORE=m
-CONFIG_MMA9551=m
-CONFIG_MMA9553=m
-# CONFIG_MXC4005 is not set
-# CONFIG_STK8312 is not set
-# CONFIG_STK8BA50 is not set
-
-#
-# Analog to digital converters
-#
-# CONFIG_AD7266 is not set
-# CONFIG_AD7291 is not set
-# CONFIG_AD7298 is not set
-# CONFIG_AD7476 is not set
-# CONFIG_AD7791 is not set
-# CONFIG_AD7793 is not set
-# CONFIG_AD7887 is not set
-# CONFIG_AD7923 is not set
-# CONFIG_AD799X is not set
-# CONFIG_HI8435 is not set
-# CONFIG_MAX1027 is not set
-# CONFIG_MAX1363 is not set
-# CONFIG_MCP320X is not set
-# CONFIG_MCP3422 is not set
-# CONFIG_NAU7802 is not set
-# CONFIG_TI_ADC081C is not set
-# CONFIG_TI_ADC128S052 is not set
-CONFIG_VIPERBOARD_ADC=m
-
-#
-# Amplifiers
-#
-# CONFIG_AD8366 is not set
-
-#
-# Chemical Sensors
-#
-# CONFIG_VZ89X is not set
-
-#
-# Hid Sensor IIO Common
-#
-CONFIG_HID_SENSOR_IIO_COMMON=m
-CONFIG_HID_SENSOR_IIO_TRIGGER=m
-
-#
-# SSP Sensor Common
-#
-# CONFIG_IIO_SSP_SENSORHUB is not set
-
-#
-# Digital to analog converters
-#
-# CONFIG_AD5064 is not set
-# CONFIG_AD5360 is not set
-# CONFIG_AD5380 is not set
-# CONFIG_AD5421 is not set
-# CONFIG_AD5446 is not set
-# CONFIG_AD5449 is not set
-# CONFIG_AD5504 is not set
-# CONFIG_AD5624R_SPI is not set
-# CONFIG_AD5686 is not set
-# CONFIG_AD5755 is not set
-# CONFIG_AD5764 is not set
-# CONFIG_AD5791 is not set
-# CONFIG_AD7303 is not set
-# CONFIG_M62332 is not set
-# CONFIG_MAX517 is not set
-# CONFIG_MCP4725 is not set
-# CONFIG_MCP4922 is not set
-
-#
-# Frequency Synthesizers DDS/PLL
-#
-
-#
-# Clock Generator/Distribution
-#
-# CONFIG_AD9523 is not set
-
-#
-# Phase-Locked Loop (PLL) frequency synthesizers
-#
-# CONFIG_ADF4350 is not set
-
-#
-# Digital gyroscope sensors
-#
-# CONFIG_ADIS16080 is not set
-# CONFIG_ADIS16130 is not set
-# CONFIG_ADIS16136 is not set
-# CONFIG_ADIS16260 is not set
-# CONFIG_ADXRS450 is not set
-CONFIG_BMG160=m
-CONFIG_BMG160_I2C=m
-CONFIG_BMG160_SPI=m
-CONFIG_HID_SENSOR_GYRO_3D=m
-# CONFIG_IIO_ST_GYRO_3AXIS is not set
-# CONFIG_ITG3200 is not set
-
-#
-# Humidity sensors
-#
-# CONFIG_DHT11 is not set
-# CONFIG_HDC100X is not set
-# CONFIG_HTU21 is not set
-# CONFIG_SI7005 is not set
-# CONFIG_SI7020 is not set
-
-#
-# Inertial measurement units
-#
-# CONFIG_ADIS16400 is not set
-# CONFIG_ADIS16480 is not set
-CONFIG_KMX61=m
-CONFIG_INV_MPU6050_IIO=m
-
-#
-# Light sensors
-#
-CONFIG_ACPI_ALS=m
-# CONFIG_ADJD_S311 is not set
-# CONFIG_AL3320A is not set
-# CONFIG_APDS9300 is not set
-# CONFIG_APDS9960 is not set
-# CONFIG_BH1750 is not set
-# CONFIG_CM32181 is not set
-# CONFIG_CM3232 is not set
-# CONFIG_CM3323 is not set
-# CONFIG_CM36651 is not set
-# CONFIG_GP2AP020A00F is not set
-# CONFIG_ISL29125 is not set
-CONFIG_HID_SENSOR_ALS=m
-CONFIG_HID_SENSOR_PROX=m
-CONFIG_JSA1212=m
-# CONFIG_RPR0521 is not set
-# CONFIG_LTR501 is not set
-# CONFIG_OPT3001 is not set
-# CONFIG_PA12203001 is not set
-# CONFIG_STK3310 is not set
-# CONFIG_TCS3414 is not set
-# CONFIG_TCS3472 is not set
-CONFIG_SENSORS_TSL2563=m
-# CONFIG_TSL4531 is not set
-# CONFIG_US5182D is not set
-# CONFIG_VCNL4000 is not set
-
-#
-# Magnetometer sensors
-#
-CONFIG_AK8975=m
-# CONFIG_AK09911 is not set
-# CONFIG_BMC150_MAGN is not set
-# CONFIG_MAG3110 is not set
-CONFIG_HID_SENSOR_MAGNETOMETER_3D=m
-# CONFIG_MMC35240 is not set
-# CONFIG_IIO_ST_MAGN_3AXIS is not set
-
-#
-# Inclinometer sensors
-#
-CONFIG_HID_SENSOR_INCLINOMETER_3D=m
-CONFIG_HID_SENSOR_DEVICE_ROTATION=m
-
-#
-# Triggers - standalone
-#
-# CONFIG_IIO_INTERRUPT_TRIGGER is not set
-# CONFIG_IIO_SYSFS_TRIGGER is not set
-
-#
-# Digital potentiometers
-#
-# CONFIG_MCP4531 is not set
-
-#
-# Pressure sensors
-#
-CONFIG_BMP280=m
-CONFIG_HID_SENSOR_PRESS=m
-# CONFIG_MPL115 is not set
-# CONFIG_MPL3115 is not set
-# CONFIG_MS5611 is not set
-# CONFIG_MS5637 is not set
-# CONFIG_IIO_ST_PRESS is not set
-# CONFIG_T5403 is not set
-
-#
-# Lightning sensors
-#
-# CONFIG_AS3935 is not set
-
-#
-# Proximity sensors
-#
-# CONFIG_LIDAR_LITE_V2 is not set
-CONFIG_SX9500=m
-
-#
-# Temperature sensors
-#
-# CONFIG_MLX90614 is not set
-# CONFIG_TMP006 is not set
-# CONFIG_TSYS01 is not set
-# CONFIG_TSYS02D is not set
-# CONFIG_NTB is not set
-# CONFIG_VME_BUS is not set
-# CONFIG_PWM is not set
-# CONFIG_IPACK_BUS is not set
-# CONFIG_RESET_CONTROLLER is not set
-# CONFIG_FMC is not set
-
-#
-# PHY Subsystem
-#
-CONFIG_GENERIC_PHY=y
-# CONFIG_PHY_PXA_28NM_HSIC is not set
-# CONFIG_PHY_PXA_28NM_USB2 is not set
-# CONFIG_BCM_KONA_USB2_PHY is not set
-CONFIG_POWERCAP=y
-CONFIG_INTEL_RAPL=m
-# CONFIG_MCB is not set
-
-#
-# Performance monitor support
-#
-CONFIG_RAS=y
-CONFIG_THUNDERBOLT=m
-
-#
-# Android
-#
-# CONFIG_ANDROID is not set
-CONFIG_LIBNVDIMM=m
-CONFIG_BLK_DEV_PMEM=m
-CONFIG_ND_BLK=m
-CONFIG_ND_CLAIM=y
-CONFIG_ND_BTT=m
-CONFIG_BTT=y
-CONFIG_ND_PFN=m
-CONFIG_NVDIMM_PFN=y
-# CONFIG_NVMEM is not set
-# CONFIG_STM is not set
-# CONFIG_STM_DUMMY is not set
-# CONFIG_STM_SOURCE_CONSOLE is not set
-# CONFIG_INTEL_TH is not set
-
-#
-# FPGA Configuration Support
-#
-# CONFIG_FPGA is not set
-
-#
-# Firmware Drivers
-#
-CONFIG_EDD=m
-# CONFIG_EDD_OFF is not set
-CONFIG_FIRMWARE_MEMMAP=y
-CONFIG_DELL_RBU=m
-CONFIG_DCDBAS=m
-CONFIG_DMIID=y
-CONFIG_DMI_SYSFS=y
-CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
-CONFIG_ISCSI_IBFT_FIND=y
-CONFIG_ISCSI_IBFT=m
-# CONFIG_GOOGLE_FIRMWARE is not set
-
-#
-# EFI (Extensible Firmware Interface) Support
-#
-CONFIG_EFI_VARS=m
-CONFIG_EFI_ESRT=y
-CONFIG_EFI_VARS_PSTORE=m
-# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
-# CONFIG_EFI_FAKE_MEMMAP is not set
-CONFIG_EFI_RUNTIME_WRAPPERS=y
-CONFIG_UEFI_CPER=y
-
-#
-# File systems
-#
-CONFIG_DCACHE_WORD_ACCESS=y
-# CONFIG_EXT2_FS is not set
-# CONFIG_EXT3_FS is not set
-CONFIG_EXT4_FS=m
-CONFIG_EXT4_USE_FOR_EXT2=y
-CONFIG_EXT4_FS_POSIX_ACL=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_EXT4_ENCRYPTION=m
-CONFIG_EXT4_FS_ENCRYPTION=y
-# CONFIG_EXT4_DEBUG is not set
-CONFIG_JBD2=m
-# CONFIG_JBD2_DEBUG is not set
-CONFIG_FS_MBCACHE=m
-CONFIG_REISERFS_FS=m
-# CONFIG_REISERFS_CHECK is not set
-# CONFIG_REISERFS_PROC_INFO is not set
-CONFIG_REISERFS_FS_XATTR=y
-CONFIG_REISERFS_FS_POSIX_ACL=y
-CONFIG_REISERFS_FS_SECURITY=y
-CONFIG_JFS_FS=m
-CONFIG_JFS_POSIX_ACL=y
-CONFIG_JFS_SECURITY=y
-# CONFIG_JFS_DEBUG is not set
-# CONFIG_JFS_STATISTICS is not set
-CONFIG_XFS_FS=m
-CONFIG_XFS_QUOTA=y
-CONFIG_XFS_POSIX_ACL=y
-CONFIG_XFS_RT=y
-# CONFIG_XFS_WARN is not set
-# CONFIG_XFS_DEBUG is not set
-CONFIG_GFS2_FS=m
-CONFIG_GFS2_FS_LOCKING_DLM=y
-CONFIG_OCFS2_FS=m
-CONFIG_OCFS2_FS_O2CB=m
-CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m
-CONFIG_OCFS2_DEBUG_MASKLOG=y
-# CONFIG_OCFS2_DEBUG_FS is not set
-CONFIG_BTRFS_FS=m
-CONFIG_BTRFS_FS_POSIX_ACL=y
-# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set
-# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
-# CONFIG_BTRFS_DEBUG is not set
-# CONFIG_BTRFS_ASSERT is not set
-CONFIG_NILFS2_FS=m
-CONFIG_F2FS_FS=m
-CONFIG_F2FS_FS_XATTR=y
-CONFIG_F2FS_FS_POSIX_ACL=y
-CONFIG_F2FS_FS_SECURITY=y
-# CONFIG_F2FS_CHECK_FS is not set
-CONFIG_F2FS_FS_ENCRYPTION=y
-CONFIG_FS_DAX=y
-CONFIG_FS_POSIX_ACL=y
-CONFIG_EXPORTFS=y
-CONFIG_FILE_LOCKING=y
-CONFIG_FSNOTIFY=y
-CONFIG_DNOTIFY=y
-CONFIG_INOTIFY_USER=y
-CONFIG_FANOTIFY=y
-# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
-CONFIG_QUOTA=y
-CONFIG_QUOTA_NETLINK_INTERFACE=y
-CONFIG_PRINT_QUOTA_WARNING=y
-# CONFIG_QUOTA_DEBUG is not set
-CONFIG_QUOTA_TREE=m
-CONFIG_QFMT_V1=m
-CONFIG_QFMT_V2=m
-CONFIG_QUOTACTL=y
-CONFIG_QUOTACTL_COMPAT=y
-CONFIG_AUTOFS4_FS=m
-CONFIG_FUSE_FS=m
-CONFIG_CUSE=m
-CONFIG_OVERLAY_FS=m
-
-#
-# Caches
-#
-CONFIG_FSCACHE=m
-CONFIG_FSCACHE_STATS=y
-# CONFIG_FSCACHE_HISTOGRAM is not set
-# CONFIG_FSCACHE_DEBUG is not set
-# CONFIG_FSCACHE_OBJECT_LIST is not set
-CONFIG_CACHEFILES=m
-# CONFIG_CACHEFILES_DEBUG is not set
-# CONFIG_CACHEFILES_HISTOGRAM is not set
-
-#
-# CD-ROM/DVD Filesystems
-#
-CONFIG_ISO9660_FS=m
-CONFIG_JOLIET=y
-CONFIG_ZISOFS=y
-CONFIG_UDF_FS=m
-CONFIG_UDF_NLS=y
-
-#
-# DOS/FAT/NT Filesystems
-#
-CONFIG_FAT_FS=m
-CONFIG_MSDOS_FS=m
-CONFIG_VFAT_FS=m
-CONFIG_FAT_DEFAULT_CODEPAGE=437
-CONFIG_FAT_DEFAULT_IOCHARSET="utf8"
-CONFIG_NTFS_FS=m
-# CONFIG_NTFS_DEBUG is not set
-CONFIG_NTFS_RW=y
-
-#
-# Pseudo filesystems
-#
-CONFIG_PROC_FS=y
-CONFIG_PROC_SYSCTL=y
-# CONFIG_PROC_CHILDREN is not set
-CONFIG_KERNFS=y
-CONFIG_SYSFS=y
-CONFIG_TMPFS=y
-CONFIG_TMPFS_POSIX_ACL=y
-CONFIG_TMPFS_XATTR=y
-CONFIG_HUGETLBFS=y
-CONFIG_HUGETLB_PAGE=y
-CONFIG_CONFIGFS_FS=m
-CONFIG_EFIVAR_FS=m
-CONFIG_MISC_FILESYSTEMS=y
-CONFIG_ADFS_FS=m
-# CONFIG_ADFS_FS_RW is not set
-CONFIG_AFFS_FS=m
-CONFIG_ECRYPT_FS=m
-CONFIG_ECRYPT_FS_MESSAGING=y
-CONFIG_HFS_FS=m
-CONFIG_HFSPLUS_FS=m
-# CONFIG_HFSPLUS_FS_POSIX_ACL is not set
-CONFIG_BEFS_FS=m
-# CONFIG_BEFS_DEBUG is not set
-CONFIG_BFS_FS=m
-CONFIG_EFS_FS=m
-CONFIG_JFFS2_FS=m
-CONFIG_JFFS2_FS_DEBUG=0
-CONFIG_JFFS2_FS_WRITEBUFFER=y
-# CONFIG_JFFS2_FS_WBUF_VERIFY is not set
-CONFIG_JFFS2_SUMMARY=y
-CONFIG_JFFS2_FS_XATTR=y
-CONFIG_JFFS2_FS_POSIX_ACL=y
-CONFIG_JFFS2_FS_SECURITY=y
-CONFIG_JFFS2_COMPRESSION_OPTIONS=y
-CONFIG_JFFS2_ZLIB=y
-CONFIG_JFFS2_LZO=y
-CONFIG_JFFS2_RTIME=y
-# CONFIG_JFFS2_RUBIN is not set
-# CONFIG_JFFS2_CMODE_NONE is not set
-CONFIG_JFFS2_CMODE_PRIORITY=y
-# CONFIG_JFFS2_CMODE_SIZE is not set
-# CONFIG_JFFS2_CMODE_FAVOURLZO is not set
-CONFIG_UBIFS_FS=m
-CONFIG_UBIFS_FS_ADVANCED_COMPR=y
-CONFIG_UBIFS_FS_LZO=y
-CONFIG_UBIFS_FS_ZLIB=y
-# CONFIG_UBIFS_ATIME_SUPPORT is not set
-CONFIG_LOGFS=m
-# CONFIG_CRAMFS is not set
-CONFIG_SQUASHFS=m
-CONFIG_SQUASHFS_FILE_CACHE=y
-# CONFIG_SQUASHFS_FILE_DIRECT is not set
-CONFIG_SQUASHFS_DECOMP_SINGLE=y
-# CONFIG_SQUASHFS_DECOMP_MULTI is not set
-# CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set
-CONFIG_SQUASHFS_XATTR=y
-CONFIG_SQUASHFS_ZLIB=y
-# CONFIG_SQUASHFS_LZ4 is not set
-CONFIG_SQUASHFS_LZO=y
-CONFIG_SQUASHFS_XZ=y
-# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
-# CONFIG_SQUASHFS_EMBEDDED is not set
-CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
-CONFIG_VXFS_FS=m
-CONFIG_MINIX_FS=m
-CONFIG_OMFS_FS=m
-# CONFIG_HPFS_FS is not set
-CONFIG_QNX4FS_FS=m
-CONFIG_QNX6FS_FS=m
-# CONFIG_QNX6FS_DEBUG is not set
-CONFIG_ROMFS_FS=m
-# CONFIG_ROMFS_BACKED_BY_BLOCK is not set
-# CONFIG_ROMFS_BACKED_BY_MTD is not set
-CONFIG_ROMFS_BACKED_BY_BOTH=y
-CONFIG_ROMFS_ON_BLOCK=y
-CONFIG_ROMFS_ON_MTD=y
-CONFIG_PSTORE=y
-# CONFIG_PSTORE_CONSOLE is not set
-# CONFIG_PSTORE_PMSG is not set
-CONFIG_PSTORE_RAM=m
-CONFIG_SYSV_FS=m
-CONFIG_UFS_FS=m
-# CONFIG_UFS_FS_WRITE is not set
-# CONFIG_UFS_DEBUG is not set
-CONFIG_EXOFS_FS=m
-# CONFIG_EXOFS_DEBUG is not set
-CONFIG_ORE=m
-CONFIG_NETWORK_FILESYSTEMS=y
-CONFIG_NFS_FS=m
-CONFIG_NFS_V2=m
-CONFIG_NFS_V3=m
-CONFIG_NFS_V3_ACL=y
-CONFIG_NFS_V4=m
-CONFIG_NFS_SWAP=y
-CONFIG_NFS_V4_1=y
-CONFIG_NFS_V4_2=y
-CONFIG_PNFS_FILE_LAYOUT=m
-CONFIG_PNFS_BLOCK=m
-CONFIG_PNFS_OBJLAYOUT=m
-CONFIG_PNFS_FLEXFILE_LAYOUT=m
-CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
-# CONFIG_NFS_V4_1_MIGRATION is not set
-CONFIG_NFS_V4_SECURITY_LABEL=y
-CONFIG_NFS_FSCACHE=y
-# CONFIG_NFS_USE_LEGACY_DNS is not set
-CONFIG_NFS_USE_KERNEL_DNS=y
-CONFIG_NFSD=m
-CONFIG_NFSD_V2_ACL=y
-CONFIG_NFSD_V3=y
-CONFIG_NFSD_V3_ACL=y
-CONFIG_NFSD_V4=y
-CONFIG_NFSD_PNFS=y
-CONFIG_NFSD_V4_SECURITY_LABEL=y
-CONFIG_GRACE_PERIOD=m
-CONFIG_LOCKD=m
-CONFIG_LOCKD_V4=y
-CONFIG_NFS_ACL_SUPPORT=m
-CONFIG_NFS_COMMON=y
-CONFIG_SUNRPC=m
-CONFIG_SUNRPC_GSS=m
-CONFIG_SUNRPC_BACKCHANNEL=y
-CONFIG_SUNRPC_SWAP=y
-CONFIG_RPCSEC_GSS_KRB5=m
-CONFIG_SUNRPC_XPRT_RDMA=m
-CONFIG_CEPH_FS=m
-CONFIG_CEPH_FSCACHE=y
-CONFIG_CEPH_FS_POSIX_ACL=y
-CONFIG_CIFS=m
-# CONFIG_CIFS_STATS is not set
-CONFIG_CIFS_WEAK_PW_HASH=y
-CONFIG_CIFS_UPCALL=y
-CONFIG_CIFS_XATTR=y
-CONFIG_CIFS_POSIX=y
-CONFIG_CIFS_ACL=y
-CONFIG_CIFS_DEBUG=y
-# CONFIG_CIFS_DEBUG2 is not set
-CONFIG_CIFS_DFS_UPCALL=y
-CONFIG_CIFS_SMB2=y
-# CONFIG_CIFS_SMB311 is not set
-CONFIG_CIFS_FSCACHE=y
-CONFIG_NCP_FS=m
-CONFIG_NCPFS_PACKET_SIGNING=y
-CONFIG_NCPFS_IOCTL_LOCKING=y
-CONFIG_NCPFS_STRONG=y
-CONFIG_NCPFS_NFS_NS=y
-CONFIG_NCPFS_OS2_NS=y
-# CONFIG_NCPFS_SMALLDOS is not set
-CONFIG_NCPFS_NLS=y
-CONFIG_NCPFS_EXTRAS=y
-CONFIG_CODA_FS=m
-CONFIG_AFS_FS=m
-# CONFIG_AFS_DEBUG is not set
-CONFIG_AFS_FSCACHE=y
-CONFIG_9P_FS=m
-CONFIG_9P_FSCACHE=y
-CONFIG_9P_FS_POSIX_ACL=y
-CONFIG_9P_FS_SECURITY=y
-CONFIG_NLS=y
-CONFIG_NLS_DEFAULT="utf8"
-CONFIG_NLS_CODEPAGE_437=m
-CONFIG_NLS_CODEPAGE_737=m
-CONFIG_NLS_CODEPAGE_775=m
-CONFIG_NLS_CODEPAGE_850=m
-CONFIG_NLS_CODEPAGE_852=m
-CONFIG_NLS_CODEPAGE_855=m
-CONFIG_NLS_CODEPAGE_857=m
-CONFIG_NLS_CODEPAGE_860=m
-CONFIG_NLS_CODEPAGE_861=m
-CONFIG_NLS_CODEPAGE_862=m
-CONFIG_NLS_CODEPAGE_863=m
-CONFIG_NLS_CODEPAGE_864=m
-CONFIG_NLS_CODEPAGE_865=m
-CONFIG_NLS_CODEPAGE_866=m
-CONFIG_NLS_CODEPAGE_869=m
-CONFIG_NLS_CODEPAGE_936=m
-CONFIG_NLS_CODEPAGE_950=m
-CONFIG_NLS_CODEPAGE_932=m
-CONFIG_NLS_CODEPAGE_949=m
-CONFIG_NLS_CODEPAGE_874=m
-CONFIG_NLS_ISO8859_8=m
-CONFIG_NLS_CODEPAGE_1250=m
-CONFIG_NLS_CODEPAGE_1251=m
-CONFIG_NLS_ASCII=m
-CONFIG_NLS_ISO8859_1=m
-CONFIG_NLS_ISO8859_2=m
-CONFIG_NLS_ISO8859_3=m
-CONFIG_NLS_ISO8859_4=m
-CONFIG_NLS_ISO8859_5=m
-CONFIG_NLS_ISO8859_6=m
-CONFIG_NLS_ISO8859_7=m
-CONFIG_NLS_ISO8859_9=m
-CONFIG_NLS_ISO8859_13=m
-CONFIG_NLS_ISO8859_14=m
-CONFIG_NLS_ISO8859_15=m
-CONFIG_NLS_KOI8_R=m
-CONFIG_NLS_KOI8_U=m
-CONFIG_NLS_MAC_ROMAN=m
-CONFIG_NLS_MAC_CELTIC=m
-CONFIG_NLS_MAC_CENTEURO=m
-CONFIG_NLS_MAC_CROATIAN=m
-CONFIG_NLS_MAC_CYRILLIC=m
-CONFIG_NLS_MAC_GAELIC=m
-CONFIG_NLS_MAC_GREEK=m
-CONFIG_NLS_MAC_ICELAND=m
-CONFIG_NLS_MAC_INUIT=m
-CONFIG_NLS_MAC_ROMANIAN=m
-CONFIG_NLS_MAC_TURKISH=m
-CONFIG_NLS_UTF8=m
-CONFIG_DLM=m
-CONFIG_DLM_DEBUG=y
-
-#
-# Kernel hacking
-#
-CONFIG_TRACE_IRQFLAGS_SUPPORT=y
-
-#
-# printk and dmesg options
-#
-CONFIG_PRINTK_TIME=y
-CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
-CONFIG_BOOT_PRINTK_DELAY=y
-
-#
-# Compile-time checks and compiler options
-#
-# CONFIG_DEBUG_INFO is not set
-CONFIG_ENABLE_WARN_DEPRECATED=y
-CONFIG_ENABLE_MUST_CHECK=y
-CONFIG_FRAME_WARN=2048
-CONFIG_STRIP_ASM_SYMS=y
-# CONFIG_READABLE_ASM is not set
-CONFIG_UNUSED_SYMBOLS=y
-# CONFIG_HEADERS_CHECK is not set
-# CONFIG_DEBUG_SECTION_MISMATCH is not set
-CONFIG_SECTION_MISMATCH_WARN_ONLY=y
-CONFIG_ARCH_WANT_FRAME_POINTERS=y
-# CONFIG_FRAME_POINTER is not set
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
-CONFIG_MAGIC_SYSRQ=y
-CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
-CONFIG_DEBUG_KERNEL=y
-
-#
-# Memory Debugging
-#
-# CONFIG_PAGE_EXTENSION is not set
-# CONFIG_DEBUG_OBJECTS is not set
-# CONFIG_DEBUG_SLAB is not set
-CONFIG_HAVE_DEBUG_KMEMLEAK=y
-# CONFIG_DEBUG_STACK_USAGE is not set
-# CONFIG_DEBUG_VM is not set
-# CONFIG_DEBUG_VIRTUAL is not set
-CONFIG_DEBUG_MEMORY_INIT=y
-# CONFIG_DEBUG_PER_CPU_MAPS is not set
-CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
-# CONFIG_DEBUG_STACKOVERFLOW is not set
-CONFIG_HAVE_ARCH_KMEMCHECK=y
-# CONFIG_KMEMCHECK is not set
-CONFIG_HAVE_ARCH_KASAN=y
-# CONFIG_DEBUG_SHIRQ is not set
-
-#
-# Debug Lockups and Hangs
-#
-CONFIG_LOCKUP_DETECTOR=y
-CONFIG_HARDLOCKUP_DETECTOR=y
-# CONFIG_BOOTPARAM_HARDLOCKUP_PANIC is not set
-CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=0
-# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
-CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
-CONFIG_DETECT_HUNG_TASK=y
-CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
-# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
-CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
-# CONFIG_PANIC_ON_OOPS is not set
-CONFIG_PANIC_ON_OOPS_VALUE=0
-CONFIG_PANIC_TIMEOUT=0
-CONFIG_SCHED_DEBUG=y
-CONFIG_SCHED_INFO=y
-# CONFIG_SCHEDSTATS is not set
-CONFIG_SCHED_STACK_END_CHECK=y
-# CONFIG_DEBUG_TIMEKEEPING is not set
-CONFIG_TIMER_STATS=y
-
-#
-# Lock Debugging (spinlocks, mutexes, etc...)
-#
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
-# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
-# CONFIG_LOCK_TORTURE_TEST is not set
-# CONFIG_STACKTRACE is not set
-# CONFIG_DEBUG_KOBJECT is not set
-CONFIG_DEBUG_BUGVERBOSE=y
-CONFIG_DEBUG_LIST=y
-# CONFIG_DEBUG_PI_LIST is not set
-# CONFIG_DEBUG_SG is not set
-# CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_DEBUG_CREDENTIALS is not set
-
-#
-# RCU Debugging
-#
-# CONFIG_PROVE_RCU is not set
-# CONFIG_SPARSE_RCU_POINTER is not set
-# CONFIG_TORTURE_TEST is not set
-# CONFIG_RCU_TORTURE_TEST is not set
-CONFIG_RCU_CPU_STALL_TIMEOUT=21
-# CONFIG_RCU_TRACE is not set
-# CONFIG_RCU_EQS_DEBUG is not set
-# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
-# CONFIG_FAULT_INJECTION is not set
-CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
-CONFIG_USER_STACKTRACE_SUPPORT=y
-CONFIG_HAVE_FUNCTION_TRACER=y
-CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
-CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
-CONFIG_HAVE_DYNAMIC_FTRACE=y
-CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
-CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
-CONFIG_HAVE_FENTRY=y
-CONFIG_HAVE_C_RECORDMCOUNT=y
-CONFIG_TRACE_CLOCK=y
-CONFIG_RING_BUFFER=y
-CONFIG_RING_BUFFER_ALLOW_SWAP=y
-
-#
-# Runtime Testing
-#
-# CONFIG_TEST_LIST_SORT is not set
-# CONFIG_KPROBES_SANITY_TEST is not set
-# CONFIG_BACKTRACE_SELF_TEST is not set
-# CONFIG_RBTREE_TEST is not set
-# CONFIG_INTERVAL_TREE_TEST is not set
-# CONFIG_PERCPU_TEST is not set
-# CONFIG_ATOMIC64_SELFTEST is not set
-# CONFIG_ASYNC_RAID6_TEST is not set
-# CONFIG_TEST_HEXDUMP is not set
-# CONFIG_TEST_STRING_HELPERS is not set
-# CONFIG_TEST_KSTRTOX is not set
-# CONFIG_TEST_PRINTF is not set
-# CONFIG_TEST_RHASHTABLE is not set
-# CONFIG_DMA_API_DEBUG is not set
-# CONFIG_TEST_LKM is not set
-CONFIG_TEST_USER_COPY=m
-CONFIG_TEST_BPF=m
-CONFIG_TEST_FIRMWARE=m
-# CONFIG_TEST_UDELAY is not set
-CONFIG_MEMTEST=y
-CONFIG_TEST_STATIC_KEYS=m
-# CONFIG_SAMPLES is not set
-CONFIG_HAVE_ARCH_KGDB=y
-# CONFIG_KGDB is not set
-CONFIG_STRICT_DEVMEM=y
-# CONFIG_X86_VERBOSE_BOOTUP is not set
-CONFIG_EARLY_PRINTK=y
-# CONFIG_EARLY_PRINTK_DBGP is not set
-CONFIG_EARLY_PRINTK_EFI=y
-# CONFIG_X86_PTDUMP_CORE is not set
-# CONFIG_EFI_PGT_DUMP is not set
-# CONFIG_DEBUG_NX_TEST is not set
-CONFIG_DOUBLEFAULT=y
-# CONFIG_DEBUG_TLBFLUSH is not set
-# CONFIG_IOMMU_DEBUG is not set
-# CONFIG_IOMMU_STRESS is not set
-CONFIG_HAVE_MMIOTRACE_SUPPORT=y
-# CONFIG_X86_DECODER_SELFTEST is not set
-CONFIG_IO_DELAY_TYPE_0X80=0
-CONFIG_IO_DELAY_TYPE_0XED=1
-CONFIG_IO_DELAY_TYPE_UDELAY=2
-CONFIG_IO_DELAY_TYPE_NONE=3
-CONFIG_IO_DELAY_0X80=y
-# CONFIG_IO_DELAY_0XED is not set
-# CONFIG_IO_DELAY_UDELAY is not set
-# CONFIG_IO_DELAY_NONE is not set
-CONFIG_DEFAULT_IO_DELAY_TYPE=0
-# CONFIG_CPA_DEBUG is not set
-CONFIG_OPTIMIZE_INLINING=y
-# CONFIG_DEBUG_ENTRY is not set
-# CONFIG_DEBUG_NMI_SELFTEST is not set
-# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
-CONFIG_X86_DEBUG_FPU=y
-
-#
-# Security options
-#
-
-#
-# Grsecurity
-#
-CONFIG_PAX_KERNEXEC_PLUGIN=y
-CONFIG_PAX_PER_CPU_PGD=y
-CONFIG_TASK_SIZE_MAX_SHIFT=42
-CONFIG_PAX_USERCOPY_SLABS=y
-CONFIG_GRKERNSEC=y
-# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
-CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
-CONFIG_GRKERNSEC_TPE_TRUSTED_GID=64040
-CONFIG_GRKERNSEC_SYMLINKOWN_GID=33
-
-#
-# Customize Configuration
-#
-
-#
-# PaX
-#
-CONFIG_PAX=y
-
-#
-# PaX Control
-#
-CONFIG_PAX_SOFTMODE=y
-CONFIG_PAX_EI_PAX=y
-CONFIG_PAX_PT_PAX_FLAGS=y
-CONFIG_PAX_XATTR_PAX_FLAGS=y
-# CONFIG_PAX_NO_ACL_FLAGS is not set
-CONFIG_PAX_HAVE_ACL_FLAGS=y
-# CONFIG_PAX_HOOK_ACL_FLAGS is not set
-
-#
-# Non-executable pages
-#
-CONFIG_PAX_NOEXEC=y
-CONFIG_PAX_PAGEEXEC=y
-CONFIG_PAX_EMUTRAMP=y
-CONFIG_PAX_MPROTECT=y
-# CONFIG_PAX_MPROTECT_COMPAT is not set
-# CONFIG_PAX_ELFRELOCS is not set
-CONFIG_PAX_KERNEXEC=y
-CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
-CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
-
-#
-# Address Space Layout Randomization
-#
-CONFIG_PAX_ASLR=y
-CONFIG_PAX_RANDKSTACK=y
-CONFIG_PAX_RANDUSTACK=y
-CONFIG_PAX_RANDMMAP=y
-
-#
-# Miscellaneous hardening features
-#
-CONFIG_PAX_MEMORY_SANITIZE=y
-CONFIG_PAX_MEMORY_STACKLEAK=y
-CONFIG_PAX_MEMORY_STRUCTLEAK=y
-CONFIG_PAX_MEMORY_UDEREF=y
-CONFIG_PAX_REFCOUNT=y
-CONFIG_PAX_CONSTIFY_PLUGIN=y
-CONFIG_PAX_USERCOPY=y
-# CONFIG_PAX_USERCOPY_DEBUG is not set
-CONFIG_PAX_SIZE_OVERFLOW=y
-CONFIG_PAX_LATENT_ENTROPY=y
-
-#
-# Memory Protections
-#
-CONFIG_GRKERNSEC_KMEM=y
-CONFIG_GRKERNSEC_IO=y
-CONFIG_GRKERNSEC_BPF_HARDEN=y
-CONFIG_GRKERNSEC_PERF_HARDEN=y
-CONFIG_GRKERNSEC_RAND_THREADSTACK=y
-CONFIG_GRKERNSEC_PROC_MEMMAP=y
-CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
-CONFIG_GRKERNSEC_BRUTE=y
-CONFIG_GRKERNSEC_MODHARDEN=y
-CONFIG_GRKERNSEC_HIDESYM=y
-CONFIG_GRKERNSEC_RANDSTRUCT=y
-CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GRKERNSEC_KERN_LOCKOUT=y
-
-#
-# Role Based Access Control Options
-#
-# CONFIG_GRKERNSEC_NO_RBAC is not set
-CONFIG_GRKERNSEC_ACL_HIDEKERN=y
-CONFIG_GRKERNSEC_ACL_MAXTRIES=3
-CONFIG_GRKERNSEC_ACL_TIMEOUT=30
-
-#
-# Filesystem Protections
-#
-CONFIG_GRKERNSEC_PROC=y
-CONFIG_GRKERNSEC_PROC_USER=y
-CONFIG_GRKERNSEC_PROC_ADD=y
-CONFIG_GRKERNSEC_LINK=y
-CONFIG_GRKERNSEC_SYMLINKOWN=y
-CONFIG_GRKERNSEC_FIFO=y
-# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
-CONFIG_GRKERNSEC_ROFS=y
-CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
-CONFIG_GRKERNSEC_CHROOT=y
-CONFIG_GRKERNSEC_CHROOT_MOUNT=y
-CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
-CONFIG_GRKERNSEC_CHROOT_PIVOT=y
-CONFIG_GRKERNSEC_CHROOT_CHDIR=y
-CONFIG_GRKERNSEC_CHROOT_CHMOD=y
-CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
-CONFIG_GRKERNSEC_CHROOT_MKNOD=y
-CONFIG_GRKERNSEC_CHROOT_SHMAT=y
-CONFIG_GRKERNSEC_CHROOT_UNIX=y
-CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
-CONFIG_GRKERNSEC_CHROOT_NICE=y
-CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
-CONFIG_GRKERNSEC_CHROOT_RENAME=y
-CONFIG_GRKERNSEC_CHROOT_CAPS=y
-CONFIG_GRKERNSEC_CHROOT_INITRD=y
-
-#
-# Kernel Auditing
-#
-CONFIG_GRKERNSEC_AUDIT_GROUP=y
-CONFIG_GRKERNSEC_AUDIT_GID=64044
-CONFIG_GRKERNSEC_EXECLOG=y
-CONFIG_GRKERNSEC_RESLOG=y
-CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
-CONFIG_GRKERNSEC_AUDIT_PTRACE=y
-CONFIG_GRKERNSEC_AUDIT_CHDIR=y
-CONFIG_GRKERNSEC_AUDIT_MOUNT=y
-CONFIG_GRKERNSEC_SIGNAL=y
-CONFIG_GRKERNSEC_FORKFAIL=y
-CONFIG_GRKERNSEC_TIME=y
-CONFIG_GRKERNSEC_PROC_IPADDR=y
-CONFIG_GRKERNSEC_RWXMAP_LOG=y
-
-#
-# Executable Protections
-#
-CONFIG_GRKERNSEC_DMESG=y
-CONFIG_GRKERNSEC_HARDEN_PTRACE=y
-CONFIG_GRKERNSEC_PTRACE_READEXEC=y
-CONFIG_GRKERNSEC_SETXID=y
-CONFIG_GRKERNSEC_HARDEN_IPC=y
-CONFIG_GRKERNSEC_HARDEN_TTY=y
-CONFIG_GRKERNSEC_TPE=y
-CONFIG_GRKERNSEC_TPE_ALL=y
-CONFIG_GRKERNSEC_TPE_INVERT=y
-CONFIG_GRKERNSEC_TPE_GID=64040
-
-#
-# Network Protections
-#
-CONFIG_GRKERNSEC_BLACKHOLE=y
-CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
-CONFIG_GRKERNSEC_SOCKET=y
-CONFIG_GRKERNSEC_SOCKET_ALL=y
-CONFIG_GRKERNSEC_SOCKET_ALL_GID=64041
-CONFIG_GRKERNSEC_SOCKET_CLIENT=y
-CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=64042
-CONFIG_GRKERNSEC_SOCKET_SERVER=y
-CONFIG_GRKERNSEC_SOCKET_SERVER_GID=64043
-
-#
-# Physical Protections
-#
-CONFIG_GRKERNSEC_DENYUSB=y
-# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
-
-#
-# Sysctl Support
-#
-CONFIG_GRKERNSEC_SYSCTL=y
-CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
-CONFIG_GRKERNSEC_SYSCTL_ON=y
-
-#
-# Logging Options
-#
-CONFIG_GRKERNSEC_FLOODTIME=10
-CONFIG_GRKERNSEC_FLOODBURST=6
-CONFIG_KEYS=y
-# CONFIG_PERSISTENT_KEYRINGS is not set
-# CONFIG_BIG_KEYS is not set
-# CONFIG_TRUSTED_KEYS is not set
-CONFIG_ENCRYPTED_KEYS=m
-CONFIG_SECURITY_DMESG_RESTRICT=y
-CONFIG_SECURITY=y
-CONFIG_SECURITYFS=y
-CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_NETWORK_XFRM=y
-CONFIG_SECURITY_PATH=y
-# CONFIG_INTEL_TXT is not set
-CONFIG_LSM_MMAP_MIN_ADDR=65536
-CONFIG_SECURITY_SELINUX=y
-# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
-# CONFIG_SECURITY_SELINUX_DISABLE is not set
-CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_AVC_STATS=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
-# CONFIG_SECURITY_SMACK is not set
-CONFIG_SECURITY_TOMOYO=y
-CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
-CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
-# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
-CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
-CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
-CONFIG_SECURITY_APPARMOR_HASH=y
-CONFIG_INTEGRITY=y
-# CONFIG_INTEGRITY_SIGNATURE is not set
-CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
-# CONFIG_EVM is not set
-# CONFIG_DEFAULT_SECURITY_SELINUX is not set
-# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
-CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_DEFAULT_SECURITY=""
-CONFIG_XOR_BLOCKS=m
-CONFIG_ASYNC_CORE=m
-CONFIG_ASYNC_MEMCPY=m
-CONFIG_ASYNC_XOR=m
-CONFIG_ASYNC_PQ=m
-CONFIG_ASYNC_RAID6_RECOV=m
-CONFIG_CRYPTO=y
-
-#
-# Crypto core or helper
-#
-CONFIG_CRYPTO_ALGAPI=y
-CONFIG_CRYPTO_ALGAPI2=y
-CONFIG_CRYPTO_AEAD=m
-CONFIG_CRYPTO_AEAD2=y
-CONFIG_CRYPTO_BLKCIPHER=m
-CONFIG_CRYPTO_BLKCIPHER2=y
-CONFIG_CRYPTO_HASH=y
-CONFIG_CRYPTO_HASH2=y
-CONFIG_CRYPTO_RNG=m
-CONFIG_CRYPTO_RNG2=y
-CONFIG_CRYPTO_RNG_DEFAULT=m
-CONFIG_CRYPTO_PCOMP=m
-CONFIG_CRYPTO_PCOMP2=y
-CONFIG_CRYPTO_AKCIPHER2=y
-CONFIG_CRYPTO_AKCIPHER=m
-# CONFIG_CRYPTO_RSA is not set
-CONFIG_CRYPTO_MANAGER=y
-CONFIG_CRYPTO_MANAGER2=y
-# CONFIG_CRYPTO_USER is not set
-# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
-CONFIG_CRYPTO_GF128MUL=m
-CONFIG_CRYPTO_NULL=m
-CONFIG_CRYPTO_NULL2=y
-CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_WORKQUEUE=y
-CONFIG_CRYPTO_CRYPTD=m
-# CONFIG_CRYPTO_MCRYPTD is not set
-CONFIG_CRYPTO_AUTHENC=m
-CONFIG_CRYPTO_TEST=m
-CONFIG_CRYPTO_ABLK_HELPER=m
-CONFIG_CRYPTO_GLUE_HELPER_X86=m
-
-#
-# Authenticated Encryption with Associated Data
-#
-CONFIG_CRYPTO_CCM=m
-CONFIG_CRYPTO_GCM=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
-CONFIG_CRYPTO_SEQIV=m
-CONFIG_CRYPTO_ECHAINIV=m
-
-#
-# Block modes
-#
-CONFIG_CRYPTO_CBC=m
-CONFIG_CRYPTO_CTR=m
-CONFIG_CRYPTO_CTS=m
-CONFIG_CRYPTO_ECB=m
-CONFIG_CRYPTO_LRW=m
-CONFIG_CRYPTO_PCBC=m
-CONFIG_CRYPTO_XTS=m
-# CONFIG_CRYPTO_KEYWRAP is not set
-
-#
-# Hash modes
-#
-CONFIG_CRYPTO_CMAC=m
-CONFIG_CRYPTO_HMAC=m
-CONFIG_CRYPTO_XCBC=m
-CONFIG_CRYPTO_VMAC=m
-
-#
-# Digest
-#
-CONFIG_CRYPTO_CRC32C=m
-CONFIG_CRYPTO_CRC32C_INTEL=m
-CONFIG_CRYPTO_CRC32=m
-CONFIG_CRYPTO_CRC32_PCLMUL=m
-CONFIG_CRYPTO_CRCT10DIF=y
-CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
-CONFIG_CRYPTO_GHASH=m
-CONFIG_CRYPTO_POLY1305=m
-CONFIG_CRYPTO_POLY1305_X86_64=m
-CONFIG_CRYPTO_MD4=m
-CONFIG_CRYPTO_MD5=y
-CONFIG_CRYPTO_MICHAEL_MIC=m
-CONFIG_CRYPTO_RMD128=m
-CONFIG_CRYPTO_RMD160=m
-CONFIG_CRYPTO_RMD256=m
-CONFIG_CRYPTO_RMD320=m
-CONFIG_CRYPTO_SHA1=y
-CONFIG_CRYPTO_SHA1_SSSE3=m
-CONFIG_CRYPTO_SHA256_SSSE3=m
-CONFIG_CRYPTO_SHA512_SSSE3=m
-# CONFIG_CRYPTO_SHA1_MB is not set
-CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=m
-CONFIG_CRYPTO_TGR192=m
-CONFIG_CRYPTO_WP512=m
-CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
-
-#
-# Ciphers
-#
-CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_X86_64=m
-CONFIG_CRYPTO_AES_NI_INTEL=m
-CONFIG_CRYPTO_ANUBIS=m
-CONFIG_CRYPTO_ARC4=m
-CONFIG_CRYPTO_BLOWFISH=m
-CONFIG_CRYPTO_BLOWFISH_COMMON=m
-CONFIG_CRYPTO_BLOWFISH_X86_64=m
-CONFIG_CRYPTO_CAMELLIA=m
-CONFIG_CRYPTO_CAMELLIA_X86_64=m
-CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
-CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
-CONFIG_CRYPTO_CAST_COMMON=m
-CONFIG_CRYPTO_CAST5=m
-CONFIG_CRYPTO_CAST5_AVX_X86_64=m
-CONFIG_CRYPTO_CAST6=m
-CONFIG_CRYPTO_CAST6_AVX_X86_64=m
-CONFIG_CRYPTO_DES=m
-CONFIG_CRYPTO_DES3_EDE_X86_64=m
-CONFIG_CRYPTO_FCRYPT=m
-CONFIG_CRYPTO_KHAZAD=m
-CONFIG_CRYPTO_SALSA20=m
-CONFIG_CRYPTO_SALSA20_X86_64=m
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20_X86_64=m
-CONFIG_CRYPTO_SEED=m
-CONFIG_CRYPTO_SERPENT=m
-CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
-CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
-CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
-CONFIG_CRYPTO_TEA=m
-CONFIG_CRYPTO_TWOFISH=m
-CONFIG_CRYPTO_TWOFISH_COMMON=m
-CONFIG_CRYPTO_TWOFISH_X86_64=m
-CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
-CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
-
-#
-# Compression
-#
-CONFIG_CRYPTO_DEFLATE=m
-CONFIG_CRYPTO_ZLIB=m
-CONFIG_CRYPTO_LZO=y
-# CONFIG_CRYPTO_842 is not set
-CONFIG_CRYPTO_LZ4=m
-CONFIG_CRYPTO_LZ4HC=m
-
-#
-# Random Number Generation
-#
-CONFIG_CRYPTO_ANSI_CPRNG=m
-CONFIG_CRYPTO_DRBG_MENU=m
-CONFIG_CRYPTO_DRBG_HMAC=y
-# CONFIG_CRYPTO_DRBG_HASH is not set
-# CONFIG_CRYPTO_DRBG_CTR is not set
-CONFIG_CRYPTO_DRBG=m
-CONFIG_CRYPTO_JITTERENTROPY=m
-CONFIG_CRYPTO_USER_API=m
-CONFIG_CRYPTO_USER_API_HASH=m
-CONFIG_CRYPTO_USER_API_SKCIPHER=m
-# CONFIG_CRYPTO_USER_API_RNG is not set
-CONFIG_CRYPTO_USER_API_AEAD=m
-CONFIG_CRYPTO_HW=y
-CONFIG_CRYPTO_DEV_PADLOCK=m
-CONFIG_CRYPTO_DEV_PADLOCK_AES=m
-CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
-CONFIG_CRYPTO_DEV_CCP=y
-CONFIG_CRYPTO_DEV_CCP_DD=m
-CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
-CONFIG_CRYPTO_DEV_QAT=m
-CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
-CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
-# CONFIG_ASYMMETRIC_KEY_TYPE is not set
-
-#
-# Certificates for signature checking
-#
-# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
-CONFIG_HAVE_KVM=y
-CONFIG_HAVE_KVM_IRQCHIP=y
-CONFIG_HAVE_KVM_IRQFD=y
-CONFIG_HAVE_KVM_IRQ_ROUTING=y
-CONFIG_HAVE_KVM_EVENTFD=y
-CONFIG_KVM_APIC_ARCHITECTURE=y
-CONFIG_KVM_MMIO=y
-CONFIG_KVM_ASYNC_PF=y
-CONFIG_HAVE_KVM_MSI=y
-CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y
-CONFIG_KVM_VFIO=y
-CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y
-CONFIG_KVM_COMPAT=y
-CONFIG_HAVE_KVM_IRQ_BYPASS=y
-CONFIG_VIRTUALIZATION=y
-CONFIG_KVM=m
-CONFIG_KVM_INTEL=m
-CONFIG_KVM_AMD=m
-CONFIG_KVM_DEVICE_ASSIGNMENT=y
-# CONFIG_BINARY_PRINTF is not set
-
-#
-# Library routines
-#
-CONFIG_RAID6_PQ=m
-CONFIG_BITREVERSE=y
-# CONFIG_HAVE_ARCH_BITREVERSE is not set
-CONFIG_RATIONAL=y
-CONFIG_GENERIC_STRNCPY_FROM_USER=y
-CONFIG_GENERIC_STRNLEN_USER=y
-CONFIG_GENERIC_NET_UTILS=y
-CONFIG_GENERIC_FIND_FIRST_BIT=y
-CONFIG_GENERIC_PCI_IOMAP=y
-CONFIG_GENERIC_IOMAP=y
-CONFIG_GENERIC_IO=y
-CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
-CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
-CONFIG_CRC_CCITT=m
-CONFIG_CRC16=m
-CONFIG_CRC_T10DIF=y
-CONFIG_CRC_ITU_T=m
-CONFIG_CRC32=y
-# CONFIG_CRC32_SELFTEST is not set
-CONFIG_CRC32_SLICEBY8=y
-# CONFIG_CRC32_SLICEBY4 is not set
-# CONFIG_CRC32_SARWATE is not set
-# CONFIG_CRC32_BIT is not set
-CONFIG_CRC7=m
-CONFIG_LIBCRC32C=m
-# CONFIG_CRC8 is not set
-# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
-# CONFIG_RANDOM32_SELFTEST is not set
-CONFIG_ZLIB_INFLATE=y
-CONFIG_ZLIB_DEFLATE=y
-CONFIG_LZO_COMPRESS=y
-CONFIG_LZO_DECOMPRESS=y
-CONFIG_LZ4_COMPRESS=m
-CONFIG_LZ4HC_COMPRESS=m
-CONFIG_LZ4_DECOMPRESS=y
-CONFIG_XZ_DEC=y
-CONFIG_XZ_DEC_X86=y
-# CONFIG_XZ_DEC_POWERPC is not set
-# CONFIG_XZ_DEC_IA64 is not set
-# CONFIG_XZ_DEC_ARM is not set
-# CONFIG_XZ_DEC_ARMTHUMB is not set
-# CONFIG_XZ_DEC_SPARC is not set
-CONFIG_XZ_DEC_BCJ=y
-# CONFIG_XZ_DEC_TEST is not set
-CONFIG_DECOMPRESS_GZIP=y
-CONFIG_DECOMPRESS_BZIP2=y
-CONFIG_DECOMPRESS_LZMA=y
-CONFIG_DECOMPRESS_XZ=y
-CONFIG_DECOMPRESS_LZO=y
-CONFIG_DECOMPRESS_LZ4=y
-CONFIG_GENERIC_ALLOCATOR=y
-CONFIG_REED_SOLOMON=m
-CONFIG_REED_SOLOMON_ENC8=y
-CONFIG_REED_SOLOMON_DEC8=y
-CONFIG_REED_SOLOMON_DEC16=y
-CONFIG_BCH=m
-CONFIG_TEXTSEARCH=y
-CONFIG_TEXTSEARCH_KMP=m
-CONFIG_TEXTSEARCH_BM=m
-CONFIG_TEXTSEARCH_FSM=m
-CONFIG_BTREE=y
-CONFIG_INTERVAL_TREE=y
-CONFIG_ASSOCIATIVE_ARRAY=y
-CONFIG_HAS_IOMEM=y
-CONFIG_HAS_IOPORT_MAP=y
-CONFIG_HAS_DMA=y
-CONFIG_CHECK_SIGNATURE=y
-CONFIG_CPU_RMAP=y
-CONFIG_DQL=y
-CONFIG_GLOB=y
-# CONFIG_GLOB_SELFTEST is not set
-CONFIG_NLATTR=y
-CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
-CONFIG_LRU_CACHE=m
-CONFIG_CORDIC=m
-# CONFIG_DDR is not set
-CONFIG_OID_REGISTRY=m
-CONFIG_UCS2_STRING=y
-CONFIG_FONT_SUPPORT=y
-# CONFIG_FONTS is not set
-CONFIG_FONT_8x8=y
-CONFIG_FONT_8x16=y
-# CONFIG_SG_SPLIT is not set
-CONFIG_ARCH_HAS_SG_CHAIN=y
-CONFIG_ARCH_HAS_PMEM_API=y
-CONFIG_ARCH_HAS_MMIO_FLUSH=y
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
index 5e9c1764d..8da9c452b 100644
--- a/src/tools/extract_caps.c
+++ b/src/tools/extract_caps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -17,6 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/src/tools/extract_errnos.sh b/src/tools/extract_errnos.sh
index 43b225828..34c416b04 100644
--- a/src/tools/extract_errnos.sh
+++ b/src/tools/extract_errnos.sh
@@ -1,3 +1,8 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
 echo -e "#include <errno.h>\n#include <attr/xattr.h>" | \
     cpp -dD | \
     grep "^#define E" | \
diff --git a/src/tools/extract_seccomp.c b/src/tools/extract_seccomp.c
new file mode 100644
index 000000000..b5f92d2df
--- /dev/null
+++ b/src/tools/extract_seccomp.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <linux/filter.h>
+
+#define MAXBUF 1024
+#define errExit(msg)  { char msgout[256]; \
+                        snprintf(msgout, 256, "Error %d: %s", __LINE__, (msg)); \
+                        perror(msgout); \
+                        exit(1); }
+
+// dump all seccomp filters of a process
+// for further analysis with fsec-print
+// requires kernel 4.4 or higher
+
+void dump_filter(const char *dname, unsigned cnt, const struct sock_filter *f, size_t nmemb) {
+        char fname[MAXBUF];
+        snprintf(fname, MAXBUF, "%s/%u", dname, cnt);
+        printf("Writing file %s\n", fname);
+        FILE *fp = fopen(fname, "w");
+        if (!fp) {
+                printf("Error: Cannot open %s for writing: %s\n", fname, strerror(errno));
+                exit(1);
+        }
+        if (fwrite(f, sizeof(struct sock_filter), nmemb, fp) != nmemb) {
+                printf("Error: Cannot write %s\n", fname);
+                exit(1);
+        }
+        fclose(fp);
+}
+
+int main(int argc, char **argv) {
+        if (argc != 2)
+                goto usage;
+        pid_t pid = (pid_t) strtol(argv[1], NULL, 10);
+        if (pid <= 0)
+                goto usage;
+
+        printf("** Attaching to process with pid %d **\n", pid);
+        long rv = ptrace(PTRACE_ATTACH, pid, 0, 0);
+        if (rv != 0) {
+                printf("Error: Cannot attach: %s\n", strerror(errno));
+                exit(1);
+        }
+        waitpid(pid, NULL, 0);
+        printf("Attached\n");
+
+        char dname[MAXBUF];
+        snprintf(dname, MAXBUF, "/tmp/seccomp-%d", pid);
+        printf("** Creating directory %s **\n", dname);
+        if (mkdir(dname, 0755) < 0) {
+                printf("Error: Cannot create directory: %s\n", strerror(errno));
+                exit(1);
+        }
+        printf("Created\n");
+
+        printf("** Extracting seccomp filters **\n");
+        unsigned cnt = 0;
+        while ((rv = ptrace(PTRACE_SECCOMP_GET_FILTER, pid, cnt, NULL)) > 0) {
+                struct sock_filter *f = malloc(rv * sizeof(struct sock_filter));
+                if (!f)
+                        errExit("malloc");
+                if (ptrace(PTRACE_SECCOMP_GET_FILTER, pid, cnt, f) < 0)
+                        errExit("ptrace");
+
+                dump_filter(dname, cnt, f, rv);
+                free(f);
+                cnt++;
+        }
+
+        if (cnt)
+                printf("Dumped %u filters\n", cnt);
+        else {
+                printf("No seccomp filter was found\n");
+                printf("** Cleanup **\n");
+                if (remove(dname) == 0)
+                        printf("Removed %s\n", dname);
+                else
+                        printf("Could not remove %s: %s\n", dname, strerror(errno));
+        }
+
+        printf("Bye ...\n");
+        return 0;
+
+usage:
+        printf("Usage: %s <PID>\n", argv[0]);
+        return 1;
+}
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c
index 18c1814e6..9159b6576 100644
--- a/src/tools/extract_syscalls.c
+++ b/src/tools/extract_syscalls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
diff --git a/src/tools/grsec.conf b/src/tools/grsec.conf
deleted file mode 100644
index 177e4d59b..000000000
--- a/src/tools/grsec.conf
+++ /dev/null
@@ -1,98 +0,0 @@
-## Address Space Protection
-# Disable privileged io: iopl(2) and ioperm(2)
-# Warning: Xorg without modesetting needs it to be 0
-kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-kernel.grsecurity.deny_new_usb = 0
-kernel.grsecurity.harden_ipc = 1
-
-## Filesystem Protections
-# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
-# folders)
-kernel.grsecurity.linking_restrictions = 1
-# Prevent writing to fifo not owned in world-writable +t folders
-kernel.grsecurity.fifo_restrictions = 1
-
-# Chroot restrictions
-kernel.grsecurity.chroot_deny_bad_rename = 1
-kernel.grsecurity.chroot_deny_mount = 1
-kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_deny_chmod = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-kernel.grsecurity.chroot_deny_mknod = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_findtask = 1
-kernel.grsecurity.chroot_restrict_nice = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_caps = 1
-
-## Kernel Auditing
-kernel.grsecurity.exec_logging = 1
-kernel.grsecurity.audit_chdir = 1
-# By default exec_logging and audit_chdir only target members of audit_gid, you
-# can change that by setting audit_group to 0
-kernel.grsecurity.audit_group = 1
-# You can also override audit_gid to use another group
-kernel.grsecurity.audit_gid = 0
-kernel.grsecurity.resource_logging = 1
-kernel.grsecurity.chroot_execlog = 1
-kernel.grsecurity.audit_ptrace = 1
-kernel.grsecurity.audit_mount = 1
-kernel.grsecurity.signal_logging = 1
-kernel.grsecurity.forkfail_logging = 1
-kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-## Executable Protections
-kernel.grsecurity.dmesg = 1
-kernel.grsecurity.consistent_setxid = 1
-# Trusted execution
-# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
-# from untrusted directories
-kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_invert = 1
-kernel.grsecurity.tpe_restrict_all = 1
-kernel.grsecurity.tpe_gid = 64040
-
-## Kernel-enforce SymlinkIfOwnerMatch
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-## Network Protections
-kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-# Socket restrictions
-# If the setting is enabled and an user is added to relevant group, she won't
-# be able to open this kind of socket
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 64041
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 64042
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 64043
-
-# Ptrace
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-
-# Protect mounts
-# don't try to set it to 0, it'll fail, just let it commented
-# kernel.grsecurity.romount_protect = 1
-
-# PAX
-kernel.pax.softmode = 0
-
-# Disable module loading
-# This is not a grsecurity anymore, but you might still want to disable module
-# loading so no code is inserted into the kernel
-# kernel.modules_disabled=1
-
-# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
-# grsec sysctl on a running system
-kernel.grsecurity.grsec_lock = 1
-
-# vim: filetype=conf:
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh
index d4a68e397..86d798a11 100755
--- a/src/tools/mkcoverit.sh
+++ b/src/tools/mkcoverit.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 # unpack firejail archive
 ARCFIREJAIL=`ls *.tar.xz| grep firejail`
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
new file mode 100644
index 000000000..93bb3f73d
--- /dev/null
+++ b/src/tools/profcleaner.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+//*************************************************************
+// Small utility program to convert profiles from blacklist/whitelist to deny/allow
+// Compile:
+//       gcc -o profcleaner profcleaner.c
+// Usage:
+//       profcleaner *.profile
+//*************************************************************
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#define MAXBUF 4096
+
+int main(int argc, char **argv) {
+        printf("Usage: profcleaner files\n");
+        int i;
+
+        for (i = 1; i < argc; i++) {
+                FILE *fp = fopen(argv[i], "r");
+                if (!fp) {
+                        fprintf(stderr, "Error: cannot open %s\n", argv[i]);
+                        return 1;
+                }
+
+                FILE *fpout = fopen("profcleaner-tmp", "w");
+                if (!fpout) {
+                        fprintf(stderr, "Error: cannot open output file\n");
+                        return 1;
+                }
+
+                char buf[MAXBUF];
+                while (fgets(buf, MAXBUF, fp)) {
+                        if (strncmp(buf, "blacklist-nolog", 15) == 0)
+                                fprintf(fpout, "deny-nolog %s", buf + 15);
+                        else if (strncmp(buf, "blacklist", 9) == 0)
+                                fprintf(fpout, "deny %s", buf + 9);
+                        else if (strncmp(buf, "noblacklist", 11) == 0)
+                                fprintf(fpout, "nodeny %s", buf + 11);
+                        else if (strncmp(buf, "whitelist", 9) == 0)
+                                fprintf(fpout, "allow %s", buf + 9);
+                        else if (strncmp(buf, "nowhitelist", 11) == 0)
+                                fprintf(fpout, "noallow %s", buf + 11);
+                        else
+                                fprintf(fpout, "%s", buf);
+                }
+
+                fclose(fp);
+                fclose(fpout);
+                unlink(argv[i]);
+                rename("profcleaner-tmp", argv[i]);
+        }
+
+        return 0;
+}
\ No newline at end of file
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh
new file mode 100755
index 000000000..96402aed6
--- /dev/null
+++ b/src/tools/profcleaner.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright (C) 2021 Firejail Authors
+#
+# This file is part of firejail project
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+if [[ $1 == --help ]]; then
+        cat <<-EOM
+        USAGE:
+          profcleaner.sh --help        Show this help message and exit
+          profcleaner.sh --system      Clean all profiles in /etc/firejail
+          profcleaner.sh --user        Clean all profiles in ~/.config/firejail
+          profcleaner.sh /path/to/profile1 /path/to/profile2 ...
+        EOM
+        exit 0
+fi
+
+if [[ $1 == --system ]]; then
+        profiles=(/etc/firejail/*.{inc,local,profile})
+elif [[ $1 == --user ]]; then
+        profiles=("$HOME"/.config/firejail/*.{inc,local,profile})
+else
+        profiles=("$@")
+fi
+
+sed -i -E \
+        -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \
+        -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \
+        -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \
+        -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \
+        "${profiles[@]}"
diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c
deleted file mode 100644
index f2f114ea7..000000000
--- a/src/tools/rvtest.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Copyright (C) 2014-2017 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-// run it as "rvtest 2>/dev/null | grep TESTING"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <signal.h>
-
-#define MAXBUF 1024     // line buffer
-#define TIMEOUT 30      // timeout time in seconds
-
-static pid_t pid;
-static void catch_alarm(int sig) {
-        kill(pid, SIGTERM);
-        sleep(1);
-        kill(pid, SIGKILL);
-        printf("TESTING ERROR: SIGALARM triggered\n");
-        exit(1);
-}
-
-static void usage(void) {
-        printf("Usage: rvtest testfile\n");
-        printf("\n");
-        printf("Testfile format:\n");
-        printf("\tretval command\n");
-        printf("\n");
-        printf("Testfile example:\n");
-        printf("\n");
-        printf("0 firejail --net=none exit\n");
-        printf("1 firejail --private=/etc sleep 1\n");
-        printf("1 firejail --blablabla\n");
-}
-
-int main(int argc, char **argv) {
-        if (argc != 2) {
-                fprintf(stderr, "Error: test file missing\n");
-                usage();
-                return 1;
-        }
-
-        signal (SIGALRM, catch_alarm);
-
-        // open test file
-        char *fname = argv[1];
-        FILE *fp = fopen(fname, "r");
-
-        // read test file
-        char buf[MAXBUF];
-        int line = 0;
-        while (fgets(buf, MAXBUF, fp)) {
-                line++;
-                // skip blanks
-                char *start = buf;
-                while (*start == ' ' || *start == '\t')
-                        start++;
-                // remove '\n'
-                char *ptr = strchr(start, '\n');
-                if (ptr)
-                        *ptr ='\0';
-                if (*start == '\0')
-                        continue;
-
-                // skip comments
-                if (*start == '#')
-                        continue;
-                ptr = strchr(start, '#');
-                if (ptr)
-                        *ptr = '\0';
-
-                // extract exit status
-                int status;
-                int rv = sscanf(start, "%d\n", &status);
-                if (rv != 1) {
-                        fprintf(stderr, "Error: invalid line %d in %s\n", line, fname);
-                        exit(1);
-                }
-
-                // extract command
-                char *cmd = strchr(start, ' ');
-                if (!cmd) {
-                        fprintf(stderr, "Error: invalid line %d in %s\n", line, fname);
-                        exit(1);
-                }
-
-                // execute command
-                printf("TESTING %s\n", cmd);
-                fflush(0);
-                pid = fork();
-                if (pid == -1) {
-                        perror("fork");
-                        exit(1);
-                }
-
-                // child
-                if (pid == 0) {
-                        char *earg[50];
-                        earg[0] = "/bin/bash";
-                        earg[1] = "-c";
-                        earg[2] = cmd;
-                        earg[3] = NULL;
-                        execvp(earg[0], earg);
-                }
-                // parent
-                else {
-                        int exit_status;
-
-                        alarm(TIMEOUT);
-                        pid = waitpid(pid, &exit_status, 0);
-                        if (pid == -1) {
-                                perror("waitpid");
-                                exit(1);
-                        }
-
-                        if (WEXITSTATUS(exit_status) != status)
-                                printf("ERROR TESTING: %s\n", cmd);
-                }
-
-                fflush(0);
-        }
-        fclose(fp);
-
-        return 0;
-}
diff --git a/src/faudit/faudit.h b/src/tools/testuid.c
index 16a13d0ff..a18d57d5e 100644
--- a/src/faudit/faudit.h
+++ b/src/tools/testuid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Firejail Authors
+ * Copyright (C) 2014-2021 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,51 +18,32 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifndef FAUDIT_H
-#define FAUDIT_H
-#define _GNU_SOURCE
+// compile: gcc -o testuid testuid.c
+
 #include <stdio.h>
 #include <stdlib.h>
-#include <stdint.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/mount.h>
-#include <assert.h>
-
-#define errExit(msg)    do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
-
-// main.c
-extern char *prog;
-
-// pid.c
-void pid_test(void);
-
-// caps.c
-void caps_test(void);
-
-// seccomp.c
-void seccomp_test(void);
-
-// syscall.c
-void syscall_helper(int argc, char **argv);
-void syscall_run(const char *name);
-
-// files.c
-void files_test(void);
 
-// network.c
-void network_test(void);
 
-// dbus.c
-int check_unix(const char *sockfile);
-void dbus_test(void);
+static void print_status(void) {
+        FILE *fp = fopen("/proc/self/status", "r");
+        if (!fp) {
+                fprintf(stderr, "Error, cannot open status file\n");
+                exit(1);
+        }
 
-// dev.c
-void dev_test(void);
+        char buf[4096];
+        while (fgets(buf, 4096, fp)) {
+                if (strncmp(buf, "Uid", 3) == 0 || strncmp(buf, "Gid", 3) == 0)
+                        printf("%s", buf);
+        }
 
-// x11.c
-void x11_test(void);
+        fclose(fp);
+}
 
-#endif
+int main(void) {
+        print_status();
+        return 0;
+}
diff --git a/src/tools/ttytest.c b/src/tools/ttytest.c
index a449bf9ba..0f72753bc 100644
--- a/src/tools/ttytest.c
+++ b/src/tools/ttytest.c
@@ -1,3 +1,23 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
 #define _XOPEN_SOURCE 600
 #include <stdlib.h>
 #include <stdio.h>
diff --git a/src/tools/unixsocket.c b/src/tools/unixsocket.c
index c4302eed3..c4ecabca7 100644
--- a/src/tools/unixsocket.c
+++ b/src/tools/unixsocket.c
@@ -1,3 +1,23 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/socket.h>
diff --git a/src/zsh_completion/Makefile.in b/src/zsh_completion/Makefile.in
new file mode 100644
index 000000000..a83cccf6c
--- /dev/null
+++ b/src/zsh_completion/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: _firejail
+
+include ../common.mk
+
+_firejail: _firejail.in
+        gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp
+        sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@
+        rm $@.tmp
+
+.PHONY: clean
+clean:
+        rm -fr _firejail
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
new file mode 100644
index 000000000..c7f6ee3f1
--- /dev/null
+++ b/src/zsh_completion/_firejail.in
@@ -0,0 +1,286 @@
+#compdef firejail
+
+# Documentation: man 1 zshcompsys
+# HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org
+
+_all_firejails() {
+    local -a _all_firejails_list
+    for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do
+        _all_firejails_list+=${jail%% *}
+    done
+    _describe 'firejails list' _all_firejails_list
+}
+
+_all_cpus() {
+    _cpu_count=$(getconf _NPROCESSORS_ONLN)
+    for i in {0..$((_cpu_count-1))} ; do
+        print $i
+    done
+}
+
+_profiles() {
+    print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;"
+}
+_profiles_with_ext() {
+    print $1/*.profile
+}
+
+_all_profiles() {
+    _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .)
+}
+
+_session_bus_names() {
+    _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1)
+    # Alternatives to hack on for non-systemd systems:
+    #  dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames
+    #  ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service
+}
+
+_system_bus_names() {
+    _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1)
+}
+
+_caps() {
+    _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')
+}
+
+_firejail_args=(
+    '*::arguments:_normal'
+
+    '--appimage[sandbox an AppImage application]'
+    '--build[build a profile for the application and print it on stdout]'
+    '--build=-[build a profile for the application and save it]: :_files'
+    # Ignore that you can do -? too as it's the only short option
+    '--help[this help screen]'
+    '--join=-[join the sandbox name|pid]: :_all_firejails'
+    '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails'
+    '--list[list all sandboxes]'
+    '(--profile)--noprofile[do not use a security profile]'
+    '(--noprofile)--profile=-[use a custom profile]: :_all_profiles'
+    '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails'
+    '--top[monitor the most CPU-intensive sandboxes]'
+    '--tree[print a tree of all sandboxed processes]'
+    '--version[print program version and exit]'
+
+    '--ids-check[verify file system]'
+    '--ids-init[initialize IDS database]'
+
+    '--debug[print sandbox debug messages]'
+    '--debug-allow[debug file system access]'
+    '--debug-caps[print all recognized capabilities]'
+    '--debug-deny[debug file system access]'
+    '--debug-errnos[print all recognized error numbers]'
+    '--debug-private-lib[debug for --private-lib option]'
+    '--debug-protocols[print all recognized protocols]'
+    '--debug-syscalls[print all recognized system calls]'
+    '--debug-syscalls32[print all recognized 32 bit system calls]'
+
+    '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
+    '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
+    '--fs.print=-[print the filesystem log name|pid]: :_all_firejails'
+    '--profile.print=-[print the name of profile file name|pid]: :_all_firejails'
+    '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails'
+    '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails'
+
+    '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
+    '--allusers[all user home directories are visible inside the sandbox]'
+    # Should be _files, a comma and files or files -/
+    '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+    '--caps[enable default Linux capabilities filter]'
+    '--caps.drop=all[drop all capabilities]'
+    '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
+    '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
+    '--cgroup=-[place the sandbox in the specified control group]: :'
+    '--cpu=-[set cpu affinity]: :->cpus'
+    '*--deny=-[deny access to directory or file]: :_files'
+    "--deterministic-exit-code[always exit with first child's status code]"
+    '*--dns=-[set DNS server]: :'
+    '*--env=-[set environment variable]: :'
+    '--hostname=-[set sandbox hostname]: :'
+    '--hosts-file=-[use file as /etc/hosts]: :_files'
+    '*--ignore=-[ignore command in profile files]: :'
+    '--ipc-namespace[enable a new IPC namespace]'
+    '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-config-pulse[disable automatic ~/.config/pulse init]'
+    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+    '--keep-var-tmp[/var/tmp directory is untouched]'
+    '--machine-id[preserve /etc/machine-id]'
+    '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
+    '*--mkdir=-[create a directory]:'
+    '*--mkfile=-[create a file]:'
+    '--name=-[set sandbox name]: :'
+    '--net=none[enable a new, unconnected network namespace]'
+    # Sample values as I don't think
+    # many would enjoy getting a list from -20..20
+    '--nice=-[set nice value]: :(1 10 15 20)'
+    '--no3d[disable 3D hardware acceleration]'
+    '--noautopulse[disable automatic ~/.config/pulse init]'
+    '--nodeny=-[disable deny command for file or directory]: :_files'
+    '--nodbus[disable D-Bus access]'
+    '--nodvd[disable DVD and audio CD devices]'
+    '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
+    '--nogroups[disable supplementary groups]'
+    '--noinput[disable input devices]'
+    '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+    '--nosound[disable sound system]'
+    '--nou2f[disable U2F devices]'
+    '--novideo[disable video devices]'
+    '--private[temporary home directory]'
+    '--private=-[use directory as user home]: :_files -/'
+    '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin'
+    '--private-cwd[do not inherit working directory inside jail]'
+    '--private-cwd=-[set working directory inside jail]: :_files -/'
+    '--private-dev[create a new /dev directory with a small number of common device files]'
+    '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc'
+    '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt'
+    '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv'
+    '--private-tmp[mount a tmpfs on top of /tmp directory]'
+    '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth'
+    "--quiet[turn off Firejail's output.]"
+    '*--read-only=-[set directory or file read-only]: :_files'
+    '*--read-write=-[set directory or file read-write]: :_files'
+    "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :"
+    '--rlimit-cpu=-[set the maximum CPU time in seconds]: :'
+    '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :'
+    '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :'
+    '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
+    '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
+    '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
+    '--seccomp[enable seccomp filter and drop the default syscalls]: :'
+    '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
+    '--seccomp.block-secondary[build only the native architecture filters]'
+    '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+    # FIXME: Add errnos
+    '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
+    '--shell=none[run the program directly without a user shell]'
+    '--shell=-[set default user shell]: :_values $(cat /etc/shells)'
+    '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
+    #'(--tracelog)--trace[trace open, access and connect system calls]'
+    '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
+    '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]'
+    '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
+    '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
+    '--writable-var[/var directory is mounted read-write]'
+    '--writable-var-log[use the real /var/log directory, not a clone]'
+
+#ifdef HAVE_APPARMOR
+    '--apparmor[enable AppArmor confinement]'
+    '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
+#endif
+
+#ifdef HAVE_CHROOT
+    '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/'
+#endif
+
+#ifdef HAVE_DBUSPROXY
+    # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}.
+    # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl
+    '--dbus-log=-[set DBus log file location]: :_files'
+    '--dbus-system=-[set system DBus access policy]: :(filter none)'
+    '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names'
+    '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names'
+    '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names'
+    '--dbus-user=-[set session DBus access policy or none]: :(filter none)'
+    '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names'
+    '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names'
+    '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names'
+#endif
+
+#ifdef HAVE_FILE_TRANSFER
+    '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails'
+    '--get=-[get a file from sandbox container name|pid]: :_all_firejails'
+    # --put=name|pid src-filename dest-filename - put a file in sandbox container.
+    '--put=-[put a file in sandbox container]: :'
+    '--ls=-[list files in sandbox container name|pid]: :_all_firejails'
+#endif
+
+#ifdef HAVE_FIRETUNNEL
+    '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :'
+#endif
+
+#ifdef HAVE_NETWORK
+    '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails'
+    '--defaultgw=[configure default gateway]: :'
+    '--dns.print=-[print DNS configuration name|pid]: :_all_firejails'
+    '--join-network=-[join the network namespace name|pid]: :_all_firejails'
+    '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)'
+    '--mtu=-[set interface MTU]: :'
+    '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none'
+    '--net.print=-[print network interface configuration name|pid]: :_all_firejails'
+    '--netfilter=-[enable firewall]: :'
+    '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
+    '--netfilter6=-[enable IPv6 firewall]: :'
+    '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
+    '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :'
+    '--netns=-[Run the program in a named, persistent network namespace]: :'
+    '--netstats[monitor network statistics]'
+    '--interface=-[move interface in sandbox]: :'
+    '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)'
+    '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)'
+    '--iprange=-[configure an IP address in this range]: :'
+    '--scan[ARP-scan all the networks from inside a network namespace]'
+    '--veth-name=-[use this name for the interface connected to the bridge]: :'
+#endif
+
+#ifdef HAVE_OUTPUT
+    '--output=-[stdout logging and log rotation]: :_files'
+    '--output-stderr=-[stdout and stderr logging and log rotation]: :_files'
+#endif
+
+#ifdef HAVE_OVERLAYFS
+    '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]'
+    '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]'
+    '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/'
+    '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]'
+#endif
+
+#ifdef HAVE_PRIVATE_HOME
+    '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files'
+#endif
+
+#ifdef HAVE_USERNS
+    '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]'
+#endif
+
+#ifdef HAVE_USERTMPFS
+    '--private-cache[temporary ~/.cache directory]'
+    '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
+#endif
+
+    '*--noallow=-[disable allow command for file or directory]: :_files'
+    '*--allow=-[allow file system access]: :_files'
+
+#ifdef HAVE_X11
+    '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
+    '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)'
+    '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)'
+#endif
+)
+
+
+_firejail() {
+    _arguments -S $_firejail_args
+    case "$state" in
+        cpus)
+            _values -s "," 'cpus' $(_all_cpus)
+            ;;
+        net_or_none)
+            local netdevs=($(ip link | awk '{print $2}' | grep '^.*:$' | tr -d ':'))
+            local net_and_none=(none $netdevs)
+            _values 'net' $net_and_none
+            ;;
+        seccomp)
+            # TODO: syscall groups
+            _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2)
+            ;;
+    esac
+}
+
+# vim: ft=zsh sw=4 ts=4 et sts=4 ai
diff --git a/test/Makefile.in b/test/Makefile.in
new file mode 100644
index 000000000..264314a3b
--- /dev/null
+++ b/test/Makefile.in
@@ -0,0 +1,14 @@
+TESTS=$(patsubst %/,%,$(wildcard */))
+
+.PHONY: $(TESTS)
+$(TESTS):
+        cd $@ && ./$@.sh 2>&1 | tee $@.log
+        cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
+
+.PHONY: clean
+clean:
+        for test in $(TESTS); do rm -f "$$test/$$test.log"; done
+
+.PHONY: distclean
+distclean: clean
+        rm -f Makefile
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index a2cc9285e..eecb9bf82 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -56,7 +56,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "appimage Leafpad"
@@ -95,8 +95,8 @@ send -- "firejail --shutdown=appimage-test\r"
 
 set spawn_id $appimage_id
 expect {
-        timeout {puts "TESTING ERROR 15\n";exit}
-        "AppImage unmounted"
+        timeout {puts "shutdown\n";exit}
+        "AppImage detached"
 }
 
 after 100
diff --git a/test/tty.exp b/test/appimage/appimage-trace.exp
index 0d66f5ce7..2f67eb531 100755
--- a/test/tty.exp
+++ b/test/appimage/appimage-trace.exp
@@ -1,96 +1,68 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
+set appimage_id $spawn_id
 
-send -- "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 2
-send -- "xterm &\r"
-sleep 2
-send -- "urxvt &\r"
-sleep 2
-send -- "rxvt &\r"
-sleep 2
-
-send -- "ps aux\r"
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "USER"
+        "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "xterm"
+        "leafpad:socket"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "urxvt"
+        "leafpad:connect"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "rxvt"
+        "X11-unix/X0"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "ps aux"
+        "Parent is shutting down, bye"
 }
-
-send -- "pkill xterm\r"
-sleep 1
-send -- "pkill urxvt\r"
-sleep 1
-send -- "pkill rxvt\r"
-sleep 1
-send -- "exit\r"
-sleep 2
-
-
-send -- "firejail --private-dev\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        timeout {puts "shutdown\n"}
+        "AppImage detached"
 }
-sleep 2
-send -- "xterm &\r"
-sleep 2
-send -- "urxvt &\r"
-sleep 2
-send -- "rxvt &\r"
-sleep 2
+sleep 1
 
-send -- "ps aux\r"
+send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "USER"
+        "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "xterm"
+        "leafpad:socket"
 }
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "urxvt"
+        "leafpad:connect"
 }
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
-        "rxvt"
+        "X11-unix/X0"
 }
 expect {
         timeout {puts "TESTING ERROR 15\n";exit}
-        "ps aux"
+        "Parent is shutting down, bye"
+}
+expect {
+        timeout {puts "shutdown\n"}
+        "AppImage detached"
 }
-
-send -- "pkill xterm\r"
-sleep 1
-send -- "pkill urxvt\r"
-sleep 1
-send -- "pkill rxvt\r"
 sleep 1
-send -- "exit\r"
-sleep 2
 
-puts "\n"
+
+after 100
+
+puts "\nall done\n"
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 86a968125..b8b6e0c96 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -44,7 +44,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "appimage Leafpad"
@@ -83,8 +83,8 @@ send -- "firejail --shutdown=appimage-test\r"
 
 set spawn_id $appimage_id
 expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "AppImage unmounted"
+        timeout {puts "shutdown\n"}
+        "AppImage detached"
 }
 
 after 100
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index f89ac008c..243824f75 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -82,8 +82,8 @@ spawn $env(SHELL)
 send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "AppImage unmounted"
+        timeout {puts "shutdown\n"}
+        "AppImage detached"
 }
 
 after 100
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index 4221944e2..e766b1acd 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -1,10 +1,11 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)"
 ./appimage-v1.exp
@@ -17,3 +18,6 @@ echo "TESTING: AppImage file name (test/appimage/filename.exp)";
 
 echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
 ./appimage-args.exp
+
+echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)"
+./appimage-trace.exp
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp
index ebf2125f0..54d8d722d 100755
--- a/test/appimage/filename.exp
+++ b/test/appimage/filename.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -17,7 +17,7 @@ after 100
 send -- "firejail --appimage /etc/shadow\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "cannot access"
+        "cannot read"
 }
 after 100
 
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
index 6f051b28d..7f37914aa 100755
--- a/test/apps-x11-xorg/apps-x11-xorg.sh
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -1,12 +1,13 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
-which firefox
+which firefox 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: firefox x11 xorg"
@@ -15,7 +16,7 @@ else
         echo "TESTING SKIP: firefox not found"
 fi
 
-which transmission-gtk
+which transmission-gtk 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: transmission-gtk x11 xorg"
@@ -24,7 +25,16 @@ else
         echo "TESTING SKIP: transmission-gtk not found"
 fi
 
-which thunderbird
+which transmission-qt 2>/dev/null
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-qt x11 xorg"
+        ./transmission-qt.exp
+else
+        echo "TESTING SKIP: transmission-qt not found"
+fi
+
+which thunderbird 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: thunderbird x11 xorg"
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
index a0e8284d3..12fcc13ce 100755
--- a/test/apps-x11-xorg/firefox.exp
+++ b/test/apps-x11-xorg/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -41,7 +41,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -61,7 +61,7 @@ expect {
         "name=blablabla"
 }
 sleep 1
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         " firefox" {puts "firefox detected\n";}
diff --git a/test/apps-x11-xorg/thunderbird.exp b/test/apps-x11-xorg/thunderbird.exp
index 42220b52e..5c810c517 100755
--- a/test/apps-x11-xorg/thunderbird.exp
+++ b/test/apps-x11-xorg/thunderbird.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -38,7 +38,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -57,7 +57,7 @@ expect {
         "name=blablabla"
 }
 sleep 2
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         ":firejail"
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
index aec4c46ad..e0f519c00 100755
--- a/test/apps-x11-xorg/transmission-gtk.exp
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -38,7 +38,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -57,7 +57,7 @@ expect {
         "name=blablabla"
 }
 sleep 1
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         ":firejail"
diff --git a/test/apps-x11-xorg/transmission-qt.exp b/test/apps-x11-xorg/transmission-qt.exp
new file mode 100755
index 000000000..02a015968
--- /dev/null
+++ b/test/apps-x11-xorg/transmission-qt.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-qt\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "transmission-qt"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp --wrap\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "transmission-qt"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps --wrap\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "transmission-qt"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
index 1e98b74fd..9954cb736 100755
--- a/test/apps-x11/apps-x11.sh
+++ b/test/apps-x11/apps-x11.sh
@@ -1,29 +1,30 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 echo "TESTING: no x11 (test/apps-x11/x11-none.exp)"
 ./x11-none.exp
 
 
-which xterm
+which xterm 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: xterm x11 xorg"
         ./xterm-xorg.exp
 
-        which xpra
+        which xpra 2>/dev/null
         if [ "$?" -eq 0 ];
         then
         echo "TESTING: xterm x11 xpra"
         ./xterm-xpra.exp
         fi
 
-        which Xephyr
+        which Xephyr 2>/dev/null
         if [ "$?" -eq 0 ];
         then
         echo "TESTING: xterm x11 xephyr"
@@ -34,13 +35,13 @@ else
 fi
 
 # check xpra/xephyr
-which xpra
+which xpra 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "xpra found"
 else
         echo "xpra not found"
-        which Xephyr
+        which Xephyr 2>/dev/null
         if [ "$?" -eq 0 ];
         then
                 echo "Xephyr found"
@@ -50,7 +51,7 @@ else
         fi
 fi
 
-which firefox
+which firefox 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: firefox x11"
@@ -59,7 +60,7 @@ else
         echo "TESTING SKIP: firefox not found"
 fi
 
-which chromium
+which chromium 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: chromium x11"
@@ -68,7 +69,7 @@ else
         echo "TESTING SKIP: chromium not found"
 fi
 
-which transmission-gtk
+which transmission-gtk 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: transmission-gtk x11"
@@ -77,7 +78,7 @@ else
         echo "TESTING SKIP: transmission-gtk not found"
 fi
 
-which thunderbird
+which thunderbird 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: thunderbird x11"
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp
index a7eace125..92739048c 100755
--- a/test/apps-x11/chromium.exp
+++ b/test/apps-x11/chromium.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp
index c77d120a8..69efc79d9 100755
--- a/test/apps-x11/firefox.exp
+++ b/test/apps-x11/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/thunderbird.exp b/test/apps-x11/thunderbird.exp
index 604a6a0d3..7cfc957b7 100755
--- a/test/apps-x11/thunderbird.exp
+++ b/test/apps-x11/thunderbird.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp
index 8403b7a9f..53e396a9e 100755
--- a/test/apps-x11/transmission-gtk.exp
+++ b/test/apps-x11/transmission-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp
index e811533f9..b45751aa7 100755
--- a/test/apps-x11/x11-none.exp
+++ b/test/apps-x11/x11-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp
index 3f032ae4a..3da0e1a46 100755
--- a/test/apps-x11/x11-xephyr.exp
+++ b/test/apps-x11/x11-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp
index b1ee9e5b4..5edbadad9 100755
--- a/test/apps-x11/xterm-xephyr.exp
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp
index 76c6891ea..a2a027729 100755
--- a/test/apps-x11/xterm-xorg.exp
+++ b/test/apps-x11/xterm-xorg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
index 6425412c9..0f1458d15 100755
--- a/test/apps-x11/xterm-xpra.exp
+++ b/test/apps-x11/xterm-xpra.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index 86b7f636e..c332fe416 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -1,179 +1,22 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-
-which firefox
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: firefox"
-        ./firefox.exp
-else
-        echo "TESTING SKIP: firefox not found"
-fi
-
-which midori
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: midori"
-        ./midori.exp
-else
-        echo "TESTING SKIP: midori not found"
-fi
-
-which chromium
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: chromium"
-        ./chromium.exp
-else
-        echo "TESTING SKIP: chromium not found"
-fi
-
-which opera
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: opera"
-        ./opera.exp
-else
-        echo "TESTING SKIP: opera not found"
-fi
-
-which transmission-gtk
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: transmission-gtk"
-        ./transmission-gtk.exp
-else
-        echo "TESTING SKIP: transmission-gtk not found"
-fi
-
-which transmission-qt
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: transmission-qt"
-        ./transmission-qt.exp
-else
-        echo "TESTING SKIP: transmission-qt not found"
-fi
-
-which qbittorrent
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: qbittorrent"
-        ./qbittorrent.exp
-else
-        echo "TESTING SKIP: qbittorrent not found"
-fi
-
-which uget-gtk
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: uget"
-        ./uget-gtk.exp
-else
-        echo "TESTING SKIP: uget-gtk not found"
-fi
-
-which filezilla
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: filezilla"
-        ./filezilla.exp
-else
-        echo "TESTING SKIP: filezilla not found"
-fi
-
-which evince
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: evince"
-        ./evince.exp
-else
-        echo "TESTING SKIP: evince not found"
-fi
-
-
-which gthumb
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: gthumb"
-        ./gthumb.exp
-else
-        echo "TESTING SKIP: gthumb not found"
-fi
-
-which thunderbird
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: thunderbird"
-        ./thunderbird.exp
-else
-        echo "TESTING SKIP: thunderbird not found"
-fi
-
-which vlc
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: vlc"
-        ./vlc.exp
-else
-        echo "TESTING SKIP: vlc not found"
-fi
-
-which fbreader
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: fbreader"
-        ./fbreader.exp
-else
-        echo "TESTING SKIP: fbreader not found"
-fi
-
-which deluge
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: deluge"
-        ./deluge.exp
-else
-        echo "TESTING SKIP: deluge not found"
-fi
-
-which gnome-mplayer
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: gnome-mplayer"
-        ./gnome-mplayer.exp
-else
-        echo "TESTING SKIP: gnome-mplayer not found"
-fi
-
-which xchat
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: xchat"
-        ./xchat.exp
-else
-        echo "TESTING SKIP: xchat not found"
-fi
-
-which hexchat
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: hexchat"
-        ./hexchat.exp
-else
-        echo "TESTING SKIP: hexchat not found"
-fi
-
-which wine
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: wine"
-        ./wine.exp
-else
-        echo "TESTING SKIP: wine not found"
-fi
+export LC_ALL=C
+
+LIST="firefox midori chromium opera transmission-qt qbittorrent uget-gtk filezilla gthumb thunderbird "
+LIST+="vlc fbreader deluge gnome-mplayer xchat wine kcalc ktorrent hexchat"
+
+for app in $LIST; do
+        which $app 2>/dev/null
+        if [ "$?" -eq 0 ];
+        then
+                echo "TESTING: $app"
+                ./$app.exp
+        else
+                echo "TESTING SKIP: $app not found"
+        fi
+done
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp
index 6b784e395..d65bc93a9 100755
--- a/test/apps/chromium.exp
+++ b/test/apps/chromium.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp
index 004b8d144..25c98623c 100755
--- a/test/apps/deluge.exp
+++ b/test/apps/deluge.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp
index d0ad8be0a..67301c1d2 100755
--- a/test/apps/fbreader.exp
+++ b/test/apps/fbreader.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp
index da8c23773..da37f1eff 100755
--- a/test/apps/filezilla.exp
+++ b/test/apps/filezilla.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp
index 84504ccbf..2a6f18276 100755
--- a/test/apps/firefox.exp
+++ b/test/apps/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp
index d0c370df0..564220d95 100755
--- a/test/apps/gnome-mplayer.exp
+++ b/test/apps/gnome-mplayer.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp
index 9edcd68fe..569adcd34 100755
--- a/test/apps/gthumb.exp
+++ b/test/apps/gthumb.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp
index 9d78a9676..adea02216 100755
--- a/test/apps/hexchat.exp
+++ b/test/apps/hexchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -50,7 +50,7 @@ send -- "firemon --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-        "hexchat"
+        ":firejail hexchat"
 }
 expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -64,7 +64,7 @@ after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "hexchat"
+        ":firejail hexchat"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
@@ -80,4 +80,4 @@ expect {
 }
 after 100
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/apps/kcalc.exp b/test/apps/kcalc.exp
new file mode 100755
index 000000000..aaeb5221d
--- /dev/null
+++ b/test/apps/kcalc.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail kcalc\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/kcalc.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "kcalc"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail kcalc"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail kcalc"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/apps/ktorrent.exp b/test/apps/ktorrent.exp
new file mode 100755
index 000000000..8693f5f1d
--- /dev/null
+++ b/test/apps/ktorrent.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail ktorrent\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/ktorrent.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "ktorrent"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail ktorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail ktorrent"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/apps/midori.exp b/test/apps/midori.exp
index be6df1cbd..fae41e6da 100755
--- a/test/apps/midori.exp
+++ b/test/apps/midori.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/opera.exp b/test/apps/opera.exp
index eb6aef719..990476ed5 100755
--- a/test/apps/opera.exp
+++ b/test/apps/opera.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp
index 742d9baf1..bc0386335 100755
--- a/test/apps/qbittorrent.exp
+++ b/test/apps/qbittorrent.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/thunderbird.exp b/test/apps/thunderbird.exp
index f1aad2871..10d0bb2f6 100755
--- a/test/apps/thunderbird.exp
+++ b/test/apps/thunderbird.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp
index 63f135b1d..fec18a8bf 100755
--- a/test/apps/transmission-qt.exp
+++ b/test/apps/transmission-qt.exp
@@ -1,13 +1,13 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail transmission-qt\r"
+send -- "firejail --ignore=quiet transmission-qt\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Reading profile /etc/firejail/transmission-qt.profile"
@@ -50,7 +50,7 @@ send -- "firemon --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-        ":firejail transmission-qt"
+        ":firejail --ignore=quiet transmission-qt"
 }
 expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -64,7 +64,7 @@ after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail transmission-qt"
+        ":firejail --ignore=quiet transmission-qt"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
index 05dd9edc6..caa4063b9 100755
--- a/test/apps/uget-gtk.exp
+++ b/test/apps/uget-gtk.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp
index 9d75c40d6..ce3df1ba6 100755
--- a/test/apps/vlc.exp
+++ b/test/apps/vlc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/wine.exp b/test/apps/wine.exp
index 75f044ca6..982a0c6d9 100755
--- a/test/apps/wine.exp
+++ b/test/apps/wine.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp
index 427e09159..9ed75d821 100755
--- a/test/apps/xchat.exp
+++ b/test/apps/xchat.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh
deleted file mode 100755
index 049236900..000000000
--- a/test/arguments/arguments.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-if [ -f /etc/debian_version ]; then
-        libdir=$(dirname "$(dpkg -L firejail | grep faudit)")
-        export PATH="$PATH:$libdir"
-else
-        export PATH="$PATH:/usr/lib/firejail"
-fi
-export PATH="$PATH:/usr/lib/firejail"
-
-echo "TESTING: 1. regular bash session"
-./bashrun.exp
-sleep 1
-
-echo "TESTING: 2. symbolic link to firejail"
-./symrun.exp
-rm -fr symtest
-sleep 1
-
-echo "TESTING: 3. --join option"
-./joinrun.exp
-sleep 1
-
-echo "TESTING: 4. --output option"
-./outrun.exp
-rm out
-rm out.*
diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp
deleted file mode 100755
index a3c9e382d..000000000
--- a/test/arguments/bashrun.exp
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "./bashrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.1.3\n";exit}
-        "#arg2#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 1.2.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.2.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 1.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.3.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 1.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.4.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 1.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.5.3\n";exit}
-        "#arg2&tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 1.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 1.6.3\n";exit}
-        "#arg2&tail#"
-}
-
-puts "\nall done\n"
diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh
deleted file mode 100755
index a4773fd6c..000000000
--- a/test/arguments/bashrun.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: 1.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 1.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 1.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 1.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 1.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 1.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
deleted file mode 100755
index 97972e5e8..000000000
--- a/test/arguments/joinrun.exp
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-
-send -- "firejail --name=joinrun\r"
-sleep 2
-
-spawn $env(SHELL)
-send --  "./joinrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.1.3\n";exit}
-        "#arg2#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 3.2.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.2.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.3.3\n";exit}
-        "#arg2 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.4.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 3.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.5.3\n";exit}
-        "#arg2&tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 3.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 3.6.3\n";exit}
-        "#arg2&tail#"
-}
-
-puts "\nall done\n"
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
deleted file mode 100755
index b00ea0e80..000000000
--- a/test/arguments/joinrun.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: 3.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 3.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 3.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 3.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 3.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 3.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp
deleted file mode 100755
index d28e75661..000000000
--- a/test/arguments/outrun.exp
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "./outrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.1.3\n";exit}
-        "#arg2#"
-}
-
-exit
-#***************************************************
-#  breaking down from here on - bug to fix
-#***************************************************
-expect {
-        timeout {puts "TESTING ERROR 4.2.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.2.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 4.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.3.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 4.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.4.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 4.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.5.3\n";exit}
-        "#arg2&tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 4.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 4.6.3\n";exit}
-        "#arg2&tail#"
-}
-
-puts "\nall done\n"
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh
deleted file mode 100755
index 5bc3b1e37..000000000
--- a/test/arguments/outrun.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: 4.1 - simple args"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 4.2 - args with space and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 4.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 4.4 - args with space and \\"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 4.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 4.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp
deleted file mode 100755
index 10e7ac6c8..000000000
--- a/test/arguments/symrun.exp
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "./symrun.sh\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1.2\n";exit}
-        "#arg1#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.1.3\n";exit}
-        "#arg2#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 2.3.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.3.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 2.4.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4.2\n";exit}
-        "#arg1 tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.4.3\n";exit}
-        "#arg2 tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 2.5.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.5.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.5.3\n";exit}
-        "#arg2&tail#"
-}
-
-expect {
-        timeout {puts "TESTING ERROR 2.6.1\n";exit}
-        "Arguments:"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.6.2\n";exit}
-        "#arg1&tail#"
-}
-expect {
-        timeout {puts "TESTING ERROR 2.6.3\n";exit}
-        "#arg2&tail#"
-}
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh
deleted file mode 100755
index db5f06835..000000000
--- a/test/arguments/symrun.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-mkdir symtest
-ln -s /usr/bin/firejail symtest/faudit
-
-# search for faudit in current directory
-export PATH=$PATH:.
-export FIREJAIL_TEST_ARGUMENTS=yes
-
-echo "TESTING: 2.1 - simple args"
-symtest/faudit arg1 arg2
-
-# simple quotes, testing spaces in file names
-echo "TESTING: 2.2 - args with space and \""
-symtest/faudit "arg1 tail" "arg2 tail"
-
-echo "TESTING: 2.3 - args with space and '"
-symtest/faudit 'arg1 tail' 'arg2 tail'
-
-# escaped space in file names
-echo "TESTING: 2.4 - args with space and \\"
-symtest/faudit arg1\ tail arg2\ tail
-
-# & char appears in URLs - URLs should be quoted
-echo "TESTING: 2.5 - args with & and \""
-symtest/faudit "arg1&tail" "arg2&tail"
-
-echo "TESTING: 2.6 - args with & and '"
-symtest/faudit 'arg1&tail' 'arg2&tail'
-
-rm -fr symtest
diff --git a/test/blacklist-link.exp b/test/blacklist-link.exp
deleted file mode 100755
index 4252f875a..000000000
--- a/test/blacklist-link.exp
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# blacklist a directory symlink
-send -- "firejail --blacklist=auto2\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls auto2\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-
-# blacklist a directory symlink from a profile file
-send -- "firejail --profile=blacklist3.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls auto2\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "cannot open directory"
-}
-send -- "exit\r"
-sleep 1
-
-# do not blacklist /bin
-send -- "firejail --blacklist=auto3\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "auto3 directory link was not blacklisted"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls auto3; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "cannot open directory" {puts "TESTING ERROR 6.1\n";exit}
-        "home"
-}
-send -- "exit\r"
-sleep 1
-
-# do not blacklist /usr/bin
-send -- "firejail --blacklist=auto3\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "auto3 directory link was not blacklisted"
-}
-expect {
-        timeout {puts "TESTING ERROR 7.1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls auto3; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "cannot open directory" {puts "TESTING ERROR 9.1\n";exit}
-        "home"
-}
-send -- "exit\r"
-sleep 1
-
-
-puts "all done\n"
diff --git a/test/blacklist.exp b/test/blacklist.exp
deleted file mode 100755
index 9c3dddf1f..000000000
--- a/test/blacklist.exp
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# directory with ~
-send -- "firejail --blacklist=~/.config\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al ~/.config\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "cannot open directory"
-}
-
-send -- "exit\r"
-sleep 1
-
-# directory with ~ in profile file
-send -- "firejail --profile=blacklist1.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al ~/.config\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "cannot open directory"
-}
-
-send -- "exit\r"
-sleep 1
-
-
-# directory with space
-send -- "firejail \"--blacklist=dir with space\"\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al \"dir with space\"\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "cannot open directory"
-}
-
-send -- "exit\r"
-sleep 1
-
-# directory with space in profile
-send -- "firejail --profile=blacklist2.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al \"dir with space\"\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "cannot open directory"
-}
-
-
-
-puts "\n"
diff --git a/test/blacklist1.profile b/test/blacklist1.profile
deleted file mode 100644
index f12facd05..000000000
--- a/test/blacklist1.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist ~/.config
diff --git a/test/blacklist2.profile b/test/blacklist2.profile
deleted file mode 100644
index 4bb603db2..000000000
--- a/test/blacklist2.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist dir with space
diff --git a/test/blacklist3.profile b/test/blacklist3.profile
deleted file mode 100644
index 08f754f3f..000000000
--- a/test/blacklist3.profile
+++ /dev/null
@@ -1 +0,0 @@
-blacklist auto2
diff --git a/test/chk_config.exp b/test/chk_config.exp
deleted file mode 100755
index f47fd0eee..000000000
--- a/test/chk_config.exp
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check br0
-send -- "/sbin/ifconfig;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0 - please run ./configure\n";exit}
-        "br0"
-}
-expect {
-        timeout {puts "TESTING ERROR 0 - please run ./configure\n";exit}
-        "10.10.20.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 0 - please run ./configure\n";exit}
-        "home"
-}
-
-# check br1
-send -- "/sbin/ifconfig;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "br1"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "10.10.30.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "home"
-}
-
-# check br2
-send -- "/sbin/ifconfig;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "br2"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "10.10.40.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
-}
-
-# check br3
-send -- "/sbin/ifconfig;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "br3"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "10.10.50.1"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-
-# start a sandbox and check MALLOC_PERTURB
-send -- "firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-set timeout 2
-send -- "env | grep MALLOC;pwd\r"
-expect {
-        timeout {puts "\nTESTING: MALLOC_PERTURB_ disabled\n"}
-        "MALLOC_PERTURB_" {puts "\nTESTING: MALLOC_PERTURB_ enabled\n"}
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "home" {puts "regular user\n"}
-        "root" {puts "root user\n"}
-}
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh
index e7911caa0..1ac5cf47e 100755
--- a/test/chroot/chroot.sh
+++ b/test/chroot/chroot.sh
@@ -1,10 +1,11 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 rm -f unchroot
 gcc -o unchroot unchroot.c
diff --git a/test/chroot/configure b/test/chroot/configure
index 26a516931..747dc4383 100755
--- a/test/chroot/configure
+++ b/test/chroot/configure
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 # build a very small chroot
 ROOTDIR="/tmp/chroot"                   # default chroot directory
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
index a071027e5..650425829 100755
--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp
index e4bedd539..b88367054 100755
--- a/test/chroot/unchroot-as-root.exp
+++ b/test/chroot/unchroot-as-root.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c
index 4919637d6..643983ce4 100644
--- a/test/chroot/unchroot.c
+++ b/test/chroot/unchroot.c
@@ -1,3 +1,7 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2021 Firejail Authors
+// License GPL v2
+
 // simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier
 #include <unistd.h>
 #include <stdlib.h>
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 9b7d19057..101998187 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -1,26 +1,44 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+# not currently covered
+#  --disable-suid          install as a non-SUID executable
+#  --enable-fatal-warnings -W -Wall -Werror
+#  --enable-gcov           Gcov instrumentation
+#  --enable-contrib-install
+#                          install contrib scripts
+#  --enable-analyzer       enable GCC 10 static analyzer
+
+
 
 arr[1]="TEST 1: standard compilation"
-arr[2]="TEST 2: compile seccomp disabled"
+arr[2]="TEST 2: compile dbus proxy disabled"
 arr[3]="TEST 3: compile chroot disabled"
-arr[4]="TEST 4: compile bind disabled"
+arr[4]="TEST 4: compile firetunnel disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
-arr[8]="TEST 8: compile network restricted"
+arr[8]="TEST 8: compile selinux"
 arr[9]="TEST 9: compile file transfer disabled"
 arr[10]="TEST 10: compile disable whitelist"
 arr[11]="TEST 11: compile disable global config"
 arr[12]="TEST 12: compile apparmor"
 arr[13]="TEST 13: compile busybox"
 arr[14]="TEST 14: compile overlayfs disabled"
-arr[15]="TEST 15: compile apparmor enabled"
+arr[15]="TEST 15: compile private-home disabled"
+arr[16]="TEST 16: compile disable manpages"
+arr[17]="TEST 17: disable tmpfs as regular user"
+arr[18]="TEST 18: disable private home"
 
 # remove previous reports and output file
 cleanup() {
         rm -f report*
         rm -fr firejail
         rm -f oc* om*
+        rm -f output-configure
+        rm -f output-make
 }
 
 print_title() {
@@ -74,13 +92,12 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 2
 #*****************************************************************
-# - disable seccomp configuration
+# - disable dbus proxy configuration
 #*****************************************************************
 print_title "${arr[2]}"
-# seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --disable-seccomp  --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-dbusproxy  --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test2
@@ -95,7 +112,6 @@ rm output-configure output-make
 # - disable chroot configuration
 #*****************************************************************
 print_title "${arr[3]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-chroot  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -110,13 +126,12 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 4
 #*****************************************************************
-# - disable bind configuration
+# - disable firetunnel configuration
 #*****************************************************************
 print_title "${arr[4]}"
-# seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --disable-bind  --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-firetunnel  --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test4
@@ -131,7 +146,6 @@ rm output-configure output-make
 # - disable user namespace configuration
 #*****************************************************************
 print_title "${arr[5]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-userns  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -150,7 +164,6 @@ rm output-configure output-make
 # - check compilation
 #*****************************************************************
 print_title "${arr[6]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-network  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -168,7 +181,6 @@ rm output-configure output-make
 # - disable X11 support
 #*****************************************************************
 print_title "${arr[7]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-x11  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -180,17 +192,15 @@ cp output-configure oc7
 cp output-make om7
 rm output-configure output-make
 
-
 #*****************************************************************
 # TEST 8
 #*****************************************************************
-# - enable network restricted
+# - enable selinux
 #*****************************************************************
 print_title "${arr[8]}"
-# seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --enable-network=restricted  --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test8
@@ -199,14 +209,12 @@ cp output-configure oc8
 cp output-make om8
 rm output-configure output-make
 
-
 #*****************************************************************
 # TEST 9
 #*****************************************************************
 # - disable file transfer
 #*****************************************************************
 print_title "${arr[9]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-file-transfer  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -224,7 +232,6 @@ rm output-configure output-make
 # - disable whitelist
 #*****************************************************************
 print_title "${arr[10]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-whitelist  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -242,7 +249,6 @@ rm output-configure output-make
 # - disable global config
 #*****************************************************************
 print_title "${arr[11]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-globalcfg  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -260,7 +266,6 @@ rm output-configure output-make
 # - enable apparmor
 #*****************************************************************
 print_title "${arr[12]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --enable-apparmor  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -278,7 +283,6 @@ rm output-configure output-make
 # - enable busybox workaround
 #*****************************************************************
 print_title "${arr[13]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -296,7 +300,6 @@ rm output-configure output-make
 # - disable overlayfs
 #*****************************************************************
 print_title "${arr[14]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -311,13 +314,12 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 15
 #*****************************************************************
-# - enable apparmor
+# - disable private home
 #*****************************************************************
 print_title "${arr[15]}"
-# seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test15
@@ -326,6 +328,56 @@ cp output-configure oc15
 cp output-make om15
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 16
+#*****************************************************************
+# - disable manpages
+#*****************************************************************
+print_title "${arr[16]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-man --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test16
+grep Error output-configure output-make >> ./report-test16
+cp output-configure oc16
+cp output-make om16
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 17
+#*****************************************************************
+# - disable tmpfs as regular user"
+#*****************************************************************
+print_title "${arr[17]}"
+cd firejail
+make distclean
+./configure --prefix=/usr  --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test17
+grep Error output-configure output-make >> ./report-test17
+cp output-configure oc17
+cp output-make om17
+rm output-configure output-make
+
+#*****************************************************************
+# TEST 18
+#*****************************************************************
+# - disable private home feature
+#*****************************************************************
+print_title "${arr[18]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test18
+grep Error output-configure output-make >> ./report-test18
+cp output-configure oc18
+cp output-make om18
+rm output-configure output-make
 
 #*****************************************************************
 # PRINT REPORTS
@@ -356,3 +408,6 @@ echo ${arr[12]}
 echo ${arr[13]}
 echo ${arr[14]}
 echo ${arr[15]}
+echo ${arr[16]}
+echo ${arr[17]}
+echo ${arr[18]}
diff --git a/test/configure b/test/configure
deleted file mode 100755
index bb955670b..000000000
--- a/test/configure
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-
-brctl addbr br0
-ifconfig br0 10.10.20.1/29 up
-# NAT masquerade
-iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE
-# port forwarding
-# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80
-
-brctl addbr br1
-ifconfig br1 10.10.30.1/24 up
-brctl addbr br2
-ifconfig br2 10.10.40.1/24 up
-brctl addbr br3
-ifconfig br3 10.10.50.1/24 up
-brctl addbr br4
-ifconfig br4 10.10.60.1/24 up
-ip link add link eth0 name eth0.5 type vlan id 5
-/sbin/ifconfig eth0.5 10.10.205.10/24 up
-ip link add link eth0 name eth0.6 type vlan id 6
-/sbin/ifconfig eth0.6 10.10.206.10/24 up
-ip link add link eth0 name eth0.7 type vlan id 7
-/sbin/ifconfig eth0.7 10.10.207.10/24 up
-
-
-# build a very small chroot
-ROOTDIR="/tmp/chroot"                   # default chroot directory
-DEFAULT_FILES="/bin/bash /bin/sh "      # basic chroot files
-DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
-DEFAULT_FILES+=`find /lib -name libnss*`        # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
-
-rm -fr $ROOTDIR
-mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
-chmod 777 $ROOTDIR/tmp
-mkdir -p $ROOTDIR/etc/firejail
-mkdir -p $ROOTDIR/home/netblue/.config/firejail
-chown netblue:netblue $ROOTDIR/home/netblue
-chown netblue:netblue $ROOTDIR/home/netblue/.config
-cp /home/netblue/.Xauthority $ROOTDIR/home/netblue/.
-cp -a /etc/skel $ROOTDIR/etc/.
-mkdir $ROOTDIR/home/someotheruser
-mkdir $ROOTDIR/boot
-mkdir $ROOTDIR/selinux
-cp /etc/passwd $ROOTDIR/etc/.
-cp /etc/group $ROOTDIR/etc/.
-cp /etc/hosts $ROOTDIR/etc/.
-cp /etc/hostname $ROOTDIR/etc/.
-mkdir -p $ROOTDIR/usr/lib/x86_64-linux-gnu
-cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0 $ROOTDIR/usr/lib/x86_64-linux-gnu/.
-cp -a /usr/lib/ssl $ROOTDIR/usr/lib/.
-touch $ROOTDIR/var/log/syslog
-touch $ROOTDIR/var/tmp/somefile
-SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`
-for FILE in $SORTED
-do
-        cp --parents $FILE $ROOTDIR
-done
-cp --parents /lib64/ld-linux-x86-64.so.2 $ROOTDIR
-cp --parents /lib/ld-linux.so.2 $ROOTDIR
-cp ../src/tools/unchroot $ROOTDIR/.
-touch $ROOTDIR/this-is-my-chroot
-
-cd $ROOTDIR; find .
-mkdir -p usr/lib/firejail/
-cp /usr/lib/firejail/libtrace.so usr/lib/firejail/.
-
-
-echo "To enter the chroot directory run: firejail --chroot=$ROOTDIR"
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
index 359f94db1..f660c123a 100755
--- a/test/environment/allow-debuggers.exp
+++ b/test/environment/allow-debuggers.exp
@@ -1,40 +1,34 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r"
+send -- "firejail --allow-debuggers\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized" { puts "\n"}
         "is disabled on Linux kernels prior to 4.8" { puts "TESTING SKIP: kernel too old\n"; exit }
 }
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "ioctl"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "exit_group"
-}
 after 100
 
-send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
-}
+send -- "strace ls\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "ioctl"
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "open"
 }
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "exit_group"
 }
 after 100
+send -- "exit\r"
+sleep 1
+
 
 
 puts "\nall done\n"
diff --git a/test/environment/csh.exp b/test/environment/csh.exp
index 633934791..f8ced07b5 100755
--- a/test/environment/csh.exp
+++ b/test/environment/csh.exp
@@ -1,35 +1,34 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --csh\r"
+send -- "firejail --private --shell=/bin/csh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        ".cshrc"
+        "SHELL"
 }
-
-send -- "env | grep SHELL\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "SHELL"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/csh"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "/bin/csh"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "home"
 }
 send -- "exit\r"
 after 100
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/environment/dash.exp b/test/environment/dash.exp
index cad4422a0..983a527cf 100755
--- a/test/environment/dash.exp
+++ b/test/environment/dash.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 cd /home
diff --git a/test/environment/deterministic-exit-code.exp b/test/environment/deterministic-exit-code.exp
new file mode 100755
index 000000000..1a1e53605
--- /dev/null
+++ b/test/environment/deterministic-exit-code.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "53"
+}
+after 100
+
+send -- "firejail --deterministic-exit-code\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+after 300
+
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "35"
+}
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/environment/dns.exp b/test/environment/dns.exp
index 0d12a82f2..5b06b51c0 100755
--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -1,29 +1,82 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
-set timeout 30
+set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1\r"
+send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2 --dns=1.2.3.4 sleep 1\r"
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Warning: up to 4 DNS servers can be specified, 1.2.3.4 ignored"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "DNS server 8.8.4.4"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "DNS server 8.8.8.8"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3\n";exit}
+        "DNS server 4.2.2.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4\n";exit}
+        "DNS server ::2"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
+        "Parent is shutting down, bye..."
+}
+after 100
+
+
+send -- "firejail --quiet --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2 --dns=1.2.3.4  cat /etc/passwd\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Warning: up to 4 DNS servers can be specified, 1.2.3.4 ignored" {puts "TESTING ERROR 2.1\n";exit}
+        "DNS server 8.8.4.4" {puts "TESTING ERROR 2.2\n";exit}
+        "DNS server 8.8.8.8" {puts "TESTING ERROR 2.3\n";exit}
+        "DNS server 4.2.2.1" {puts "TESTING ERROR 2.4\n";exit}
+        "DNS server ::2" {puts "TESTING ERROR 2.5\n";exit}
+        "Child process initialized" {puts "TESTING ERROR 2.6\n";exit}
+        "Parent is shutting down, bye..." {puts "TESTING ERROR 2.7\n";exit}
+        "root"
+}
+after 100
+
+send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1 --dns=::2\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
         "Child process initialized"
 }
 sleep 1
 
 send -- "cat /etc/resolv.conf\r"
 expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
+        timeout {puts "TESTING ERROR 4.1\n";exit}
         "nameserver 8.8.4.4"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.3\n";exit}
+        timeout {puts "TESTING ERROR 4.2\n";exit}
         "nameserver 8.8.8.8"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.4\n";exit}
+        timeout {puts "TESTING ERROR 4.3\n";exit}
         "nameserver 4.2.2.1"
 }
+expect {
+        timeout {puts "TESTING ERROR 4.4\n";exit}
+        "nameserver ::2"
+}
 after 100
 send -- "exit\r"
 sleep 1
@@ -31,39 +84,43 @@ sleep 1
 
 send -- "firejail --profile=dns.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
+        timeout {puts "TESTING ERROR 5.1\n";exit}
         "Child process initialized"
 }
 sleep 1
 
 send -- "cat /etc/resolv.conf\r"
 expect {
-        timeout {puts "TESTING ERROR 12.2\n";exit}
+        timeout {puts "TESTING ERROR 5.2\n";exit}
         "nameserver 8.8.4.4"
 }
 expect {
-        timeout {puts "TESTING ERROR 12.3\n";exit}
+        timeout {puts "TESTING ERROR 5.3\n";exit}
         "nameserver 8.8.8.8"
 }
 expect {
-        timeout {puts "TESTING ERROR 12.4\n";exit}
+        timeout {puts "TESTING ERROR 5.4\n";exit}
         "nameserver 4.2.2.1"
 }
 after 100
+expect {
+        timeout {puts "TESTING ERROR 5.5\n";exit}
+        "nameserver ::2"
+}
 send -- "exit\r"
 sleep 1
 
 send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
 expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
+        timeout {puts "TESTING ERROR 6.1\n";exit}
         "connect"
 }
 expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
+        timeout {puts "TESTING ERROR 6.2\n";exit}
         "208.67.222.222"
 }
 expect {
-        timeout {puts "TESTING ERROR 1.2\n";exit}
+        timeout {puts "TESTING ERROR 6.3\n";exit}
         "53"
 }
 after 100
diff --git a/test/environment/dns.profile b/test/environment/dns.profile
index d1b842c86..ade2f2650 100644
--- a/test/environment/dns.profile
+++ b/test/environment/dns.profile
@@ -1,3 +1,4 @@
 dns 8.8.4.4
 dns 8.8.8.8
 dns 4.2.2.1
+dns ::2
diff --git a/test/environment/doubledash.exp b/test/environment/doubledash.exp
index ed0419f2d..275755337 100755
--- a/test/environment/doubledash.exp
+++ b/test/environment/doubledash.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/environment/env.exp b/test/environment/env.exp
index 9e2ba1e1c..4f6f8a1b7 100755
--- a/test/environment/env.exp
+++ b/test/environment/env.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 308d99871..1e1dd549b 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -1,12 +1,16 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 
+echo "TESTING: timeout (test/environment/timeout.exp)"
+./timeout.exp
+
 echo "TESTING: DNS (test/environment/dns.exp)"
 ./dns.exp
 
@@ -35,7 +39,7 @@ echo "TESTING: environment variables (test/environment/env.exp)"
 echo "TESTING: shell none(test/environment/shell-none.exp)"
 ./shell-none.exp
 
-which dash
+which dash 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: dash (test/environment/dash.exp)"
@@ -44,7 +48,7 @@ else
         echo "TESTING SKIP: dash not found"
 fi
 
-which csh
+which csh 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: csh (test/environment/csh.exp)"
@@ -53,7 +57,7 @@ else
         echo "TESTING SKIP: csh not found"
 fi
 
-which zsh
+which zsh 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: zsh (test/environment/zsh.exp)"
@@ -65,16 +69,13 @@ fi
 echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)"
 ./firejail-in-firejail.exp
 
-echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)"
-./firejail-in-firejail2.exp
-
-which aplay
-if [ "$?" -eq 0 ];
+which aplay 2>/dev/null
+if [ "$?" -eq 0 ] && [ "$(aplay -l | grep -c "List of PLAYBACK")" -gt 0 ];
 then
         echo "TESTING: sound (test/environment/sound.exp)"
         ./sound.exp
 else
-        echo "TESTING SKIP: aplay not found"
+        echo "TESTING SKIP: no aplay or sound card found"
 fi
 
 echo "TESTING: nice (test/environment/nice.exp)"
@@ -83,7 +84,7 @@ echo "TESTING: nice (test/environment/nice.exp)"
 echo "TESTING: quiet (test/environment/quiet.exp)"
 ./quiet.exp
 
-which strace
+which strace 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)"
@@ -111,8 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)"
 echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
 ./rlimit-profile.exp
 
+echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
+./rlimit-join.exp
+
 echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 ./rlimit-bad.exp
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
+
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
+./deterministic-exit-code.exp
+
+echo "TESTING: retain umask (test/environment/umask.exp)"
+(umask 123 && ./umask.exp)
diff --git a/test/environment/extract_command.exp b/test/environment/extract_command.exp
index 72d7501aa..f91a10fa6 100755
--- a/test/environment/extract_command.exp
+++ b/test/environment/extract_command.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
index c2e2be596..459056260 100755
--- a/test/environment/firejail-in-firejail.exp
+++ b/test/environment/firejail-in-firejail.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -24,26 +24,6 @@ after 100
 send --  "exit\r"
 after 100
 
-send --  "firejail --force\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "cannot rise privileges"
-}
-after 100
-
-send --  "firejail --version\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "firejail version"
-}
-after 100
-
-send --  "firejail --version --force\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "firejail version"
-}
-after 100
 
 
 puts "\nall done\n"
diff --git a/test/environment/hostfile.exp b/test/environment/hostfile.exp
index c42864432..6b98863e5 100755
--- a/test/environment/hostfile.exp
+++ b/test/environment/hostfile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 
diff --git a/test/environment/ibus.exp b/test/environment/ibus.exp
index 75c7f5450..089736f33 100755
--- a/test/environment/ibus.exp
+++ b/test/environment/ibus.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 cd /home
diff --git a/test/environment/machineid.exp b/test/environment/machineid.exp
index 02eb6b232..f0b3d2942 100755
--- a/test/environment/machineid.exp
+++ b/test/environment/machineid.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 
diff --git a/test/environment/nice.exp b/test/environment/nice.exp
index f0ca93a5e..80591978d 100755
--- a/test/environment/nice.exp
+++ b/test/environment/nice.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,11 +14,7 @@ expect {
 }
 sleep 1
 
-send -- "top -b -n 1\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        $env(USER)
-}
+send -- "top -b -n 1 | awk '{ print \$4, \$12 }'\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "15"
@@ -28,10 +24,6 @@ expect {
         "bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        $env(USER)
-}
-expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "15"
 }
@@ -51,11 +43,7 @@ expect {
 }
 sleep 1
 
-send -- "top -b -n 1\r"
-expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        $env(USER)
-}
+send -- "top -b -n 1 | awk '{ print \$4, \$12 }'\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
         "15"
@@ -65,10 +53,6 @@ expect {
         "bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        $env(USER)
-}
-expect {
         timeout {puts "TESTING ERROR 15\n";exit}
         "15"
 }
@@ -90,11 +74,7 @@ expect {
 }
 sleep 1
 
-send -- "top -b -n 1\r"
-expect {
-        timeout {puts "TESTING ERROR 18\n";exit}
-        $env(USER)
-}
+send -- "top -b -n 1 | awk '{ print \$4, \$12 }'\r"
 expect {
         timeout {puts "TESTING ERROR 19\n";exit}
         "0"
@@ -104,10 +84,6 @@ expect {
         "bash"
 }
 expect {
-        timeout {puts "TESTING ERROR 21\n";exit}
-        $env(USER)
-}
-expect {
         timeout {puts "TESTING ERROR 22\n";exit}
         "0"
 }
diff --git a/test/environment/output.exp b/test/environment/output.exp
index d175ddae2..dd03001d7 100755
--- a/test/environment/output.exp
+++ b/test/environment/output.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/environment/output.sh b/test/environment/output.sh
index 2be188e3a..edf7dc4cb 100755
--- a/test/environment/output.sh
+++ b/test/environment/output.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 i="0"
 
diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp
index 3ab6d7f53..510491738 100755
--- a/test/environment/quiet.exp
+++ b/test/environment/quiet.exp
@@ -1,13 +1,14 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 4
 spawn $env(SHELL)
 match_max 100000
 
-# check ip address
+send -- "stty -echo\r"
+after 100
 send -- "firejail --quiet echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp
index cd77402fd..b1572afb6 100755
--- a/test/environment/rlimit-bad-profile.exp
+++ b/test/environment/rlimit-bad-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -8,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=rlimit-bad1.profile\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix."
 }
 after 100
 
diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp
index 0a2fe9c98..c05e14b97 100755
--- a/test/environment/rlimit-bad.exp
+++ b/test/environment/rlimit-bad.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -7,7 +10,7 @@ match_max 100000
 send -- "firejail --rlimit-fsize=-1024\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize. Only use positive numbers and k, m or g suffix."
 }
 after 100
 
diff --git a/test/environment/rlimit-join.exp b/test/environment/rlimit-join.exp
new file mode 100755
index 000000000..aa8a203c0
--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send --  "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Max open files            1234                 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp
index a9e54a405..4071675ee 100755
--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 #cd /home
@@ -27,6 +30,10 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
+        "Max address space         1234567890           1234567890"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
         "Max pending signals       200                  200"
 }
 after 100
diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp
index ecbe2a3b7..6fcb554a7 100755
--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -1,11 +1,14 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r"
+send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=1234567890\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -27,10 +30,14 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Max pending signals       200                  200"
+        "Max address space         1234567890           1234567890"
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
+        "Max pending signals       200                  200"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
         "home"
 }
 after 100
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile
index 88fc9ff31..2f1134e6c 100644
--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -1,4 +1,5 @@
-  rlimit-fsize 1024
+rlimit-fsize 1024
 rlimit-nproc 1000
-        rlimit-nofile   500
-rlimit-sigpending       200
+rlimit-nofile 500
+rlimit-sigpending 200
+rlimit-as 1234567890
diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp
index 6514e6840..507225326 100755
--- a/test/environment/shell-none.exp
+++ b/test/environment/shell-none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/environment/sound.exp b/test/environment/sound.exp
index 18691b1f9..e5fa27e77 100755
--- a/test/environment/sound.exp
+++ b/test/environment/sound.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 
diff --git a/test/environment/timeout.exp b/test/environment/timeout.exp
new file mode 100755
index 000000000..ea0dd67b7
--- /dev/null
+++ b/test/environment/timeout.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "time firejail --timeout=00:00:05\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+sleep 3
+send -- "env\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "container=firejail"
+}
+
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "m5."  {puts "5 seconds"}
+        "m6."  {puts "6 seconds"}
+        "m7." {puts "7 seconds"}
+}
+
+puts "\nall done\n"
diff --git a/test/fs_home_sanitize.exp b/test/environment/umask.exp
index d661f9c7b..e1f520fcd 100755
--- a/test/fs_home_sanitize.exp
+++ b/test/environment/umask.exp
@@ -1,32 +1,44 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail\r"
+send -- "firejail --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "ls /home;pwd\r"
+send -- "umask\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "bingo"
+        "0123"
 }
+after 100
+
+send -- "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "Warning: an existing sandbox was detected"
 }
-sleep 1
+after 100
 
-send -- "ls /home/bingo;pwd\r"
+send -- "umask\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "cannot open directory"
+        "0123"
 }
+after 100
+
+send -- "exit\r"
+after 100
+
+send -- "exit\r"
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp
index 711905f2c..a750ac55c 100755
--- a/test/environment/zsh.exp
+++ b/test/environment/zsh.exp
@@ -1,33 +1,32 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
+cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private --tracelog --zsh\r"
+send -- "firejail --private --shell=/bin/zsh\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find ~\r"
+send -- "env | grep SHELL;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        ".zshrc"
+        "SHELL"
 }
-
-send -- "env | grep SHELL;pwd\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "SHELL"
+        "/bin/zsh"
 }
 expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "/bin/zsh"
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "home"
 }
 send -- "exit\r"
 after 100
diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp
index 798c9e718..00e44e489 100755
--- a/test/fcopy/cmdline.exp
+++ b/test/fcopy/cmdline.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp
index e8462ae82..633d12d08 100755
--- a/test/fcopy/dircopy.exp
+++ b/test/fcopy/dircopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 #
@@ -118,6 +118,8 @@ expect {
 }
 after 100
 
+send -- "stty -echo\r"
+after 100
 send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 16\n";exit}
diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh
index 19401cf98..822f6a9cd 100755
--- a/test/fcopy/fcopy.sh
+++ b/test/fcopy/fcopy.sh
@@ -1,17 +1,18 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 if [ -f /etc/debian_version ]; then
         libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
         export PATH="$PATH:$libdir"
 fi
 
-export PATH="$PATH:/usr/lib/firejail"
+export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 
 mkdir dest
 
@@ -27,7 +28,4 @@ echo "TESTING: fcopy file (test/fcopy/filecopy.exp)"
 echo "TESTING: fcopy link (test/fcopy/linkcopy.exp)"
 ./linkcopy.exp
 
-echo "TESTING: fcopy trailing char (test/copy/trailing.exp)"
-./trailing.exp
-
 rm -fr dest/*
diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp
index 824a22bba..fb911e222 100755
--- a/test/fcopy/filecopy.exp
+++ b/test/fcopy/filecopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 #
@@ -35,6 +35,8 @@ expect {
         "rwxrwxr-x" { puts "umask 0002\n" }
 }
 after 100
+send -- "stty -echo\r"
+after 100
 
 send -- "diff -q dircopy.exp dest/dircopy.exp; echo done\r"
 expect {
diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp
index 46ee327cb..dbc33c6a7 100755
--- a/test/fcopy/linkcopy.exp
+++ b/test/fcopy/linkcopy.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 #
@@ -34,6 +34,8 @@ expect {
         "lrwxrwxrwx"
 }
 after 100
+send -- "stty -echo\r"
+after 100
 
 send -- "diff -q dircopy.exp dest/dircopy.exp; echo done\r"
 expect {
diff --git a/test/fcopy/trailing.exp b/test/fcopy/trailing.exp
deleted file mode 100755
index 1bff4e6c8..000000000
--- a/test/fcopy/trailing.exp
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
-# License GPL v2
-
-#
-# copy directory src to dest
-#
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private-etc=group,passwd,firejail/ ls /etc/firejail\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "0ad.profile"
-}
-after 100
-
-
-puts "\nall done\n"
diff --git a/test/features/1.1.exp b/test/features/1.1.exp
index 2273a3b98..fe1e0f132 100755
--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # disable /boot
 #
diff --git a/test/features/1.10.exp b/test/features/1.10.exp
index b668f5cd1..5dd03ecef 100755
--- a/test/features/1.10.exp
+++ b/test/features/1.10.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # disable /selinux
 #
diff --git a/test/features/1.2.exp b/test/features/1.2.exp
index 81f9531cb..f7a55b445 100755
--- a/test/features/1.2.exp
+++ b/test/features/1.2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # new /proc
 #
diff --git a/test/features/1.4.exp b/test/features/1.4.exp
index de05536f0..66a8c1175 100755
--- a/test/features/1.4.exp
+++ b/test/features/1.4.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # mask other users
 #
diff --git a/test/features/1.5.exp b/test/features/1.5.exp
index 194c7859e..ba0aea220 100755
--- a/test/features/1.5.exp
+++ b/test/features/1.5.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # PID namespace
 #
diff --git a/test/features/1.6.exp b/test/features/1.6.exp
index 111aca3c8..89fa29de0 100755
--- a/test/features/1.6.exp
+++ b/test/features/1.6.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # new /var/log
 #
diff --git a/test/features/1.7.exp b/test/features/1.7.exp
index dc73ae529..3e9c0908f 100755
--- a/test/features/1.7.exp
+++ b/test/features/1.7.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # new /var/tmp
 #
diff --git a/test/features/1.8.exp b/test/features/1.8.exp
index 3bb43718e..15936c2fb 100755
--- a/test/features/1.8.exp
+++ b/test/features/1.8.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # disable /etc/firejail and ~/.config/firejail
 #
diff --git a/test/features/2.1.exp b/test/features/2.1.exp
index d560d1a36..6e741a1c2 100755
--- a/test/features/2.1.exp
+++ b/test/features/2.1.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # hostname
 #
diff --git a/test/features/2.2.exp b/test/features/2.2.exp
index 00ed20e1f..3f30d0bad 100755
--- a/test/features/2.2.exp
+++ b/test/features/2.2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # DNS
 #
diff --git a/test/features/2.3.exp b/test/features/2.3.exp
index 9d3320d78..6c520fdba 100755
--- a/test/features/2.3.exp
+++ b/test/features/2.3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # mac-vlan
 #
diff --git a/test/features/2.4.exp b/test/features/2.4.exp
index 6784e1add..74b7881f0 100755
--- a/test/features/2.4.exp
+++ b/test/features/2.4.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # bridge
 # - todo: ping test or equivalent on chroot
diff --git a/test/features/2.5.exp b/test/features/2.5.exp
index 2d4c7a9bc..bc3e44e8f 100755
--- a/test/features/2.5.exp
+++ b/test/features/2.5.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # interface
 #
diff --git a/test/features/2.6.exp b/test/features/2.6.exp
index 63a9b3b90..7c763e6f1 100755
--- a/test/features/2.6.exp
+++ b/test/features/2.6.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # default gateway
 #
diff --git a/test/features/3.1.exp b/test/features/3.1.exp
index 3178cda42..6ba56517a 100755
--- a/test/features/3.1.exp
+++ b/test/features/3.1.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # private
 #
diff --git a/test/features/3.10.exp b/test/features/3.10.exp
index d6d858322..4797c765b 100755
--- a/test/features/3.10.exp
+++ b/test/features/3.10.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # whitelist tmp
 #
diff --git a/test/features/3.11.exp b/test/features/3.11.exp
index 4e89aa372..b26d7b888 100755
--- a/test/features/3.11.exp
+++ b/test/features/3.11.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # mkdir
 #
diff --git a/test/features/3.2.exp b/test/features/3.2.exp
index 271bbdda1..df73b9786 100755
--- a/test/features/3.2.exp
+++ b/test/features/3.2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # read-only
 #
diff --git a/test/features/3.3.exp b/test/features/3.3.exp
index c662410dc..499718dbd 100755
--- a/test/features/3.3.exp
+++ b/test/features/3.3.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # blacklist
 #
diff --git a/test/features/3.4.exp b/test/features/3.4.exp
index 2e0f7cae7..e59ff8a38 100755
--- a/test/features/3.4.exp
+++ b/test/features/3.4.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # whitelist home
 #
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
index abaf42a0e..8c37aebb3 100755
--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # private-dev
 #
diff --git a/test/features/3.6.exp b/test/features/3.6.exp
index 043a24121..0149a04cd 100755
--- a/test/features/3.6.exp
+++ b/test/features/3.6.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # private-etc
 #
diff --git a/test/features/3.7.exp b/test/features/3.7.exp
index bcd50c389..9d3e7265c 100755
--- a/test/features/3.7.exp
+++ b/test/features/3.7.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # private-tmp
 #
diff --git a/test/features/3.8.exp b/test/features/3.8.exp
index 4497b9f19..5546ef15b 100755
--- a/test/features/3.8.exp
+++ b/test/features/3.8.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # private-bin
 #
diff --git a/test/features/3.9.exp b/test/features/3.9.exp
index e6cefa0f6..6029160a6 100755
--- a/test/features/3.9.exp
+++ b/test/features/3.9.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # whitelist dev
 #
diff --git a/test/features/test.sh b/test/features/test.sh
index cf62d0a3d..392e6c159 100755
--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -1,4 +1,9 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+export LC_ALL=C
 OVERLAY="overlay"
 CHROOT="chroot"
 NETWORK="network"
diff --git a/test/filters/apparmor.exp b/test/filters/apparmor.exp
new file mode 100755
index 000000000..f20326fe0
--- /dev/null
+++ b/test/filters/apparmor.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --name=test1 --apparmor\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send --  "firejail --name=test2 --apparmor\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send --  "firemon --apparmor\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "test1:firejail --name=test1 --apparmor"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "AppArmor: firejail-default enforce"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "test2:firejail --name=test2 --apparmor"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "AppArmor: firejail-default enforce"
+}
+after 100
+
+send -- "firejail --apparmor.print=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "AppArmor: firejail-default enforce"
+}
+after 100
+
+send -- "firejail --apparmor.print=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "AppArmor: firejail-default enforce"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/filters/caps-join.exp b/test/filters/caps-join.exp
new file mode 100755
index 000000000..4f3a2832d
--- /dev/null
+++ b/test/filters/caps-join.exp
@@ -0,0 +1,96 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+
+send -- "stty -echo\r"
+after 100
+
+#
+# regular run
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "fffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "CapAmb:"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
+expect {
+        timeout {puts "TESTING ERROR20\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "CapBnd:        0000000000000009"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+puts "all done\n"
diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp
index 605041e22..e8465aee1 100755
--- a/test/filters/caps-print.exp
+++ b/test/filters/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
index aff5f03c2..8776e83d4 100755
--- a/test/filters/caps.exp
+++ b/test/filters/caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/debug.exp b/test/filters/debug.exp
index d37353378..b2ca95191 100755
--- a/test/filters/debug.exp
+++ b/test/filters/debug.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index d59d9109b..a9f06b60a 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -1,19 +1,24 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 if [ -f /etc/debian_version ]; then
         libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)")
         export PATH="$PATH:$libdir"
-else
-        export PATH="$PATH:/usr/lib/firejail"
 fi
+export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 
-export PATH="$PATH:/usr/lib/firejail"
+if [ -f /sys/kernel/security/apparmor/profiles ]; then
+        echo "TESTING: apparmor (test/filters/apparmor.exp)"
+        ./apparmor.exp
+else
+        echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
+fi
 
 if [ "$(uname -m)" = "x86_64" ]; then
     echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)"
@@ -28,15 +33,29 @@ fi
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
 
+echo "TESTING: seccomp run files (test/filters/seccomp-run-files.exp)"
+./seccomp-run-files.exp
+
+echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
+./seccomp-postexec.exp
+
 echo "TESTING: noroot (test/filters/noroot.exp)"
 ./noroot.exp
 
-echo "TESTING: capabilities (test/filters/caps.exp)"
-./caps.exp
+
+if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
+        echo "TESTING: capabilities (test/filters/caps.exp)"
+        ./caps.exp
+else
+        echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
+fi
 
 echo "TESTING: capabilities print (test/filters/caps-print.exp)"
 ./caps-print.exp
 
+echo "TESTING: capabilities join (test/filters/caps-join.exp)"
+./caps-join.exp
+
 rm -f seccomp-test-file
 if [ "$(uname -m)" = "x86_64" ]; then
        echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
@@ -73,7 +92,7 @@ echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
 echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
 ./seccomp-su.exp
 
-which strace
+which strace 2>/dev/null
 if [ $? -eq 0 ]; then
         echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)"
         ./seccomp-ptrace.exp
@@ -92,9 +111,19 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod
 echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
 ./seccomp-empty.exp
 
+echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)"
+./seccomp-numeric.exp
+
 if [ "$(uname -m)" = "x86_64" ]; then
         echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
         ./seccomp-dualfilter.exp
 else
         echo "TESTING SKIP: seccomp dual, not running on x86_64"
 fi
+
+if [ "$(uname -m)" = "x86_64" ]; then
+       echo "TESTING: seccomp join (test/filters/seccomp-join.exp)"
+        ./seccomp-join.exp
+else
+        echo "TESTING SKIP: seccomp join test implemented only for x86_64"
+fi
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
index a71c35302..59f812d6d 100755
--- a/test/filters/fseccomp.exp
+++ b/test/filters/fseccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -31,104 +31,87 @@ expect {
 after 100
 send -- "fseccomp protocol build unix,inet seccomp-test-file\r"
 after 100
-send -- "fseccomp print seccomp-test-file\r"
+send -- "fsec-print seccomp-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 4.1\n";exit}
-        "WHITELIST 41 socket"
-}
-
-after 100
-send -- "fseccomp secondary 64 seccomp-test-file\r"
-after 100
-send -- "fseccomp print seccomp-test-file\r"
-expect {
-        timeout {puts "TESTING ERROR 5.1\n";exit}
-        "BLACKLIST 165 mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.2\n";exit}
-        "BLACKLIST 166 umount2"
-}
-expect {
-        timeout {puts "TESTING ERROR 5.3\n";exit}
-        "RETURN_ALLOW"
+        "jeq socket"
 }
 
 after 100
 send -- "fseccomp default seccomp-test-file\r"
 after 100
-send -- "fseccomp print seccomp-test-file\r"
+send -- "fsec-print seccomp-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
-        "BLACKLIST 165 mount"
+        "jeq mount"
 }
 expect {
         timeout {puts "TESTING ERROR 6.2\n";exit}
-        "BLACKLIST 166 umount2"
+        "jeq umount2"
 }
 expect {
         timeout {puts "TESTING ERROR 6.3\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 
 after 100
 send -- "fseccomp drop seccomp-test-file tmpfile chmod,chown\r"
 after 100
-send -- "fseccomp print seccomp-test-file\r"
+send -- "fsec-print seccomp-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 7.1\n";exit}
-        "BLACKLIST 165 mount" {puts "TESTING ERROR 7.2\n";exit}
-        "BLACKLIST 166 umount2" {puts "TESTING ERROR 7.3\n";exit}
-        "BLACKLIST 90 chmod"
+        "jeq mount" {puts "TESTING ERROR 7.2\n";exit}
+        "jeq umount2" {puts "TESTING ERROR 7.3\n";exit}
+        "jeq chmod"
 }
 expect {
         timeout {puts "TESTING ERROR 7.4\n";exit}
-        "BLACKLIST 92 chown"
+        "jeq chown"
 }
 expect {
         timeout {puts "TESTING ERROR 7.5\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 
 after 100
 send -- "fseccomp default drop seccomp-test-file tmpfile chmod,chown\r"
 after 100
-send -- "fseccomp print seccomp-test-file\r"
+send -- "fsec-print seccomp-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 8.1\n";exit}
-        "BLACKLIST 165 mount"
+        "jeq mount"
 }
 expect {
         timeout {puts "TESTING ERROR 8.2\n";exit}
-        "BLACKLIST 166 umount2"
+        "jeq umount2"
 }
 expect {
         timeout {puts "TESTING ERROR 8.3\n";exit}
-        "BLACKLIST 90 chmod"
+        "jeq chmod"
 }
 expect {
         timeout {puts "TESTING ERROR 8.4\n";exit}
-        "BLACKLIST 92 chown"
+        "jeq chown"
 }
 expect {
         timeout {puts "TESTING ERROR 8.5\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 after 100
 send -- "fseccomp keep seccomp-test-file tmpfile chmod,chown\r"
 after 100
-send -- "fseccomp print seccomp-test-file\r"
+send -- "fsec-print seccomp-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 9.1\n";exit}
-        "WHITELIST 90 chmod"
+        "jeq chmod"
 }
 expect {
         timeout {puts "TESTING ERROR 9.2\n";exit}
-        "WHITELIST 92 chown"
+        "jeq chown"
 }
 expect {
         timeout {puts "TESTING ERROR 9.3\n";exit}
-        "KILL_PROCESS"
+        "ret KILL"
 }
 
 
diff --git a/test/filters/memwrexe b/test/filters/memwrexe
index 3a079672c..669f0d320 100755
--- a/test/filters/memwrexe
+++ b/test/filters/memwrexe
diff --git a/test/filters/memwrexe-32.exp b/test/filters/memwrexe-32.exp
index af2159973..1aeaacc82 100755
--- a/test/filters/memwrexe-32.exp
+++ b/test/filters/memwrexe-32.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -29,6 +29,18 @@ expect {
         "mprotect successful" {puts "TESTING ERROR 12\n";exit}
         "Parent is shutting down"
 }
+after 100
+
+send --  "firejail --memory-deny-write-execute ./memwrexe-32 memfd_create\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+        "Parent is shutting down"
+}
 
 after 100
 puts "\nall done\n"
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
index 7e14aa23d..4fbf05f78 100644
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -1,3 +1,7 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2021 Firejail Authors
+// License GPL v2
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -6,12 +10,14 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <sys/mman.h>
+#include <sys/syscall.h>
 
 static void usage(void) {
         printf("memwrexe options\n");
         printf("where options is:\n");
         printf("\tmmap - mmap test\n");
         printf("\tmprotect - mprotect test\n");
+        printf("\tmemfd_create - memfd_create test\n");
 }
 
 int main(int argc, char **argv) {
@@ -20,7 +26,7 @@ int main(int argc, char **argv) {
                 usage();
                 return 1;
         }
-        
+
         if (strcmp(argv[1], "mmap") == 0) {
                 // open some file
                 int fd = open("memwrexe.c", O_RDONLY);
@@ -28,13 +34,13 @@ int main(int argc, char **argv) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-        
+
                 int size = lseek(fd, 0, SEEK_END);
                 if (size == -1) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-                
+
                 void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
                 printf("mmap successful\n");
 
@@ -51,19 +57,19 @@ int main(int argc, char **argv) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-        
+
                 int size = lseek(fd, 0, SEEK_END);
                 if (size == -1) {
                         fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
                         return 1;
                 }
-                
+
                 void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0);
-                if (!p) {
+                if (p == MAP_FAILED) {
                         fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n");
                         return 1;
                 }
-                
+
                 mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
                 printf("mprotect successful\n");
 
@@ -72,5 +78,18 @@ int main(int argc, char **argv) {
 
                 return 0;
         }
+
+        else if (strcmp(argv[1], "memfd_create") == 0) {
+                int fd = syscall(SYS_memfd_create, "memfd_create", 0);
+                if (fd == -1) {
+                        fprintf(stderr, "TESTING ERROR: cannot run memfd_create test\n");
+                        return 1;
+                }
+                printf("memfd_create successful\n");
+
+                // wait for expect to timeout
+                sleep(100);
+
+                return 0;
+        }
 }
-        
\ No newline at end of file
diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp
index 6a57b8a07..2b170803c 100755
--- a/test/filters/memwrexe.exp
+++ b/test/filters/memwrexe.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -29,6 +29,18 @@ expect {
         "mprotect successful" {puts "TESTING ERROR 12\n";exit}
         "Parent is shutting down"
 }
+after 100
+
+send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+        "Parent is shutting down"
+}
 
 after 100
 puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
index 2c7218c87..64f72f610 100755
--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -1,160 +1,136 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+send -- "firejail --name=test --noroot --noprofile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}
         "Child process initialized"
 }
 sleep 1
 
+# check seccomp disabled and all caps enabled
 send -- "cat /proc/self/status\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "CapBnd:        0000000000000000"
-}
-expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Seccomp:"
+        "CapBnd:"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "2"
+        "ffffffff"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "Cpus_allowed:"
+        "Seccomp:"
 }
-puts "\n"
-
-send -- "ping 0\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Operation not permitted"
+        "0"
 }
-send -- "whoami\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        $env(USER)
+        "Cpus_allowed:"
 }
-send -- "sudo -s\r"
+puts "\n"
+
+send -- "whoami\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-        "Bad system call" { puts "OK\n";}
+        $env(USER)
 }
-send -- "cat /proc/self/uid_map | wc -l\r"
+send -- "sudo -s\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "1"
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
-send -- "cat /proc/self/gid_map | wc -l\r"
+
+send -- "sudo su -\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
-        "5"
+        "effective uid is not 0" {puts "OK\n"}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
 
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-
-send -- "firejail --name=test --noroot --noprofile\r"
+send -- "sudo ls\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Child process initialized"
+        "effective uid is not 0" {puts "OK\n"}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
-sleep 1
 
-send -- "cat /proc/self/status\r"
+send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
-        "CapBnd:"
+        "1"
 }
+send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
-        "ffffffff"
+        "5"
 }
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Seccomp:"
+        "User namespace detected"
 }
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
-        "0"
-}
-expect {
-        timeout {puts "TESTING ERROR 15\n";exit}
-        "Cpus_allowed:"
+        "Joining user namespace"
 }
-puts "\n"
+sleep 1
 
-send -- "whoami\r"
-expect {
-        timeout {puts "TESTING ERROR 16\n";exit}
-        $env(USER)
-}
 send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 17\n";exit}
+        timeout {puts "TESTING ERROR 15\n";exit}
         "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
         "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-send -- "ping 0\r"
-expect {
-        timeout {puts "TESTING ERROR 18\n";exit}
-        "Operation not permitted"
+        "Permission denied" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 19\n";exit}
+        timeout {puts "TESTING ERROR 16\n";exit}
         "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 20\n";exit}
+        timeout {puts "TESTING ERROR 17\n";exit}
         "5"
 }
 
-
-
-spawn $env(SHELL)
-send -- "firejail --debug --join=test\r"
+# check seccomp disabled and all caps enabled
+send -- "cat /proc/self/status\r"
 expect {
-        timeout {puts "TESTING ERROR 21\n";exit}
-        "User namespace detected"
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "CapBnd:"
 }
 expect {
-        timeout {puts "TESTING ERROR 22\n";exit}
-        "Joining user namespace"
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "ffffffff"
 }
-sleep 1
-
-send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 23\n";exit}
-        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-        "Permission denied" { puts "OK\n";}
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Seccomp:"
 }
-send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 24\n";exit}
-        "1"
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "0"
 }
-send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 25\n";exit}
-        "5"
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "Cpus_allowed:"
 }
+puts "\n"
+
+
 after 100
 puts "\nall done\n"
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp
index 71f54b08a..071460e4c 100755
--- a/test/filters/protocol.exp
+++ b/test/filters/protocol.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
index 19e64ee84..5e7c8e1b5 100755
--- a/test/filters/seccomp-bad-empty.exp
+++ b/test/filters/seccomp-bad-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
index 22615420d..5587e056c 100755
--- a/test/filters/seccomp-chmod-profile.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,8 +12,10 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 2
+sleep 1
 
+send -- "stty -echo\r"
+after 100
 send -- "cd ~; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -39,7 +41,7 @@ expect {
 send -- "chmod +x testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Bad system call"
+        "Operation not permitted"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
index 35c6f69c2..0d01d4ff2 100755
--- a/test/filters/seccomp-chmod.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,8 +12,10 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 2
+sleep 1
 
+send -- "stty -echo\r"
+after 100
 send -- "cd ~; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -39,7 +41,7 @@ expect {
 send -- "chmod +x testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Bad system call"
+        "Operation not permitted"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp
index 7d9da5e5a..0a19229b4 100755
--- a/test/filters/seccomp-chown.exp
+++ b/test/filters/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-debug-32.exp b/test/filters/seccomp-debug-32.exp
index 098b309f5..677ca4e30 100755
--- a/test/filters/seccomp-debug-32.exp
+++ b/test/filters/seccomp-debug-32.exp
@@ -1,12 +1,15 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "stty -echo\r"
+after 100
+
 send --  "firejail --debug sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
index 4986a6bf6..852abf822 100755
--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -1,24 +1,23 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "stty -echo\r"
+after 100
+
 send --  "firejail --debug sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "SECCOMP Filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "BLACKLIST"
+        "seccomp entries in /run/firejail/mnt/seccomp/seccomp"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "open_by_handle_at"
+        "jeq open_by_handle_at"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -39,15 +38,15 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
@@ -59,15 +58,15 @@ after 100
 send --  "firejail --debug --ignore=seccomp sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 11\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 14\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 15\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 16\n";exit}
@@ -79,18 +78,18 @@ after 100
 send --  "firejail --debug --ignore=protocol sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 17\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 18\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 19\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 20\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 21\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 22\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 23\n";exit}
@@ -106,7 +105,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 25\n";exit}
-        "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 26\n";exit}
@@ -118,18 +117,18 @@ expect {
 send --  "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 27\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 29\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 31\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
-        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
@@ -141,13 +140,13 @@ after 100
 send --  "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 33\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
         "Child process initialized"
 }
 expect {
         timeout {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
-        "Installing /run/firejail/mnt/seccomp seccomp filter"
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
 }
 expect {
         timeout {puts "TESTING ERROR 37\n";exit}
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
index abf093201..e655be848 100755
--- a/test/filters/seccomp-dualfilter.exp
+++ b/test/filters/seccomp-dualfilter.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 1
diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp
index 03e081b34..3baa7f0c6 100755
--- a/test/filters/seccomp-empty.exp
+++ b/test/filters/seccomp-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,11 @@ match_max 100000
 send --  "firejail --debug --seccomp=chmod,fchmod,fchmodat --private\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "VALIDATE_ARCHITECTURE"
+        "seccomp entries in /run/firejail/mnt/seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.0\n";exit}
+        "ld  data.architecture"
 }
 expect {
         timeout {puts "TESTING ERROR 0.1\n";exit}
@@ -34,7 +38,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 0.6\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 expect {
         timeout {puts "TESTING ERROR 0.7\n";exit}
@@ -48,7 +52,11 @@ puts "\n"
 send --  "firejail --debug --seccomp.drop=chmod,fchmod,fchmodat --private\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "VALIDATE_ARCHITECTURE"
+        "seccomp entries in /run/firejail/mnt/seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.0\n";exit}
+        "ld  data.architecture"
 }
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
@@ -66,7 +74,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.6\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 expect {
         timeout {puts "TESTING ERROR 1.7\n";exit}
@@ -80,7 +88,11 @@ sleep 2
 send --  "firejail --debug --profile=seccomp.profile --private\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "VALIDATE_ARCHITECTURE"
+        "seccomp entries in /run/firejail/mnt/seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.0\n";exit}
+        "ld  data.architecture"
 }
 expect {
         timeout {puts "TESTING ERROR 2.1\n";exit}
@@ -104,7 +116,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2.6\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 expect {
         timeout {puts "TESTING ERROR 2.7\n";exit}
@@ -118,7 +130,11 @@ puts "\n"
 send --  "firejail --debug --profile=seccomp-empty.profile --private\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "VALIDATE_ARCHITECTURE"
+        "seccomp entries in /run/firejail/mnt/seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.0\n";exit}
+        "ld  data.architecture"
 }
 expect {
         timeout {puts "TESTING ERROR 3.1\n";exit}
@@ -136,7 +152,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3.6\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 expect {
         timeout {puts "TESTING ERROR 3.7\n";exit}
@@ -145,4 +161,4 @@ expect {
 sleep 2
 send -- "exit\r"
 after 100
-puts "\n"
+puts "all done\n"
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp
index eeb0824f2..6c7c63e88 100755
--- a/test/filters/seccomp-errno.exp
+++ b/test/filters/seccomp-errno.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -20,19 +20,23 @@ sleep 1
 send --  "firejail --seccomp=unlinkat:ENOENT --debug rm seccomp-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "unlinkat 2 ENOENT"
+        "seccomp entries in /run/firejail/mnt/seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "ret ERRNO(2)"
 }
 sleep 1
 
 send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "Child process initialized"
 }
 sleep 1
 send -- "rm seccomp-test-file\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "No such file or directory"
 }
 after 100
@@ -40,7 +44,7 @@ puts "\n"
 
 send -- "mkdir seccomp-test-dir\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "No such file or directory"
 }
 after 100
diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp
new file mode 100755
index 000000000..9a8767ed7
--- /dev/null
+++ b/test/filters/seccomp-join.exp
@@ -0,0 +1,159 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+
+send -- "stty -echo\r"
+after 100
+
+#
+# regular run
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+sleep 1
+
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+
+
+#
+# block secondary
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --seccomp.block-secondary --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+sleep 1
+
+set spawn_id $id2
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+sleep 1
+
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# protocol
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --protocol=inet --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+sleep 1
+
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# memory deny write execute
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 32\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+sleep 1
+
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+puts "all done\n"
diff --git a/test/filters/seccomp-numeric.exp b/test/filters/seccomp-numeric.exp
new file mode 100755
index 000000000..59fc26884
--- /dev/null
+++ b/test/filters/seccomp-numeric.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch seccomp-test-file\r"
+after 100
+
+send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send --  "firejail --seccomp=\\\$263:ENOENT,mkdir:ENOENT rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send --  "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send --  "firejail --seccomp=unlinkat:ENOENT,\\\$83:ENOENT mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "rm seccomp-test-file\r"
+#send -- "rm -fr seccomp-test-dir\r"
+after 100
+puts "all done\n"
diff --git a/test/filters/seccomp-postexec.exp b/test/filters/seccomp-postexec.exp
new file mode 100755
index 000000000..18263520a
--- /dev/null
+++ b/test/filters/seccomp-postexec.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --debug --seccomp=execve\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "configuring postexec seccomp filter in"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "data.architecture"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "monitoring pid"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Sandbox monitor: waitpid"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+
+puts "all done\n"
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
index 2c6d9d25e..ec8ab615c 100755
--- a/test/filters/seccomp-ptrace.exp
+++ b/test/filters/seccomp-ptrace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp
new file mode 100755
index 000000000..1e3827f0f
--- /dev/null
+++ b/test/filters/seccomp-run-files.exp
@@ -0,0 +1,98 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "6"
+}
+send -- "exit\r"
+sleep 1
+
+send --  "firejail --ignore=seccomp --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter" {puts "TESTING ERROR 5\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.64 seccomp filter" {puts "TESTING ERROR 7\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "3"
+}
+send -- "exit\r"
+sleep 1
+
+send --  "firejail --ignore=protocol --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "monitoring"
+}
+after 100
+send -- "ls -l /run/firejail/mnt | grep -c seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "4"
+}
+send -- "exit\r"
+sleep 1
+
+send --  "firejail --memory-deny-write-execute --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "/run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+after 100
+send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "8"
+}
+send -- "exit\r"
+sleep 1
+
+puts "all done\n"
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp
index 62135abb8..4bd8b5e93 100755
--- a/test/filters/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -28,13 +28,6 @@ expect {
         "Bad system call" {puts "OK\n"}
 }
 
-send -- "ping google.com\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Operation not permitted" {puts "OK\n"}
-        "unknown host" {puts "OK\n"}
-}
-
 send -- "exit\r"
 after 100
 puts "all done\n"
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c
index 641eb0c00..55ee31afb 100644
--- a/test/filters/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -1,5 +1,5 @@
 // This file is part of Firejail project
-// Copyright (C) 2014-2017 Firejail Authors
+// Copyright (C) 2014-2021 Firejail Authors
 // License GPL v2
 
 #include <stdlib.h>
@@ -69,7 +69,7 @@ int main(int argc, char **argv) {
         }
         else if (strcmp(argv[1], "mount") == 0) {
                 printf("before mount\n");
-                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0) {
+                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME,  "mode=755,gid=0") < 0) {
                         perror("mount");
                 }
                 printf("after mount\n");
diff --git a/test/firemon-cgroup.exp b/test/firemon-cgroup.exp
deleted file mode 100755
index 482905bb3..000000000
--- a/test/firemon-cgroup.exp
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "firejail --name=bingo1 --cgroup=/sys/fs/cgroup/g1/tasks\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-spawn $env(SHELL)
-send --  "firejail --name=bingo2\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-
-spawn $env(SHELL)
-send -- "firemon --cgroup\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "bingo1"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        ":/g1"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "bingo2"
-}
-sleep 1
-
-puts "\n"
diff --git a/test/fnetfilter/cmdline.exp b/test/fnetfilter/cmdline.exp
new file mode 100755
index 000000000..16e8ccb81
--- /dev/null
+++ b/test/fnetfilter/cmdline.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "fnetfilter\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Usage:"
+}
+after 100
+
+send -- "fnetfilter -h\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Usage:"
+}
+after 100
+
+send -- "fnetfilter -h a b c d\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Usage:"
+}
+after 100
+
+send -- "fnetfilter a b c d\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Usage:"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/firejail-in-firejail2.exp b/test/fnetfilter/copy.exp
index db64d59ed..6c672141f 100755
--- a/test/environment/firejail-in-firejail2.exp
+++ b/test/fnetfilter/copy.exp
@@ -1,51 +1,52 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --noprofile\r"
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter test1.net outfile\r"
+after 100
+
+send -- "cat outfile\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        "*filter"
 }
-sleep 1
-
-send --  "firejail\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Warning: an existing sandbox was detected"
+        "test1"
 }
-after 100
-
-send --  "exit\r"
-after 100
-
-send --  "firejail --force\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "INPUT -m state --state RELATED,ESTABLISHED"
 }
-after 100
-
-send --  "exit\r"
-after 100
-
-send --  "firejail --version\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "firejail version"
+        "disable STUN"
 }
 after 100
 
-send --  "firejail --version --force\r"
+send -- "fnetfilter foo outfile\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "firejail version"
+        "cannot open foo"
 }
 after 100
 
+send -- "fnetfilter test1.net outlocked\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "cannot open outlocked"
+}
+after 100
+
+send -- "rm outfile\r"
+after 100
+
 puts "\nall done\n"
diff --git a/test/fnetfilter/default.exp b/test/fnetfilter/default.exp
new file mode 100755
index 000000000..fee9fb5f3
--- /dev/null
+++ b/test/fnetfilter/default.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "*filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "disable STUN"
+}
+after 100
+
+send -- "fnetfilter test1.net,33\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "cannot open test1.net,33"
+}
+after 100
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fnetfilter/fnetfilter.sh b/test/fnetfilter/fnetfilter.sh
new file mode 100755
index 000000000..9fac92d39
--- /dev/null
+++ b/test/fnetfilter/fnetfilter.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+if [ -f /etc/debian_version ]; then
+        libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
+        export PATH="$PATH:$libdir"
+fi
+
+export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
+
+chmod 400 outlocked
+
+echo "TESTING: fnetfilter cmdline (test/fnetfilter/cmdline.exp)"
+./cmdline.exp
+
+echo "TESTING: fnetfilter default (test/fnetfilter/default.exp)"
+./default.exp
+
+echo "TESTING: fnetfilter copy (test/fnetfilter/copy.exp)"
+./copy.exp
+
+echo "TESTING: fnetfilter template (test/fnetfilter/template.exp)"
+./template.exp
+
+rm -f outfile
diff --git a/test/fs/testdir1/.directory/file b/test/fnetfilter/outlocked
index e69de29bb..e69de29bb 100644
--- a/test/fs/testdir1/.directory/file
+++ b/test/fnetfilter/outlocked
diff --git a/test/fnetfilter/template.exp b/test/fnetfilter/template.exp
new file mode 100755
index 000000000..0ff09a024
--- /dev/null
+++ b/test/fnetfilter/template.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request,3478,3479 outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "*filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "icmp-type echo-reply"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "icmp-type destination-unreachable"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "icmp-type time-exceeded"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "icmp-type echo-request"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "dport 3478"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "dport 3479"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "dport 3478"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "dport 3479"
+}
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "ARG5 on line 14 was not defined"
+}
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "cannot open test2.net,"
+}
+after 100
+
+send -- "fnetfilter test3.net,44 outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "invalid template argument on line 1"
+}
+after 100
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fnetfilter/test1.net b/test/fnetfilter/test1.net
new file mode 100644
index 000000000..ce21f20c2
--- /dev/null
+++ b/test/fnetfilter/test1.net
@@ -0,0 +1,18 @@
+*filter
+# test1
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# echo replay is handled by -m state RELATED/ESTABLISHED above
+#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+# disable STUN
+-A OUTPUT -p udp --dport 3478 -j DROP
+-A OUTPUT -p udp --dport 3479 -j DROP
+-A OUTPUT -p tcp --dport 3478 -j DROP
+-A OUTPUT -p tcp --dport 3479 -j DROP
+COMMIT
diff --git a/test/fnetfilter/test2.net b/test/fnetfilter/test2.net
new file mode 100644
index 000000000..f389cd16d
--- /dev/null
+++ b/test/fnetfilter/test2.net
@@ -0,0 +1,18 @@
+*filter
+# test2
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# echo replay is handled by -m state RELATED/ESTABLISHED above
+#-A INPUT -p icmp --$ARG1 echo-reply -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG2 -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG3 -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG4 -j ACCEPT
+# disable STUN
+-A OUTPUT -p udp --dport $ARG5 -j DROP
+-A OUTPUT -p udp --dport $ARG6 -j DROP
+-A OUTPUT -p tcp --dport $ARG5 -j DROP
+-A OUTPUT -p tcp --dport $ARG6 -j DROP
+COMMIT
diff --git a/test/fnetfilter/test3.net b/test/fnetfilter/test3.net
new file mode 100644
index 000000000..702cb06b3
--- /dev/null
+++ b/test/fnetfilter/test3.net
@@ -0,0 +1 @@
+asdfasdf $ARG asdfasdfdasf
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index e67ccc476..9c3310b31 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -1,53 +1,84 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+# These directories are required by some tests:
+mkdir -p ~/Desktop ~/Documents ~/Downloads ~/Music ~/Pictures ~/Videos
 
 rm -fr ~/_firejail_test_*
 echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)"
 ./mkdir_mkfile.exp
 rm -fr ~/_firejail_test_*
 
-mkdir ~/_firejail_test_dir
-touch ~/_firejail_test_dir/a
-mkdir ~/_firejail_test_dir/test1
-touch ~/_firejail_test_dir/test1/b
+echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
+./mkdir.exp
+rm -fr ~/_firejail_test_*
+rm -fr /tmp/_firejail_test_*
+
 echo "TESTING: read/write (test/fs/read-write.exp)"
 ./read-write.exp
-rm -fr ~/_firejail_test_*
+rm -fr ~/_firejail_test_dir
+
+echo "TESTING: whitelist readonly (test/fs/whitelist-readonly.exp)"
+./whitelist-readonly.exp
+rm -f ~/_firejail_test_dir
 
 echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
 ./sys_fs.exp
 
-echo "TESTING: kmsg access (test/fs/kmsg.exp)"
-./kmsg.exp
+if [ -c /dev/kmsg ]; then
+        echo "TESTING: kmsg access (test/fs/kmsg.exp)"
+        ./kmsg.exp
+else
+        echo "TESTING SKIP: /dev/kmsg not available"
+fi
 
 echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
 ./fs_var_tmp.exp
+rm -f /var/tmp/_firejail_test_file
 
 echo "TESTING: private-lib (test/fs/private-lib.exp)"
 ./private-lib.exp
 
 echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
 ./fs_var_lock.exp
+rm -f /var/lock/_firejail_test_file
 
-echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
-./fs_dev_shm.exp
+if [ -w /dev/shm ]; then
+    echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
+    ./fs_dev_shm.exp
+    rm -f /dev/shm/_firejail_test_file
+else
+    echo "TESTING SKIP: /dev/shm not writable"
+fi
 
 echo "TESTING: private (test/fs/private.exp)"
 ./private.exp
 
 echo "TESTING: private home (test/fs/private-home.exp)"
 ./private-home.exp
+rm -f ~/_firejail_test_file1
+rm -f ~/_firejail_test_file2
+rm -fr ~/_firejail_test_dir1
+rm -f ~/_firejail_test_link1
+rm -f ~/_firejail_test_link2
 
 echo "TESTING: private home dir (test/fs/private-home-dir.exp)"
 ./private-home-dir.exp
+rm -fr ~/_firejail_test_dir1
 
 echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)"
 ./private-homedir.exp
+rm -f ~/_firejail_test_file1
+rm -f ~/_firejail_test_file2
+rm -fr ~/_firejail_test_dir1
+rm -f ~/_firejail_test_link1
+rm -f ~/_firejail_test_link2
 
 echo "TESTING: private-etc (test/fs/private-etc.exp)"
 ./private-etc.exp
@@ -58,15 +89,28 @@ echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
 
+echo "TESTING: private-cache (test/fs/private-cache.exp)"
+./private-cache.exp
+rm -f ~/.cache/abcdefg
+
+echo "TESTING: private-cwd (test/fs/private-cwd.exp)"
+./private-cwd.exp
+
+echo "TESTING: macros (test/fs/macro.exp)"
+./macro.exp
+
 echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
 ./whitelist-empty.exp
+rm -f ~/Videos/_firejail_test_fil
+rm -f ~/Pictures/_firejail_test_file
+rm -f ~/Music/_firejail_test_file
+rm -f ~/Downloads/_firejail_test_file
+rm -f ~/Documents/_firejail_test_file
+rm -f ~/Desktop/_firejail_test_file
 
 echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
 ./private-whitelist.exp
 
-echo "TESTING: whitelist ~/Downloads (test/fs/whitelist-downloads.exp)"
-./whitelist-downloads.exp
-
 echo "TESTING: invalid filename (test/fs/invalid_filename.exp)"
 ./invalid_filename.exp
 
@@ -75,30 +119,45 @@ echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)"
 
 echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
 ./option_blacklist_file.exp
+rm -fr ~/_firejail_test_dir
 
 echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)"
 ./option_blacklist_glob.exp
+rm -fr ~/_firejail_test_dir
+
+echo "TESTING: noblacklist blacklist noexec (test/fs/noblacklist-blacklist-noexec.exp)"
+./noblacklist-blacklist-noexec.exp
+
+echo "TESTING: noblacklist blacklist readonly (test/fs/noblacklist-blacklist-readonly.exp)"
+./noblacklist-blacklist-readonly.exp
 
 echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
 ./option_bind_user.exp
 
-echo "TESTING: recursive mkdir (test/fs/mkdir.exp)"
-./mkdir.exp
-
 echo "TESTING: double whitelist (test/fs/whitelist-double.exp)"
 ./whitelist-double.exp
+rm -f /tmp/_firejail_test_file
 
 echo "TESTING: whitelist (test/fs/whitelist.exp)"
 ./whitelist.exp
+rm -fr ~/_firejail_test_*
 
 echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)"
 ./whitelist-dev.exp
 
+echo "TESTING: whitelist noexec (test/fs/whitelist-noexec.exp)"
+./whitelist-noexec.exp
+
+echo "TESTING: whitelist with whitespaces (test/fs/whitelist-whitespace.exp)"
+./whitelist-whitespace.exp
+
 echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)"
 ./fscheck-bindnoroot.exp
 
 echo "TESTING: fscheck --tmpfs non root (test/fs/fscheck-tmpfs.exp)"
 ./fscheck-tmpfs.exp
+rm -fr ~/_firejail_test_dir
+rm -fr /tmp/_firejail_test_dir
 
 echo "TESTING: fscheck --private= (test/fs/fscheck-private.exp)"
 ./fscheck-private.exp
@@ -107,10 +166,4 @@ echo "TESTING: fscheck --read-only= (test/fs/fscheck-readonly.exp)"
 ./fscheck-readonly.exp
 
 #cleanup
-rm -fr ~/fjtest-dir
-rm -fr ~/fjtest-dir-lnk
-rm -f ~/fjtest-file
-rm -f ~/fjtest-file-lnk
-rm -f /tmp/fjtest-file
-rm -fr /tmp/fjtest-dir
-rm -fr ~/_firejail_test_*
+rm -fr ~/_firejail_test*
diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
index 1d810084c..5f0503494 100755
--- a/test/fs/fs_dev_shm.exp
+++ b/test/fs/fs_dev_shm.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -13,15 +13,16 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
+send -- "stty -echo\r"
 
-send -- "echo mytest > /dev/shm/ttt;echo done\r"
+send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "mytest"
@@ -31,20 +32,19 @@ expect {
         "done"
 }
 
-send -- "rm /dev/shm/ttt;echo done\r"
+send -- "rm /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "mytest" {puts "TESTING ERROR 6\n";exit}
         "done"
 }
-
-sleep 1
+after 100
 send -- "exit\r"
 sleep 1
 
@@ -54,15 +54,16 @@ expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
+send -- "stty -echo\r"
 
-send -- "echo mytest > /dev/shm/ttt;echo done\r"
+send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "mytest"
@@ -72,13 +73,13 @@ expect {
         "done"
 }
 
-send -- "rm /dev/shm/ttt;echo done\r"
+send -- "rm /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "done"
 }
 
-send -- "cat /dev/shm/ttt;echo done\r"
+send -- "cat /dev/shm/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
         "mytest" {puts "TESTING ERROR 13\n";exit}
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp
index 919b75f34..3ea98c3e3 100755
--- a/test/fs/fs_var_lock.exp
+++ b/test/fs/fs_var_lock.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -13,7 +13,8 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
+send -- "stty -echo\r"
 
 send -- "echo mytest > /var/lock/ttt;echo done\r"
 expect {
@@ -44,7 +45,7 @@ expect {
         "done"
 }
 
-sleep 1
+after 100
 send -- "exit\r"
 sleep 1
 
@@ -54,7 +55,8 @@ expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
+send -- "stty -echo\r"
 
 send -- "echo mytest > /var/lock/ttt;echo done\r"
 expect {
diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp
index 50679db6d..c7d4b0c20 100755
--- a/test/fs/fs_var_tmp.exp
+++ b/test/fs/fs_var_tmp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -13,15 +13,16 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
+send -- "stty -echo\r"
 
-send -- "echo mytest > /var/tmp/ttt;echo done\r"
+send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "mytest"
@@ -31,20 +32,20 @@ expect {
         "done"
 }
 
-send -- "rm /var/tmp/ttt;echo done\r"
+send -- "rm /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "mytest" {puts "TESTING ERROR 6\n";exit}
         "done"
 }
 
-sleep 1
+after 100
 send -- "exit\r"
 sleep 1
 
@@ -54,15 +55,16 @@ expect {
         timeout {puts "TESTING ERROR 7\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
+send -- "stty -echo\r"
 
-send -- "echo mytest > /var/tmp/ttt;echo done\r"
+send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
         "mytest"
@@ -72,13 +74,13 @@ expect {
         "done"
 }
 
-send -- "rm /var/tmp/ttt;echo done\r"
+send -- "rm /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "done"
 }
 
-send -- "cat /var/tmp/ttt;echo done\r"
+send -- "cat /var/tmp/_firejail_test_file;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 12\n";exit}
         "mytest" {puts "TESTING ERROR 13\n";exit}
diff --git a/test/fs/fscheck-bindnoroot.exp b/test/fs/fscheck-bindnoroot.exp
index 431092f05..53a3922ee 100755
--- a/test/fs/fscheck-bindnoroot.exp
+++ b/test/fs/fscheck-bindnoroot.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/fs/fscheck-private.exp b/test/fs/fscheck-private.exp
index 1972a683b..ab39b43e1 100755
--- a/test/fs/fscheck-private.exp
+++ b/test/fs/fscheck-private.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/fs/fscheck-readonly.exp b/test/fs/fscheck-readonly.exp
index 4d7528e50..5d4821dea 100755
--- a/test/fs/fscheck-readonly.exp
+++ b/test/fs/fscheck-readonly.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index f8901e336..78b6efb76 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -1,13 +1,55 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-# ..
-send -- "firejail --tmpfs=fscheck-dir\r"
+send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r"
+after 100
+send -- "mkdir /tmp/fjtest-dir\r"
+after 100
+
+if { ! [file exists ~/fjtest-dir/fjtest-dir] } {
+        puts "TESTING ERROR 1\n"
+        exit
+}
+if { ! [file exists /tmp/fjtest-dir] } {
+        puts "TESTING ERROR 2\n"
+        exit
+}
+
+send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+after 500
+
+send -- "ls ~/fjtest-dir/fjtest-dir\r"
 expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Error"
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
 }
+after 500
+
+send -- "exit\r"
+after 500
+
+send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Warning: you are not allowed to mount a tmpfs"
+}
+after 500
+
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
+after 100
+send -- "rm -fr /tmp/fjtest-dir\r"
 after 100
+
+
+puts "\nall done\n"
diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp
index 3d734e852..7c4797976 100755
--- a/test/fs/invalid_filename.exp
+++ b/test/fs/invalid_filename.exp
@@ -1,17 +1,13 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --blacklist=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 1.2\n";exit}
         "Error:"
@@ -22,11 +18,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --cgroup=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 2.2\n";exit}
         "Error:"
@@ -37,12 +29,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Checking filename bla&&bla" {puts "normal system\n"}
-        "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit}
-}
+send -- "firejail --noprofile --chroot=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 3.2\n";exit}
         "Error:"
@@ -53,11 +40,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 4.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --netfilter=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 4.2\n";exit}
         "Error:"
@@ -68,22 +51,14 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 5.2\n";exit}
-        "Error:"
-}
+send -- "firejail --noprofile --output=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 5.3\n";exit}
         "is an invalid filename"
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 6.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 6.2\n";exit}
         "Error:"
@@ -94,11 +69,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 7.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private-bin=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 7.2\n";exit}
         "Error:"
@@ -109,11 +80,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 8.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private-home=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 8.2\n";exit}
         "Error:"
@@ -124,11 +91,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 9.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --noprofile --private-etc=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 9.2\n";exit}
         "Error:"
@@ -139,11 +102,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 10.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --profile=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 10.2\n";exit}
         "Error:"
@@ -154,11 +113,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 11.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --read-only=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 11.2\n";exit}
         "Error:"
@@ -169,11 +124,7 @@ expect {
 }
 after 100
 
-send -- "firejail --debug-check-filename --shell=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 12.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --shell=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 12.2\n";exit}
         "Error:"
@@ -185,11 +136,7 @@ expect {
 after 100
 
 
-send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r"
-expect {
-        timeout {puts "TESTING ERROR 14.1\n";exit}
-        "Checking filename bla&&bla"
-}
+send -- "firejail --whitelist=\"bla&&bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 14.2\n";exit}
         "Error:"
diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp
index 8dd13b129..209cb8d3b 100755
--- a/test/fs/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/macro-blacklist.profile b/test/fs/macro-blacklist.profile
new file mode 100644
index 000000000..2421d1b7c
--- /dev/null
+++ b/test/fs/macro-blacklist.profile
@@ -0,0 +1,6 @@
+blacklist ${VIDEOS}
+blacklist ${DOCUMENTS}
+blacklist ${MUSIC}
+blacklist ${DOWNLOADS}
+blacklist ${PICTURES}
+blacklist ${DESKTOP}
diff --git a/test/fs/macro-readonly.profile b/test/fs/macro-readonly.profile
new file mode 100644
index 000000000..2f3d5bd78
--- /dev/null
+++ b/test/fs/macro-readonly.profile
@@ -0,0 +1,6 @@
+read-only ${VIDEOS}
+read-only ${DOCUMENTS}
+read-only ${MUSIC}
+read-only ${DOWNLOADS}
+read-only ${PICTURES}
+read-only ${DESKTOP}
diff --git a/test/fs/macro-whitelist.profile b/test/fs/macro-whitelist.profile
new file mode 100644
index 000000000..fed7f76fc
--- /dev/null
+++ b/test/fs/macro-whitelist.profile
@@ -0,0 +1,6 @@
+whitelist ${VIDEOS}
+whitelist ${DOCUMENTS}
+whitelist ${MUSIC}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+whitelist ${DESKTOP}
diff --git a/test/fs/macro.exp b/test/fs/macro.exp
new file mode 100755
index 000000000..45e892088
--- /dev/null
+++ b/test/fs/macro.exp
@@ -0,0 +1,174 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --profile=macro-whitelist.profile ls ~\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Desktop"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Documents"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Downloads"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Music"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Pictures"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Videos"
+}
+sleep 1
+
+send -- "firejail --profile=macro-blacklist.profile ls ~/Desktop\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "firejail --profile=macro-blacklist.profile ls ~/Documents\r"
+expect {
+        timeout {puts "TESTING ERROR 9n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "firejail --profile=macro-blacklist.profile ls ~/Downloads\r"
+expect {
+        timeout {puts "TESTING ERROR 11n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 12n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "firejail --profile=macro-blacklist.profile ls ~/Music\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "firejail --profile=macro-blacklist.profile ls ~/Pictures\r"
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "firejail --profile=macro-blacklist.profile ls ~/Videos\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "Permission denied"
+}
+sleep 1
+
+send -- "firejail --profile=macro-readonly.profile touch ~/Desktop/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Read-only file system"
+}
+sleep 1
+
+send -- "firejail --profile=macro-readonly.profile touch ~/Documents/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "Read-only file system"
+}
+sleep 1
+
+send -- "firejail --profile=macro-readonly.profile touch ~/Downloads/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "Read-only file system"
+}
+sleep 1
+
+send -- "firejail --profile=macro-readonly.profile touch ~/Music/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "Read-only file system"
+}
+sleep 1
+
+send -- "firejail --profile=macro-readonly.profile touch ~/Pictures/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 28\n";exit}
+        "Read-only file system"
+}
+sleep 1
+
+send -- "firejail --profile=macro-readonly.profile touch ~/Videos/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 29\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "Read-only file system"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
index 81df7cd86..da04a431c 100755
--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -1,27 +1,49 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2016 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 3
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r"
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
+
+send -- "firejail --profile=mkdir.profile find ~/_firejail_test_dir\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit}
-        "No such file or directory" { puts "TESTING ERROR 1.3\n";exit}
-        ".firejail_test/a/b/c/d.txt"
+        "_firejail_test_dir/_firejail_test_file"
 }
-send -- "rm -rf ~/.firejail_test\r"
+send -- "rm -rf ~/_firejail_test_dir\r"
 after 100
 
-send -- "firejail --profile=mkdir2.profile\r"
+send -- "firejail --profile=mkdir.profile find /tmp/_firejail_test_dir\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "only directories in user home or /tmp"
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "_firejail_test_dir/_firejail_test_file"
 }
+send -- "rm -rf /tmp/_firejail_test_dir\r"
 after 100
 
+set UID [exec id -u]
+set fexist [file exist /run/user/$UID]
+if { $fexist } {
+        send -- "firejail --profile=mkdir.profile find /run/user/$UID/_firejail_test_dir\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "_firejail_test_dir/_firejail_test_file"
+        }
+        send -- "rm -rf /run/user/$UID/_firejail_test_dir\r"
+        after 100
+
+
+        send -- "firejail --profile=mkdir2.profile\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "only files or directories in user home, /tmp, or /run/user/<UID>"
+        }
+        after 100
+}
+
 puts "\nall done\n"
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
index 61b44c9ac..fba93f466 100644
--- a/test/fs/mkdir.profile
+++ b/test/fs/mkdir.profile
@@ -1,2 +1,6 @@
-mkdir ~/.firejail_test/a/b/c
-mkfile ~/.firejail_test/a/b/c/d.txt
+mkdir ~/_firejail_test_dir
+mkfile ~/_firejail_test_dir/_firejail_test_file
+mkdir /tmp/_firejail_test_dir
+mkfile /tmp/_firejail_test_dir/_firejail_test_file
+mkdir ${RUNUSER}/_firejail_test_dir
+mkfile ${RUNUSER}/_firejail_test_dir/_firejail_test_file
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
index 1faa913e0..eddc6ebfb 100755
--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -22,23 +22,23 @@ expect {
         "_firejail_test_dir"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "_firejail_test_dir/dir1"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "_firejail_test_dir/dir1/dir2"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "_firejail_test_dir/dir1/dir2/dir3"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "_firejail_test_dir/dir1/dir2/dir3/file1"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "_firejail_test_file"
 }
 after 100
@@ -47,8 +47,8 @@ after 100
 
 send -- "firejail --profile=mkfile.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "only files in user home or /tmp"
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "only files or directories in user home, /tmp"
 }
 after 100
 
diff --git a/test/fs/noblacklist-blacklist-noexec.exp b/test/fs/noblacklist-blacklist-noexec.exp
new file mode 100755
index 000000000..9f5794a7d
--- /dev/null
+++ b/test/fs/noblacklist-blacklist-noexec.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set PWD $env(PWD)
+
+
+send -- "firejail --noprofile --noblacklist=$PWD --blacklist=$PWD --noexec=$PWD\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls $PWD\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "noblacklist-blacklist-noexec.exp"
+}
+after 100
+
+send -- "$PWD/noblacklist-blacklist-noexec.exp\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/option_readonly.exp b/test/fs/noblacklist-blacklist-readonly.exp
index d776ed823..558d3ac9c 100755
--- a/test/option_readonly.exp
+++ b/test/fs/noblacklist-blacklist-readonly.exp
@@ -1,25 +1,35 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --read-only=tmpreadonly\r"
+
+send -- "firejail --noprofile --noblacklist=~ --blacklist=~ --read-only=~\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "touch tmpreadonly;pwd\r"
+send -- "ls ~\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Read-only file system"
+        "Downloads"
 }
+after 100
+
+send -- "echo World > ~/Hello\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
+        "Read-only file system"
 }
+after 100
+
+send -- "exit\r"
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fs/option_bind_user.exp b/test/fs/option_bind_user.exp
index 7ec55d82f..08b892121 100755
--- a/test/fs/option_bind_user.exp
+++ b/test/fs/option_bind_user.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp
index bf2a57999..48dfcc069 100755
--- a/test/fs/option_blacklist.exp
+++ b/test/fs/option_blacklist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -12,7 +12,8 @@ expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
+send -- "stty -echo\r"
 
 send -- "ls -l /var;echo done\r"
 expect {
@@ -34,4 +35,4 @@ expect {
 }
 after 100
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
index 6f789a792..247e69121 100755
--- a/test/fs/option_blacklist_file.exp
+++ b/test/fs/option_blacklist_file.exp
@@ -1,10 +1,18 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --blacklist=/etc/passwd\r"
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+
+send -- "firejail --blacklist=/etc/passwd --blacklist=~/_firejail_test_dir\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -14,6 +22,16 @@ sleep 1
 send -- "cat /etc/passwd;echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
+        "No such file or directory"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "done"
+}
+after 100
+send -- "cat ~/_firejail_test_dir/a;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
         "Permission denied"
 }
 expect {
@@ -22,4 +40,10 @@ expect {
 }
 after 100
 
-puts "\n"
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp
index 3de1f736d..a4be4a97d 100755
--- a/test/fs/option_blacklist_glob.exp
+++ b/test/fs/option_blacklist_glob.exp
@@ -1,32 +1,47 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --blacklist=testdir1/*\r"
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
+
+send -- "firejail --blacklist=~/_firejail_test_dir/*\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
-send -- "cd testdir1\r"
+send -- "cd ~/_firejail_test_dir\r"
 sleep 1
 
-send -- "cat .file\r"
+send -- "cat a\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Permission denied"
 }
 
-send -- "ls .directory\r"
+send -- "ls test1\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Permission denied"
 }
 after 100
 
-puts "\n"
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp
index 8403b8442..b5d205780 100755
--- a/test/fs/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -68,19 +68,19 @@ send -- "exit\r"
 after 100
 
 
-send -- "firejail --debug --private-bin=/etc/shadow \r"
+send -- "firejail --private-bin=/etc/shadow\r"
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
-        "Warning: file /etc/shadow not found"
+        "Warning: invalid private-bin path /etc/shadow"
 }
-after 100
+after 300
 
 send -- "firejail --private-bin=\"bla;bla\"\r"
 expect {
         timeout {puts "TESTING ERROR 14\n";exit}
         "is an invalid filename"
 }
-after 100
+after 300
 
 send -- "firejail --private-etc=../bin/ls\r"
 expect {
@@ -88,5 +88,5 @@ expect {
         "is an invalid filename"
 }
 
-after 100
+after 300
 puts "\nall done\n"
diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp
new file mode 100755
index 000000000..3244c21c1
--- /dev/null
+++ b/test/fs/private-cache.exp
@@ -0,0 +1,42 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "mkdir --mode=700 ~/.cache\r"
+after 100
+
+send -- "touch ~/.cache/abcdefg\r"
+after 100
+
+if { ! [file exists ~/.cache/abcdefg] } {
+        puts "TESTING ERROR 0\n"
+        exit
+}
+
+send -- "firejail --noprofile --private-cache\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/.cache\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "total 0"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+# cleanup
+send -- "rm ~/.cache/abcdefg\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp
new file mode 100755
index 000000000..54804a6a6
--- /dev/null
+++ b/test/fs/private-cwd.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "cd /tmp\r"
+after 100
+
+# testing profile and private
+send -- "firejail --private-cwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "$env(HOME)"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "cd /\r"
+after 100
+
+# testing profile and private
+send -- "firejail --private-cwd=/tmp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/tmp"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "all done\n"
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
index b91da07f3..9be18f9bd 100755
--- a/test/fs/private-etc-empty.exp
+++ b/test/fs/private-etc-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp
index a2223b593..7d0e9f619 100755
--- a/test/fs/private-etc.exp
+++ b/test/fs/private-etc.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -64,9 +64,6 @@ expect {
 }
 after 100
 
-
-
-
-
+send -- "exit\r"
 after 100
 puts "\nall done\n"
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
index 9c97ff4ea..bd8cab16f 100755
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -21,13 +21,13 @@ if {[file exists ~/.Xauthority]} {
         send -- "touch ~/.Xauthority\r"
 }
 after 100
-send -- "rm -fr ~/_firejail_test_dir_\r"
+send -- "rm -fr ~/_firejail_test_dir1_\r"
 after 100
-send -- "mkdir ~/_firejail_test_dir_\r"
+send -- "mkdir ~/_firejail_test_dir1_\r"
 sleep 1
 
 # testing profile and private
-send -- "firejail --private=~/_firejail_test_dir_\r"
+send -- "firejail --private=~/_firejail_test_dir1_\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -64,41 +64,15 @@ sleep 1
 send -- "firejail --private=/etc\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "private directory should be owned by the current user"
+        "private directory is not owned by the current user"
 }
 sleep 1
-send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+send -- "mkdir ~/_firejail_test_dir1_/test_dir_2\r"
 after 100
-send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+send -- "touch ~/_firejail_test_dir1_/test_dir_2/testfile\r"
 sleep 1
 
-send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Not blacklist"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "test_dir_2"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
-}
-
-sleep 1
-
-send -- "find ~\r"
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "testfile"
-}
-after 100
-
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir1_\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
         "Disable"
@@ -124,7 +98,8 @@ after 100
 send "exit\r"
 sleep 1
 
-send -- "rm -fr ~/_firejail_test_dir_\r"
+send -- "rm -fr ~/_firejail_test_dir1\r"
 after 100
 
+
 puts "\nall done\n"
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp
index 11fd52563..6fbe8b0f6 100755
--- a/test/fs/private-home.exp
+++ b/test/fs/private-home.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -95,8 +95,19 @@ expect {
         "broken symbolic link"
 }
 send -- "exit\r"
+sleep 1
 
-send -- "rm -f ~/_firejail_test*\r"
+send -- "echo cleanup\r"
+after 100
+send -- "rm -f ~/_firejail_test_file1\r"
+after 100
+send -- "rm -f ~/_firejail_test_file2\r"
+after 100
+send -- "rm -fr ~/_firejail_test_dir1\r"
+after 100
+send -- "rm -f ~/_firejail_test_link1\r"
+after 100
+send -- "rm -f ~/_firejail_test_link2\r"
 after 100
 
 puts "\nall done\n"
diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp
index 78dfdc1c4..78fb705ec 100755
--- a/test/fs/private-homedir.exp
+++ b/test/fs/private-homedir.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private-lib.exp b/test/fs/private-lib.exp
index dd418da0f..f32affabb 100755
--- a/test/fs/private-lib.exp
+++ b/test/fs/private-lib.exp
@@ -1,38 +1,42 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
+
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo \r"
+send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo,stty \r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
 after 100
+send -- "stty -echo\r"
+after 100
 
-send -- "find /bin; echo done\r"
+send -- "cd /bin; find .\; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
+#       "grep" {puts "TESTING ERROR 3\n";exit}
         "rm" {puts "TESTING ERROR 3\n";exit}
         "cp" {puts "TESTING ERROR 4\n";exit}
         "done"
 }
 after 100
 
-send -- "find /lib; echo done\r"
+send -- "cd /lib; find .\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "modules" {puts "TESTING ERROR 6\n";exit}
-        "firmware" {puts "TESTING ERROR 7\n";exit}
+        "./modules" {puts "TESTING ERROR 6\n";exit}
+        "./firmware" {puts "TESTING ERROR 7\n";exit}
         "libc.so"
 }
 after 100
 
-send -- "find /usr/lib; echo done\r"
+send -- "cd /usr/lib; find .\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "grub" {puts "TESTING ERROR 9\n";exit}
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp
index bbb1a757c..1879a3d54 100755
--- a/test/fs/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/private.exp b/test/fs/private.exp
index e522ca5a1..d4f7fc893 100755
--- a/test/fs/private.exp
+++ b/test/fs/private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp
index c648f83dd..6c0f755da 100755
--- a/test/fs/read-write.exp
+++ b/test/fs/read-write.exp
@@ -1,12 +1,20 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
 
 send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r"
 expect {
@@ -32,4 +40,9 @@ expect {
 }
 
 after 100
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
 puts "\nall done\n"
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
index 23ae410be..de7fadf6c 100755
--- a/test/fs/sys_fs.exp
+++ b/test/fs/sys_fs.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file
deleted file mode 100644
index e69de29bb..000000000
--- a/test/fs/testdir1/.file
+++ /dev/null
diff --git a/test/fs/testfile1 b/test/fs/testfile1
deleted file mode 100644
index e69de29bb..000000000
--- a/test/fs/testfile1
+++ /dev/null
diff --git a/test/fs/user-dirs.dirs b/test/fs/user-dirs.dirs
deleted file mode 100644
index ea3a3a4c2..000000000
--- a/test/fs/user-dirs.dirs
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file is written by xdg-user-dirs-update
-# If you want to change or add directories, just edit the line you're
-# interested in. All local changes will be retained on the next run
-# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
-# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
-# absolute path. No other format is supported.
-#
-XDG_DESKTOP_DIR="$HOME/Desktop"
-XDG_DOWNLOAD_DIR="$HOME/Downloads"
-XDG_TEMPLATES_DIR="$HOME/Templates"
-XDG_PUBLICSHARE_DIR="$HOME/Public"
-XDG_DOCUMENTS_DIR="$HOME/Documents"
-XDG_MUSIC_DIR="$HOME/Music"
-XDG_PICTURES_DIR="$HOME/Pictures"
-XDG_VIDEOS_DIR="$HOME/Videos"
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index b6ae6319f..d0466bbeb 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,26 +14,26 @@ expect {
 }
 sleep 1
 
-send -- "find /dev | wc -l\r"
+send -- "ls /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "2"
+        "1"
 }
 after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
+send -- "firejail --whitelist=/dev/null --whitelist=/dev/random\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "find /dev | wc -l\r"
+send -- "ls /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "4"
+        "2"
 }
 after 100
 send -- "exit\r"
@@ -46,9 +46,11 @@ expect {
 }
 sleep 1
 
-send -- "ls -l /dev | wc -l\r"
+send -- "ls /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
+        "10" {puts "OK\n"}
+        "11" {puts "OK\n"}
         "12" {puts "OK\n"}
         "13" {puts "OK\n"}
         "14" {puts "OK\n"}
@@ -56,6 +58,12 @@ expect {
         "16" {puts "OK\n"}
         "17" {puts "OK\n"}
         "18" {puts "OK\n"}
+        "19" {puts "OK\n"}
+        "20" {puts "OK\n"}
+        "21" {puts "OK\n"}
+        "22" {puts "OK\n"}
+        "23" {puts "OK\n"}
+        "24" {puts "OK\n"}
 }
 after 100
 
diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp
index ac6adc165..e653517a6 100755
--- a/test/fs/whitelist-double.exp
+++ b/test/fs/whitelist-double.exp
@@ -1,23 +1,23 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "echo 123 > /tmp/firejal-deleteme\r"
+send -- "echo 123 > /tmp/_firejail_test_file\r"
 sleep 1
 
-send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r"
+send -- "firejail --whitelist=/tmp/_firejail_test_file --whitelist=/tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
 }
 sleep 1
 
-send -- "cat /tmp/firejal-deleteme\r"
+send -- "cat /tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "123"
@@ -26,13 +26,13 @@ expect {
 send -- "exit\r"
 sleep 1
 
-send -- "cat /tmp/firejal-deleteme\r"
+send -- "cat /tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "123"
 }
 
-send -- "rm -v /tmp/firejal-deleteme\r"
+send -- "rm -v /tmp/_firejail_test_file\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "removed"
diff --git a/test/fs/whitelist-downloads.exp b/test/fs/whitelist-downloads.exp
deleted file mode 100755
index ab411ca08..000000000
--- a/test/fs/whitelist-downloads.exp
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "cp user-dirs.dirs /tmp/.\r"
-after 100
-
-send -- "firejail --private --noprofile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-after 100
-
-send -- "firejail --force --ignore=shell --profile=/etc/firejail/firefox.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "cannot whitelist Downloads directory"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Child process initialized"
-}
-after 100
-
-send -- "exit\r"
-after 100
-
-send -- "cp /tmp/user-dirs.dirs ~/.config/.\r"
-after 100
-
-send -- "firejail --force --ignore=shell --profile=/etc/firejail/firefox.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "cannot whitelist Downloads directory"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Child process initialized"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp
index 9e4406263..dbc04cf30 100755
--- a/test/fs/whitelist-empty.exp
+++ b/test/fs/whitelist-empty.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 30
diff --git a/test/fs/whitelist-noexec.exp b/test/fs/whitelist-noexec.exp
new file mode 100755
index 000000000..e1c39b66f
--- /dev/null
+++ b/test/fs/whitelist-noexec.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set PWD $env(PWD)
+
+
+send -- "firejail --noprofile --whitelist=$PWD --noexec=$PWD\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls $PWD\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "whitelist-noexec.exp"
+}
+after 100
+
+send -- "$PWD/whitelist-noexec.exp\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/fs/whitelist-readonly.exp b/test/fs/whitelist-readonly.exp
new file mode 100755
index 000000000..f9d78b7c0
--- /dev/null
+++ b/test/fs/whitelist-readonly.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "mkdir ~/_firejail_test_dir\r"
+after 100
+send -- "touch ~/_firejail_test_dir/a\r"
+after 100
+send -- "mkdir ~/_firejail_test_dir/test1\r"
+after 100
+send -- "touch ~/_firejail_test_dir/test1/b\r"
+after 100
+
+send -- "firejail --noprofile --whitelist=~/_firejail_test_dir --read-only=~\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > ~/_firejail_test_dir/a\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Read-only file system"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir\r"
+after 100
+puts "\nall done\n"
diff --git a/test/fs/whitelist-whitespace.exp b/test/fs/whitelist-whitespace.exp
new file mode 100755
index 000000000..1b1c4c1cb
--- /dev/null
+++ b/test/fs/whitelist-whitespace.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch ~/filewith\\\ \\\ many\\\ whitespaces\\\ \r"
+after 100
+
+send -- "firejail --noprofile --whitelist=~/filewith\\\ \\\ many\\\ whitespaces\\\ \r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls ~\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "filewith  many whitespaces "
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "rm -v ~/filewith\\\ \\\ many\\\ whitespaces\\\ \r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "removed"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
index 2988209d3..dcc2276b8 100755
--- a/test/fs/whitelist.exp
+++ b/test/fs/whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -16,10 +16,7 @@ send -- "rm ~/fjtest-file\r"
 after 200
 send -- "rm ~/fjtest-file-lnk\r"
 after 200
-send -- "rm /tmp/fjtest-file\r"
-after 200
-send -- "rm -fr /tmp/fjtest-dir\r"
-after 200
+
 
 
 # simple files and directories
@@ -149,63 +146,7 @@ expect {
 send -- "exit\r"
 sleep 1
 
-# symlinks outside home to a file we don't own
-send -- "rm ~/fjtest-file-lnk\r"
-after 200
-send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r"
-after 200
-send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 30\n";exit}
-        "invalid whitelist path"
-}
-expect {
-        timeout {puts "TESTING ERROR 31\n";exit}
-        "cannot sync with peer"
-}
-sleep 1
-
-# symlinks outside home to a file we own
-send -- "rm -fr ~/fjtest-dir-lnk\r"
-after 200
-send -- "rm ~/fjtest-file-lnk\r"
-after 200
-send -- "echo 123 > /tmp/fjtest-file\r"
-after 200
-send -- "mkdir /tmp/fjtest-dir\r"
-after 200
-send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r"
-after 200
-send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r"
-after 200
-send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r"
-after 200
-send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 40\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -l ~/ | grep -v total | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 41\n";exit}
-        "2"
-}
 
-send -- "cat ~/fjtest-file-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 42\n";exit}
-        "123"
-}
-
-send -- "cat ~/fjtest-dir-lnk/fjtest-file\r"
-expect {
-        timeout {puts "TESTING ERROR 43\n";exit}
-        "123"
-}
-send -- "exit\r"
-sleep 1
 
 # cleanup
 send -- "rm -fr ~/fjtest-dir\r"
@@ -216,10 +157,5 @@ send -- "rm ~/fjtest-file\r"
 after 200
 send -- "rm ~/fjtest-file-lnk\r"
 after 200
-send -- "rm /tmp/fjtest-file\r"
-after 200
-send -- "rm -fr /tmp/fjtest-dir\r"
-after 200
-
 
 puts "\nall done\n"
diff --git a/test/fs_chroot_asroot.exp b/test/fs_chroot_asroot.exp
deleted file mode 100755
index 000ce96f7..000000000
--- a/test/fs_chroot_asroot.exp
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail  --chroot=/tmp/chroot\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "cd /home;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "home"
-}
-sleep 1
-send -- "bash\r"
-sleep 1
-send -- "ls /; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.2\n";exit}
-        "this-is-my-chroot"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.3\n";exit}
-        "home"
-}
-
-send -- "umount /boot; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.4\n";exit}
-        "Bad system call"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.5\n";exit}
-        "home"
-}
-
-send -- "/unchroot; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.6\n";exit}
-        "Bad system call"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.7\n";exit}
-        "home"
-}
-
-
-
-
-
-send -- "ps aux; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "/bin/bash"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "bash"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "ps aux"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 1
-
-
-send -- "ps aux |wc -l; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "6"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
-}
-sleep 1
-
-
-
-
-puts "all done\n"
diff --git a/test/fs_sys.exp b/test/fs_sys.exp
deleted file mode 100755
index 05023994c..000000000
--- a/test/fs_sys.exp
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --net=br0\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "find /sys | grep --color=never eth0;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "/sys/class/net/eth0"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "home"
-}
-sleep 1
-
-send -- "find /sys | grep --color=never br0;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "/sys/class/net/br0" {puts "TESTING ERROR 5\n";exit}
-        "home"
-}
-sleep 1
-
-puts "\n"
diff --git a/test/fscheck-blacklist.exp b/test/fscheck-blacklist.exp
deleted file mode 100755
index c71d1fdfd..000000000
--- a/test/fscheck-blacklist.exp
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# dir
-send -- "firejail --net=br0 --blacklist=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Error"
-}
-after 100
diff --git a/test/fscheck-chroot.exp b/test/fscheck-chroot.exp
deleted file mode 100755
index 00013e462..000000000
--- a/test/fscheck-chroot.exp
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# dir
-#send -- "firejail --net=br0 --chroot=fscheck-dir\r"
-#expect {
-#       timeout {puts "TESTING ERROR 0\n";exit}
-#       "Error"
-#}
-#after 100
-
-# ..
-send -- "firejail --net=br0 --chroot=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Error"
-}
-after 100
-
-# dir link
-send -- "firejail --net=br0 --chroot=fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --chroot=../test/fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Error"
-}
-after 100
-
-# file link
-send -- "firejail --net=br0 --chroot=fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# file
-send -- "firejail --net=br0 --chroot=fscheck-file\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --chroot=../test/fscheck-file\r"
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Error"
-}
-after 100
-
-# no file
-send -- "firejail --net=br0 --chroot=../test/nodir\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Error"
-}
-after 100
-
-# same owner
-#send -- "firejail --net=br0 --chroot=/etc\r"
-#expect {
-#       timeout {puts "TESTING ERROR 4\n";exit}
-#       "Error"
-#}
-#after 100
diff --git a/test/fscheck-netfilter.exp b/test/fscheck-netfilter.exp
deleted file mode 100755
index d2339c8b9..000000000
--- a/test/fscheck-netfilter.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# dir
-send -- "firejail --net=br0 --netfilter=fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --netfilter=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Error"
-}
-after 100
-
-# dir link
-send -- "firejail --net=br0 --netfilter=fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --netfilter=../test/fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Error"
-}
-after 100
-
-# file link
-send -- "firejail --net=br0 --netfilter=fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --netfilter=../test/fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# no file
-send -- "firejail --net=br0 --netfilter=../test/nofile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Error"
-}
-after 100
-
-# real GID/UID
-send -- "firejail --net=br0 --netfilter=/etc/shadow\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Error"
-}
-after 100
diff --git a/test/fscheck-output.exp b/test/fscheck-output.exp
deleted file mode 100755
index 0b444d6ba..000000000
--- a/test/fscheck-output.exp
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# dir
-send -- "firejail --net=br0 --output=fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --output=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Error"
-}
-after 100
-
-# dir link
-send -- "firejail --net=br0 --output=fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --output=../test/fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Error"
-}
-after 100
-
-# file link
-send -- "firejail --net=br0 --output=fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --output=../test/fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Error"
-}
-after 100
-
-# hard link1
-send -- "firejail --net=br0 --output=fscheck-file-hard1\r"
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Error"
-}
-after 100
-
-# hard link2
-send -- "firejail --net=br0 --output=fscheck-file-hard2\r"
-expect {
-        timeout {puts "TESTING ERROR 2.3\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --output=../test/fscheck-file-hard1\r"
-expect {
-        timeout {puts "TESTING ERROR 2.4\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --output=../test/fscheck-file-hard2\r"
-expect {
-        timeout {puts "TESTING ERROR 2.5\n";exit}
-        "Error"
-}
-after 100
-
-
-
-
-# no file
-send -- "firejail --net=br0 --output=../test/nofile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Error"
-}
-after 100
-
-# real GID/UID
-send -- "firejail --net=br0 --output=/etc/shadow\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Error"
-}
-after 100
diff --git a/test/fscheck-privatekeep.exp b/test/fscheck-privatekeep.exp
deleted file mode 100755
index 6cbf98d96..000000000
--- a/test/fscheck-privatekeep.exp
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# dir
-#send -- "firejail --net=br0 --private-home=fscheck-dir\r"
-#expect {
-#       timeout {puts "TESTING ERROR 0\n";exit}
-#       "Error"
-#}
-#after 100
-
-# ..
-send -- "firejail --net=br0 --private-home=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Error"
-}
-after 100
-
-# dir link
-send -- "firejail --net=br0 --private-home=fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --private-home=../test/fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Error"
-}
-after 100
-
-# file link
-send -- "firejail --net=br0 --private-home=fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# file
-#send -- "firejail --net=br0 --private-home=fscheck-file\r"
-#expect {
-#       timeout {puts "TESTING ERROR 2.1\n";exit}
-#       "Error"
-#}
-#after 100
-
-# ..
-send -- "firejail --net=br0 --private-home=../test/fscheck-file\r"
-expect {
-        timeout {puts "TESTING ERROR 2.2\n";exit}
-        "Error"
-}
-after 100
-
-# no dir
-send -- "firejail --net=br0 --private-home=../test/nodir\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Error"
-}
-after 100
-
-# no file
-send -- "firejail --net=br0 --private-home=../test/nofile\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Error"
-}
-after 100
-
-# same owner
-send -- "firejail --net=br0 --private=/etc\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Error"
-}
-after 100
-
-# same owner
-send -- "firejail --net=br0 --private=/etc/shadow\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Error"
-}
-after 100
diff --git a/test/fscheck-profile.exp b/test/fscheck-profile.exp
deleted file mode 100755
index d7d7c7cd1..000000000
--- a/test/fscheck-profile.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# dir
-send -- "firejail --net=br0 --profile=fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --profile=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "Error"
-}
-after 100
-
-# dir link
-send -- "firejail --net=br0 --profile=fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --profile=../test/fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Error"
-}
-after 100
-
-# file link
-send -- "firejail --net=br0 --profile=fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --profile=../test/fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# no file
-send -- "firejail --net=br0 --profile=../test/nofile\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Error"
-}
-after 100
-
-# real GID/UID
-send -- "firejail --net=br0 --profile=/etc/shadow\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Error"
-}
-after 100
diff --git a/test/fscheck-shell.exp b/test/fscheck-shell.exp
deleted file mode 100755
index 6a3b5829c..000000000
--- a/test/fscheck-shell.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# dir
-send -- "firejail --net=br0 --shell=fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --shell=../test/fscheck-dir\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "Error"
-}
-after 100
-
-# dir link
-send -- "firejail --net=br0 --shell=fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Error"
-}
-after 100
-
-# ..
-send -- "firejail --net=br0 --shell=../test/fscheck-dir-link\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Error"
-}
-after 100
-
-# file link
-#send -- "firejail --net=br0 --shell=fscheck-file-link\r"
-#expect {
-#       timeout {puts "TESTING ERROR 4\n";exit}
-#       "Error"
-#}
-#after 100
-
-# ..
-send -- "firejail --net=br0 --shell=../test/fscheck-file-link\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Error"
-}
-after 100
-
-# no file
-send -- "firejail --net=br0 --shell=../test/nofile\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Error"
-}
-after 100
-
-# real GID/UID
-send -- "firejail --net=br0 --shell=/etc/shadow\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "Error"
-}
-after 100
diff --git a/test/fscheck.sh b/test/fscheck.sh
deleted file mode 100755
index 009f33043..000000000
--- a/test/fscheck.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-
-mkdir fscheck-dir
-ln -s fscheck-dir fscheck-dir-link
-touch fscheck-file
-ln -s fscheck-file fscheck-file-link
-touch fscheck-file-hard1
-ln fscheck-file-hard1 fscheck-file-hard2
-
-echo "TESTING: fscheck netfilter"
-./fscheck-netfilter.exp
-echo "TESTING: fscheck shell"
-./fscheck-shell.exp
-echo "TESTING: fscheck private"
-./fscheck-private.exp
-echo "TESTING: fscheck private keep"
-./fscheck-privatekeep.exp
-echo "TESTING: fscheck profile"
-./fscheck-profile.exp
-echo "TESTING: fscheck chroot"
-./fscheck-chroot.exp
-echo "TESTING: fscheck output"
-./fscheck-output.exp
-echo "TESTING: fscheck bind nonroot"
-./fscheck-bindnoroot.exp
-echo "TESTING: fscheck tmpfs"
-./fscheck-tmpfs.exp
-echo "TESTING: fscheck readonly"
-./fscheck-readonly.exp
-echo "TESTING: fscheck blacklist"
-./fscheck-blacklist.exp
-
-
-rm -fr fscheck-dir
-rm -fr fscheck-dir-link
-rm -fr fscheck-file-link
-rm -fr fscheck-file
-rm -fr fscheck-file-hard1
-rm -fr fscheck-file-hard2
diff --git a/test/hidepid-howto b/test/hidepid-howto
new file mode 100644
index 000000000..0fa1e5d86
--- /dev/null
+++ b/test/hidepid-howto
@@ -0,0 +1,25 @@
+1. Find an unused user group for hidepid exception:
+
+$ id
+uid=1000(netblue) gid=100(users) groups=100(users),10(wheel),90(network),
+92(audio),93(optical),95(storage),98(power)
+
+From /etc/group I pick up a group I am not part of:
+
+$ cat /etc/group
+[...]
+xmms2:x:618:
+rtkit:x:133:
+vboxsf:x:109:
+git:x:617:
+[...]
+
+I'll use group 618 (xmms2)
+
+2. Set hidepid and allow xmms2 users to bypass hidepid
+
+$ sudo mount -o remount,rw,hidepid=2,gid=618 /proc
+$ cat /proc/mounts | grep proc
+proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=618,hidepid=2 0 0
+
+3. Test "firejail --list", "firejail --top", "firejail --tree", "firejail --netstats"
diff --git a/test/login_ssh.exp b/test/login_ssh.exp
deleted file mode 100755
index db0721d25..000000000
--- a/test/login_ssh.exp
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "ssh bingo@0\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "password:" {
-                puts "\nTESTING: please enter SSH password"
-                set oldmode [stty -echo -raw]
-                expect_user -re "(.*)\n"
-                send_user "\n"
-                eval stty $oldmode
-#               stty echo
-                set pass $expect_out(1,string)
-                send -- "$pass\r"
-                puts "TESTING: password sent to the server"
-        }
-        "Child process initialized"
-}
-sleep 1
-
-# test default gw
-send -- "bash\r"
-sleep 1
-send -- "ps aux; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "/bin/bash"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "bash"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "ps aux"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "home"
-}
-sleep 1
-
-
-send -- "ps aux |wc -l; pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "6"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "home"
-}
-sleep 1
-
-puts "\nall done\n"
diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp
index 88b06ee3d..d608128f8 100755
--- a/test/network/4bridges_arp.exp
+++ b/test/network/4bridges_arp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp
index e7308c106..586dfcba9 100755
--- a/test/network/4bridges_ip.exp
+++ b/test/network/4bridges_ip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/README b/test/network/README
index 4404c53b0..1e215b41e 100644
--- a/test/network/README
+++ b/test/network/README
@@ -1,7 +1,7 @@
 Warning: this test requires root access to configure a number of bridge, mac
 and vlan devices. Please take a look at configure file. By the time you are
 finished testing, you'll probably have to reboot the computer to get your
-networking subsytem back to normal.
+networking subsystem back to normal.
 
 Limitations - to be investigated and fixed:
         - the test is assuming an eth0 wired interface to be present
diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp
index 25845c728..d73669ebe 100755
--- a/test/network/bandwidth.exp
+++ b/test/network/bandwidth.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -50,10 +50,13 @@ sleep 1
 send -- "firejail --bandwidth=test clear br0\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Removing bandwith limits"
+        "Removing bandwidth limits"
 }
 sleep 1
 
+send -- "stty -echo\r"
+after 100
+
 send -- "firejail --bandwidth=test status; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
diff --git a/test/network/configure b/test/network/configure
index 9d47fe69e..f75e9b23f 100755
--- a/test/network/configure
+++ b/test/network/configure
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 brctl addbr br0
@@ -10,6 +10,8 @@ iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE
 # port forwarding
 # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80
 
+brctl addbr br-unconfigured
+ifconfig br-unconfigured up
 brctl addbr br1
 ifconfig br1 10.10.30.1/24 up
 brctl addbr br2
diff --git a/test/network/dns-print.exp b/test/network/dns-print.exp
index 9cdc14a6d..5ee4c0d19 100755
--- a/test/network/dns-print.exp
+++ b/test/network/dns-print.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp
index 71fa1660f..8e0a0b1b0 100755
--- a/test/network/firemon-arp.exp
+++ b/test/network/firemon-arp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp
index f70d64dce..494496a26 100755
--- a/test/network/firemon-interfaces.exp
+++ b/test/network/firemon-interfaces.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp
index 19a705778..a1ded08c1 100755
--- a/test/network/firemon-route.exp
+++ b/test/network/firemon-route.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/network/hostname.exp b/test/network/hostname.exp
index 0acb6a5ac..825f1f6cf 100755
--- a/test/network/hostname.exp
+++ b/test/network/hostname.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -13,6 +13,8 @@ expect {
         "Child process initialized"
 }
 sleep 1
+send -- "stty -echo\r"
+after 100
 
 send -- "ping -c 3 bingo; echo done\r"
 expect {
diff --git a/test/network/interface.exp b/test/network/interface.exp
index f631b805b..78178e233 100755
--- a/test/network/interface.exp
+++ b/test/network/interface.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 #
 # interface
 #
diff --git a/test/network/ip6.exp b/test/network/ip6.exp
index 26780e167..ed29964c6 100755
--- a/test/network/ip6.exp
+++ b/test/network/ip6.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Installing network filter"
+        "Installing IPv6 firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -46,10 +46,12 @@ send -- "exit\r"
 sleep 2
 
 
+
+
 send -- "firejail --debug --profile=ip6.profile\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Installing network filter"
+        "Installing IPv6 firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
@@ -82,7 +84,17 @@ expect {
 }
 
 send -- "exit\r"
+sleep 2
 
+send -- "firejail --debug --netfilter6=ipv6.net\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Installing IPv6 firewall" {puts "TESTING ERROR 12\n";exit}
+        "Child process initialized"
+}
 after 100
+send -- "exit\r"
 
+
+after 100
 puts "\nall done\n"
diff --git a/test/network/iprange.exp b/test/network/iprange.exp
index c8a96b560..2690a128a 100755
--- a/test/network/iprange.exp
+++ b/test/network/iprange.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -29,9 +29,9 @@ expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
 send -- "exit\r"
-sleep 2
+sleep 1
 
 send -- "firejail --profile=iprange.profile\r"
 expect {
@@ -55,9 +55,9 @@ expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
 send -- "exit\r"
-sleep 2
+sleep 1
 
 
 
diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp
index 98ed8d9f1..84912cddd 100755
--- a/test/network/net_arp.exp
+++ b/test/network/net_arp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp
index 54f1858ca..b09f4d192 100755
--- a/test/network/net_badip.exp
+++ b/test/network/net_badip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp
index 1eee2c252..19dd94dbd 100755
--- a/test/network/net_defaultgw.exp
+++ b/test/network/net_defaultgw.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp
index 58f8f9edd..4f5864822 100755
--- a/test/network/net_defaultgw2.exp
+++ b/test/network/net_defaultgw2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp
index 7762e98d6..dc3589c3c 100755
--- a/test/network/net_defaultgw3.exp
+++ b/test/network/net_defaultgw3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp
index a8cf08a86..098eed758 100755
--- a/test/network/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_local.exp b/test/network/net_local.exp
index b724ce5d4..d5d4170e8 100755
--- a/test/network/net_local.exp
+++ b/test/network/net_local.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp
index d2aa19503..e067f604f 100755
--- a/test/network/net_mac.exp
+++ b/test/network/net_mac.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp
index 334eb448e..1f67f059e 100755
--- a/test/network/net_macvlan2.exp
+++ b/test/network/net_macvlan2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp
index 9436f5cc5..439e05334 100755
--- a/test/network/net_mtu.exp
+++ b/test/network/net_mtu.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp
index 52fd3bf11..8a949c22b 100755
--- a/test/network/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Installing network filter"
+        "Installing firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -51,7 +51,7 @@ sleep 1
 send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Installing network filter"
+        "Installing firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
@@ -71,7 +71,7 @@ sleep 1
 send -- "firejail --debug --net=br0 --ip=10.10.20.5 --profile=netfilter.profile\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Installing network filter"
+        "Installing firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 7.1\n";exit}
diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp
index 9a73f618a..53b719f6c 100755
--- a/test/network/net_noip.exp
+++ b/test/network/net_noip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -18,6 +18,9 @@ sleep 1
 send -- "bash\r"
 sleep 1
 
+send -- "stty -echo\r"
+after 100
+
 # no default gateway configured
 send -- "netstat -rn;echo done\r"
 expect {
@@ -36,6 +39,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
+        "10.10.20" {puts "TESTING ERROR 7\n";exit}
         "done"
 }
 send -- "exit\r"
diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp
index c01f2e4f4..aa74d6ba8 100755
--- a/test/network/net_noip2.exp
+++ b/test/network/net_noip2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -17,6 +17,8 @@ expect {
 sleep 1
 send -- "bash\r"
 sleep 1
+send -- "stty -echo\r"
+after 100
 
 # no default gateway configured
 send -- "netstat -rn;echo done\r"
@@ -36,6 +38,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
+        "10.10.30" {puts "TESTING ERROR 7\n";exit}
         "done"
 }
 send -- "exit\r"
diff --git a/test/network/net_none.exp b/test/network/net_none.exp
index 0d3701f22..c8787c342 100755
--- a/test/network/net_none.exp
+++ b/test/network/net_none.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -19,6 +19,9 @@ sleep 1
 # test default gw
 send -- "bash\r"
 sleep 1
+send -- "stty -echo\r"
+after 100
+
 send -- "netstat -rn; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp
index 801fc4dfa..e7c6530df 100755
--- a/test/network/net_profile.exp
+++ b/test/network/net_profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp
index 84893cf9c..b9260925a 100755
--- a/test/network/net_scan.exp
+++ b/test/network/net_scan.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/net_unconfigured.exp b/test/network/net_unconfigured.exp
new file mode 100755
index 000000000..d2b60d73c
--- /dev/null
+++ b/test/network/net_unconfigured.exp
@@ -0,0 +1,244 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check ip address
+send -- "firejail --noprofile --net=br-unconfigured --ip=none\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "eth0" {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "bash\r"
+sleep 1
+
+send -- "stty -echo\r"
+after 100
+
+# no default gateway configured
+send -- "netstat -rn;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
+        "eth0" {puts "TESTING ERROR 4\n";exit}
+        "done"
+}
+sleep 1
+
+# eth0 configured
+send -- "/sbin/ifconfig;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "done"
+}
+send -- "exit\r"
+after 100
+send -- "exit\r"
+after 100
+
+
+
+# check ip address
+send -- "firejail --noprofile --net=br-unconfigured\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "eth0" {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "bash\r"
+sleep 1
+
+send -- "stty -echo\r"
+after 100
+
+# no default gateway configured
+send -- "netstat -rn;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "0.0.0.0" {puts "TESTING ERROR 10\n";exit}
+        "eth0" {puts "TESTING ERROR 11\n";exit}
+        "done"
+}
+sleep 1
+
+# eth0 configured
+send -- "/sbin/ifconfig;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "done"
+}
+send -- "exit\r"
+after 100
+send -- "exit\r"
+after 100
+
+
+# check ip address
+send -- "firejail --noprofile --net=br-unconfigured --defaultgw=10.10.80.1\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "eth0" {puts "TESTING ERROR 15\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "bash\r"
+sleep 1
+
+send -- "stty -echo\r"
+after 100
+
+# no default gateway configured
+send -- "netstat -rn;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "0.0.0.0" {puts "TESTING ERROR 17\n";exit}
+        "eth0" {puts "TESTING ERROR 18\n";exit}
+        "done"
+}
+sleep 1
+
+# eth0 configured
+send -- "/sbin/ifconfig;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "done"
+}
+send -- "exit\r"
+after 100
+send -- "exit\r"
+after 100
+
+
+# check ip address
+send -- "firejail --noprofile --net=br-unconfigured --ip=10.10.80.1 --defaultgw=10.10.80.1\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "eth0" {puts "TESTING ERROR 22\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "bash\r"
+sleep 1
+
+send -- "stty -echo\r"
+after 100
+
+# no default gateway configured
+send -- "netstat -rn;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "0.0.0.0" {puts "TESTING ERROR 24\n";exit}
+        "eth0" {puts "TESTING ERROR 25\n";exit}
+        "done"
+}
+sleep 1
+
+# eth0 configured
+send -- "/sbin/ifconfig;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "done"
+}
+send -- "exit\r"
+after 100
+send -- "exit\r"
+after 100
+
+
+# check ip address
+send -- "firejail --noprofile --net=br-unconfigured --ip=10.10.80.1 --netmask=255.255.255.0 --defaultgw=10.10.80.1\r"
+expect {
+        timeout {puts "TESTING ERROR 28\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 29\n";exit}
+        "10.10.80.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "bash\r"
+sleep 1
+
+send -- "stty -echo\r"
+after 100
+
+# no default gateway configured
+send -- "netstat -rn;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "0.0.0.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 32\n";exit}
+        "10.10.80.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 34\n";exit}
+        "10.10.80.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 35\n";exit}
+        "0.0.0.0"
+}
+expect {
+        timeout {puts "TESTING ERROR 36\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 37\n";exit}
+        "done"
+}
+sleep 1
+
+# eth0 configured
+send -- "/sbin/ifconfig;echo done\r"
+expect {
+        timeout {puts "TESTING ERROR 38\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 39\n";exit}
+        "10.10.80.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 40\n";exit}
+        "done"
+}
+send -- "exit\r"
+after 100
+send -- "exit\r"
+after 100
+
+
+puts "all done\n"
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp
index 62e41fcfc..cd4e64e24 100755
--- a/test/network/net_veth.exp
+++ b/test/network/net_veth.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/netfilter-template.exp b/test/network/netfilter-template.exp
new file mode 100755
index 000000000..dadea1430
--- /dev/null
+++ b/test/network/netfilter-template.exp
@@ -0,0 +1,67 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "invalid network filter file"
+}
+sleep 1
+
+send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5555 ./tcpserver 5555\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --netfilter.print=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "Chain INPUT"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "Chain FORWARD"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3\n";exit}
+        "Chain OUTPUT"
+}
+sleep 1
+
+send -- "telnet 10.10.30.10 5555\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Connected to 10.10.30.10"
+}
+sleep 1
+
+send "sdfklsjadfl;ksadjfl;sdkfj\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "response"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Connection closed"
+}
+sleep 1
+
+send -- "telnet 10.10.30.10 5556\r"
+expect {
+        timeout {puts "OK\n"}
+        "Connected to 10.10.30.10" {puts "TESTING ERROR 6\n";exit}
+        "dikasdfjasdjf"
+}
+
+after 100
+puts "all done\n"
diff --git a/test/network/netns.exp b/test/network/netns.exp
index 9475cf958..9ef4ed554 100755
--- a/test/network/netns.exp
+++ b/test/network/netns.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
index e9ca4e027..e15e2f42d 100755
--- a/test/network/netstats.exp
+++ b/test/network/netstats.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/network/network.sh b/test/network/network.sh
index 739644c8e..9f2b9e1cd 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -1,13 +1,23 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 sudo ./configure
 
+echo "TESTING: unconfigured network (net_unconfigured.exp)"
+./net_unconfigured.exp
+
+echo "TESTING: netfilter template (netfilter-template.exp)"
+rm -f ./tcpserver
+gcc -o tcpserver tcpserver.c
+./netfilter-template.exp
+rm ./tcpserver
+
 echo "TESTING: firemon interface (firemon-interfaces.exp)"
 sudo ./firemon-interfaces.exp
 
diff --git a/test/network/tcpserver.c b/test/network/tcpserver.c
new file mode 100644
index 000000000..72730b674
--- /dev/null
+++ b/test/network/tcpserver.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <string.h>
+
+
+int main(int argc, char **argv) {
+        int fd, newfd, client_len;
+        struct sockaddr_in serv_addr, client_addr;
+        int n, pid;
+
+        if (argc < 2) {
+                printf("Usage: ./server port-number\n");
+                return 1;
+        }
+        int portno = atoi(argv[1]);
+
+        // init socket
+        fd = socket(AF_INET, SOCK_STREAM, 0);
+        if (fd < 0) {
+                perror("ERROR opening socket");
+                return 1;
+        }
+
+        // Initialize socket structure
+        memset(&serv_addr, 0, sizeof(serv_addr));
+
+        serv_addr.sin_family = AF_INET;
+        serv_addr.sin_addr.s_addr = INADDR_ANY;
+        serv_addr.sin_port = htons(portno);
+
+        // bind
+        if (bind(fd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
+                perror("bind");
+                return 1;
+        }
+
+        // listen - 5 pending conncections
+        if (listen(fd, 5) < 0) {
+                perror("listen");
+                return 1;
+        }
+        client_len = sizeof(client_addr);
+
+        while (1) {
+                newfd = accept(fd, (struct sockaddr *) &client_addr, &client_len);
+
+                if (newfd < 0) {
+                        perror("accept");
+                        return 1;
+                }
+
+                /* Create child process */
+                pid = fork();
+
+                if (pid < 0) {
+                        perror("fork");
+                        return 1;
+                }
+
+                if (pid == 0) {
+                        // child
+                        close(fd);
+#define MAXBUF 4096
+                        char buf[MAXBUF];
+                        memset(buf, 0, MAXBUF);
+
+                        int rcv = read(newfd, buf, MAXBUF - 1);
+                        if (rcv < 0) {
+                                perror("read");
+                                exit(1);
+                        }
+
+                        int sent = write(newfd, "response\n", 9);
+                        if (sent < 9) {
+                                perror("write");
+                                return 1;
+                        }
+
+                        exit(0);
+                }
+                else
+                        close(newfd);
+        }
+
+        return 0;
+}
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp
index a9aeac9ae..1790381e3 100755
--- a/test/network/veth-name.exp
+++ b/test/network/veth-name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/option_chroot_overlay.exp b/test/option_chroot_overlay.exp
deleted file mode 100755
index 08ffb1b43..000000000
--- a/test/option_chroot_overlay.exp
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send --  "firejail --chroot=/tmp/chroot --overlay\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "mutually exclusive" {puts "normal system\n"}
-        "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit}
-}
-sleep 1
-
-send --  "firejail --overlay --chroot=/tmp/chroot\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "mutually exclusive"
-}
-sleep 1
-
-puts "\n"
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp
index efbe0e4d7..ecb9288b0 100755
--- a/test/overlay/firefox-x11-xorg.exp
+++ b/test/overlay/firefox-x11-xorg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp
index f8b0740af..5b7b1bec3 100755
--- a/test/overlay/firefox-x11.exp
+++ b/test/overlay/firefox-x11.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp
index 1e719f86d..25c6e5e07 100755
--- a/test/overlay/firefox.exp
+++ b/test/overlay/firefox.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp
index 2519a8ede..df1dfc244 100755
--- a/test/overlay/fs-named.exp
+++ b/test/overlay/fs-named.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -12,6 +15,8 @@ expect {
         "Child process initialized" {puts "found\n"}
 }
 sleep 1
+send -- "stty -echo\r"
+after 100
 
 send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
 expect {
@@ -51,6 +56,8 @@ expect {
 }
 sleep 1
 
+send -- "stty -echo\r"
+after 100
 send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
diff --git a/test/overlay/fs-tmpfs.exp b/test/overlay/fs-tmpfs.exp
index 7c1b5d1df..5bd2b25fc 100755
--- a/test/overlay/fs-tmpfs.exp
+++ b/test/overlay/fs-tmpfs.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -21,6 +24,8 @@ expect {
         "Child process initialized" {puts "found\n"}
 }
 sleep 1
+send -- "stty -echo\r"
+after 100
 
 send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
 expect {
@@ -29,6 +34,8 @@ expect {
 }
 after 100
 
+send -- "stty -echo\r"
+after 100
 send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -43,6 +50,8 @@ after 100
 send -- "exit\r"
 sleep 1
 
+send -- "stty -echo\r"
+after 100
 send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp
index f8478e78b..3314e849d 100755
--- a/test/overlay/fs.exp
+++ b/test/overlay/fs.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -13,6 +16,8 @@ expect {
 }
 sleep 1
 
+send -- "stty -echo\r"
+after 100
 send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -20,6 +25,8 @@ expect {
 }
 after 100
 
+send -- "stty -echo\r"
+after 100
 send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -34,6 +41,8 @@ after 100
 send -- "exit\r"
 sleep 2
 
+send -- "stty -echo\r"
+after 100
 send -- "cat  ~/_firejail_test_file; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh
index 94ad6a3cd..f1daba935 100755
--- a/test/overlay/overlay.sh
+++ b/test/overlay/overlay.sh
@@ -1,10 +1,11 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 echo "TESTING: overlay fs (test/overlay/fs.exp)"
 rm -fr ~/_firejail_test_*
@@ -21,7 +22,7 @@ rm -fr ~/_firejail_test_*
 ./fs-tmpfs.exp
 rm -fr ~/_firejail_test_*
 
-which firefox
+which firefox 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: overlay firefox"
@@ -30,7 +31,7 @@ else
         echo "TESTING SKIP: firefox not found"
 fi
 
-which firefox
+which firefox 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: overlay firefox x11 xorg"
@@ -41,13 +42,13 @@ fi
 
 
 # check xpra/xephyr
-which xpra
+which xpra 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "xpra found"
 else
         echo "xpra not found"
-        which Xephyr
+        which Xephyr 2>/dev/null
         if [ "$?" -eq 0 ];
         then
                 echo "Xephyr found"
@@ -57,7 +58,7 @@ else
         fi
 fi
 
-which firefox
+which firefox 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: overlay firefox x11"
diff --git a/test/private-keep.profile b/test/private-keep.profile
deleted file mode 100644
index a968c4ce2..000000000
--- a/test/private-keep.profile
+++ /dev/null
@@ -1 +0,0 @@
-private-home .mozilla,.config/firejail
diff --git a/test/private-lib/atril.exp b/test/private-lib/atril.exp
new file mode 100755
index 000000000..679799f02
--- /dev/null
+++ b/test/private-lib/atril.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail atril\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/atril.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "atril"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail atril"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail atril"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/dig.exp b/test/private-lib/dig.exp
new file mode 100755
index 000000000..39f3f6d49
--- /dev/null
+++ b/test/private-lib/dig.exp
@@ -0,0 +1,17 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail dig 1.1.1.1\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Query time"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp
new file mode 100755
index 000000000..ac6ecfff7
--- /dev/null
+++ b/test/private-lib/eog.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail eog\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/eog.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "eog"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail eog"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail eog"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp
new file mode 100755
index 000000000..47e749712
--- /dev/null
+++ b/test/private-lib/eom.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail eom\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/eom.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "eom"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail eom"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail eom"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/apps/evince.exp b/test/private-lib/evince.exp
index 5eada5fdf..1e270a2ef 100755
--- a/test/apps/evince.exp
+++ b/test/private-lib/evince.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/private-lib/galculator.exp b/test/private-lib/galculator.exp
new file mode 100755
index 000000000..68ff9f834
--- /dev/null
+++ b/test/private-lib/galculator.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail galculator\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/galculator.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "galculator"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail galculator"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail galculator"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/gedit.exp b/test/private-lib/gedit.exp
new file mode 100755
index 000000000..67be5c215
--- /dev/null
+++ b/test/private-lib/gedit.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail /usr/bin/gedit\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gedit.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gedit"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail /usr/bin/gedit"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail /usr/bin/gedit"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/gnome-calculator.exp b/test/private-lib/gnome-calculator.exp
new file mode 100755
index 000000000..67712bd67
--- /dev/null
+++ b/test/private-lib/gnome-calculator.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# gnome-calculator uses quiet at the top of the profile
+# we need to use --ignore
+send -- "firejail --ignore=quiet gnome-calculator\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gnome-calculator.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gnome-calculator"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail --ignore=quiet gnome-calculator"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail --ignore=quiet gnome-calculator"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/gnome-logs.exp b/test/private-lib/gnome-logs.exp
new file mode 100755
index 000000000..f671effe4
--- /dev/null
+++ b/test/private-lib/gnome-logs.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gnome-logs\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gnome-logs.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gnome-logs"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail gnome-logs"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail gnome-logs"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/gnome-nettool.exp b/test/private-lib/gnome-nettool.exp
new file mode 100755
index 000000000..a68084776
--- /dev/null
+++ b/test/private-lib/gnome-nettool.exp
@@ -0,0 +1,84 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gnome-nettool\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gnome-nettool.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gnome-nettool"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+#seccomp is not configured
+#send -- "firemon --seccomp\r"
+#expect {
+#       timeout {puts "TESTING ERROR 5\n";exit}
+#       "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+#       ":firejail gnome-nettool"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+#       "Seccomp:       2"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 5.1\n";exit}
+#       "name=blablabla"
+#}
+#after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail gnome-nettool"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000002000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/gnome-system-log.exp b/test/private-lib/gnome-system-log.exp
new file mode 100755
index 000000000..c3b1f2377
--- /dev/null
+++ b/test/private-lib/gnome-system-log.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gnome-system-log\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gnome-system-log.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gnome-system-log"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail gnome-system-log"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail gnome-system-log"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/gpicview.exp b/test/private-lib/gpicview.exp
new file mode 100755
index 000000000..b438c6de3
--- /dev/null
+++ b/test/private-lib/gpicview.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gpicview\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/gpicview.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "gpicview"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail gpicview"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail gpicview"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/leafpad.exp b/test/private-lib/leafpad.exp
new file mode 100755
index 000000000..fbe8e284c
--- /dev/null
+++ b/test/private-lib/leafpad.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail leafpad\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/leafpad.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "leafpad"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/mousepad.exp b/test/private-lib/mousepad.exp
new file mode 100755
index 000000000..f47dfe464
--- /dev/null
+++ b/test/private-lib/mousepad.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail mousepad\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/mousepad.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "mousepad"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail mousepad"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail mousepad"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/pavucontrol.exp b/test/private-lib/pavucontrol.exp
new file mode 100755
index 000000000..7b8883ade
--- /dev/null
+++ b/test/private-lib/pavucontrol.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail pavucontrol\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/pavucontrol.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "pavucontrol"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail pavucontrol"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail pavucontrol"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/pluma.exp b/test/private-lib/pluma.exp
new file mode 100755
index 000000000..99d4299fb
--- /dev/null
+++ b/test/private-lib/pluma.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail pluma\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/pluma.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "pluma"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail pluma"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail pluma"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh
new file mode 100755
index 000000000..a70c3fad6
--- /dev/null
+++ b/test/private-lib/private-lib.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3g
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
+
+
+for app in $LIST; do
+        which $app 2>/dev/null
+        if [ "$?" -eq 0 ];
+        then
+                echo "TESTING: private-lib $app"
+                ./$app.exp
+        else
+                echo "TESTING SKIP: $app not found"
+        fi
+done
diff --git a/test/apps/transmission-gtk.exp b/test/private-lib/transmission-gtk.exp
index 4df1f7892..3c5402c81 100755
--- a/test/apps/transmission-gtk.exp
+++ b/test/private-lib/transmission-gtk.exp
@@ -1,18 +1,22 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail transmission-gtk\r"
+send -- "firejail --ignore=quiet transmission-gtk\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/transmission-gtk.profile"
+}
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "Child process initialized"
 }
-sleep 5
+sleep 3
 
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -33,6 +37,7 @@ expect {
         "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
         "cannot open" {puts "grsecurity not present\n"}
 }
+
 send -- "firejail --name=blablabla\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
@@ -45,7 +50,7 @@ send -- "firemon --seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-        ":firejail transmission-gtk"
+        ":firejail --ignore=quiet transmission-gtk"
 }
 expect {
         timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -59,11 +64,11 @@ after 100
 send -- "firemon --caps\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail transmission-gtk"
+        ":firejail --ignore=quiet transmission-gtk"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
-        "CapBnd"
+        "CapBnd:"
 }
 expect {
         timeout {puts "TESTING ERROR 6.2\n";exit}
diff --git a/test/private-lib/whois.exp b/test/private-lib/whois.exp
new file mode 100755
index 000000000..83dc54c76
--- /dev/null
+++ b/test/private-lib/whois.exp
@@ -0,0 +1,17 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail whois debian.org\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Domain Name"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/private-lib/xcalc.exp b/test/private-lib/xcalc.exp
new file mode 100755
index 000000000..7cd74d3bd
--- /dev/null
+++ b/test/private-lib/xcalc.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail xcalc\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/xcalc.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xcalc"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail xcalc"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail xcalc"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/private.profile b/test/private.profile
deleted file mode 100644
index 1b947b6f7..000000000
--- a/test/private.profile
+++ /dev/null
@@ -1 +0,0 @@
-private ./dirprivate
diff --git a/test/private_dir.exp b/test/private_dir.exp
deleted file mode 100755
index a4beeba27..000000000
--- a/test/private_dir.exp
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# testing private
-send -- "firejail --private=./dirprivate\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "bashrc"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.2\n";exit}
-        "home"
-}
-send -- "ls -al;pwd\r"
-expect {
-        timeout {
-                # OpenSUSE doesn't use .Xauthority from user home directory
-                send -- "env | grep XAUTHORITY\r"
-
-                expect {
-                        timeout {puts "TESTING ERROR 0.3\n";exit}
-                        "/run/lightdm/netblue/xauthority"
-                }
-        }
-        ".Xauthority"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.4\n";exit}
-        [lindex $argv 0]
-}
-
-send -- "ls -al | wc -l;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "6" {puts "normal system\n";}
-        "5" {puts "OpenSUSE\n";}
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
-}
-
-puts "\n"
diff --git a/test/private_dir_profile.exp b/test/private_dir_profile.exp
deleted file mode 100755
index 7ba18aa69..000000000
--- a/test/private_dir_profile.exp
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# testing private
-send -- "firejail --profile=private.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "bashrc"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.2\n";exit}
-        "home"
-}
-send -- "ls -al;pwd\r"
-expect {
-        timeout {
-                # OpenSUSE doesn't use .Xauthority from user home directory
-                send -- "env | grep XAUTHORITY\r"
-
-                expect {
-                        timeout {puts "TESTING ERROR 0.3\n";exit}
-                        "/run/lightdm/netblue/xauthority"
-                }
-        }
-        ".Xauthority"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.4\n";exit}
-        [lindex $argv 0]
-}
-
-send -- "ls -al | wc -l;pwd\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "6" {puts "normal system\n";}
-        "5" {puts "OpenSUSE\n";}
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "home"
-}
-
-puts "\nall done\n"
diff --git a/test/profiles/comment.profile b/test/profiles/comment.profile
new file mode 100644
index 000000000..4a907a408
--- /dev/null
+++ b/test/profiles/comment.profile
@@ -0,0 +1,3 @@
+# this is a comment
+net none # this is another comment
+private # some other comment
diff --git a/test/profiles/cond1.profile b/test/profiles/cond1.profile
new file mode 100644
index 000000000..207914d66
--- /dev/null
+++ b/test/profiles/cond1.profile
@@ -0,0 +1 @@
+?HAS_NODBUS: private
diff --git a/test/profiles/cond2.profile b/test/profiles/cond2.profile
new file mode 100644
index 000000000..078efe161
--- /dev/null
+++ b/test/profiles/cond2.profile
@@ -0,0 +1 @@
+?HAS_NODBUSprivate
diff --git a/test/profiles/cond3.profile b/test/profiles/cond3.profile
new file mode 100644
index 000000000..7cc9ac1e0
--- /dev/null
+++ b/test/profiles/cond3.profile
@@ -0,0 +1 @@
+?HAS_NODBUS
diff --git a/test/profiles/conditional.exp b/test/profiles/conditional.exp
new file mode 100755
index 000000000..b06b983c1
--- /dev/null
+++ b/test/profiles/conditional.exp
@@ -0,0 +1,47 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug --nodbus --profile=cond1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "conditional HAS_NODBUS, private"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --debug --profile=cond1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "conditional HAS_NODBUS, private" {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=cond2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "invalid conditional syntax"
+}
+after 100
+
+send -- "firejail --profile=cond3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "invalid conditional syntax"
+}
+after 100
+
+puts "\nall done\n"
diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp
index cdb38e97b..e7f210a46 100755
--- a/test/profiles/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -19,7 +19,7 @@ expect {
         BLACKLIST {puts "TESTING ERROR 2\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
 send -- "exit\r"
 sleep 1
 
@@ -28,23 +28,58 @@ expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "Child process initialized"
 }
-sleep 1
+after 100
 
 send -- "ps aux | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "5"
 }
+after 100
+send -- "exit\r"
 sleep 1
+
+send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "ps aux | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "5"
+}
+after 100
 send -- "exit\r"
 sleep 1
 
 send -- "firejail --debug --profile=ignore2.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        BLACKLIST {puts "TESTING ERROR 6\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
+        BLACKLIST {puts "TESTING ERROR 8\n";exit}
         "Child process initialized"
 }
 
 after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "ps aux | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "5"
+}
+after 100
+send -- "exit\r"
+after 100
+
 puts "\nall done\n"
diff --git a/test/profiles/ignore2.profile b/test/profiles/ignore2.profile
index 49fcd8324..c85cd9544 100644
--- a/test/profiles/ignore2.profile
+++ b/test/profiles/ignore2.profile
@@ -1,3 +1,5 @@
 ignore seccomp
+ignore shell
 private
 seccomp
+shell none
diff --git a/test/profiles/ignore3.profile b/test/profiles/ignore3.profile
new file mode 100644
index 000000000..f0c9699e1
--- /dev/null
+++ b/test/profiles/ignore3.profile
@@ -0,0 +1,4 @@
+quiet
+private
+seccomp
+shell none
diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp
new file mode 100755
index 000000000..240a44697
--- /dev/null
+++ b/test/profiles/profile_appname.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=firefox\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/firefox.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile /etc/firejail/firefox-common.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "shell=none configured, but no program specified"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/profiles/profile_comment.exp b/test/profiles/profile_comment.exp
new file mode 100755
index 000000000..a2be510c1
--- /dev/null
+++ b/test/profiles/profile_comment.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm -fr /tmp/firejailtest*\r"
+send -- "rm -fr /tmp/firejail-strace*\r"
+send -- "rm -fr /tmp/firejail-trace*\r"
+sleep 1
+
+send -- "firejail --profile=comment.profile /usr/bin/true\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Parent is shutting down"
+}
+sleep 2
+
+send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r"
+sleep 1
+
+send -- "cat /tmp/firejailtest.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "seccomp"
+}
+after 100
+
+send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+after 100
+
+send -- "rm -fr /tmp/firejailtest*\r"
+send -- "rm -fr /tmp/firejail-strace*\r"
+send -- "rm -fr /tmp/firejail-trace*\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/profiles/profile_followlnk.exp b/test/profiles/profile_followlnk.exp
index eb3d04852..0500eac35 100755
--- a/test/profiles/profile_followlnk.exp
+++ b/test/profiles/profile_followlnk.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp
index b3b031cb2..609364389 100755
--- a/test/profiles/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -7,7 +10,7 @@ match_max 100000
 send -- "firejail --profile=/etc/shadow\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "cannot access profile"
+        "inaccessible profile file"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/profiles/profile_readonly.exp b/test/profiles/profile_readonly.exp
index c1c9544a6..2046cc297 100755
--- a/test/profiles/profile_readonly.exp
+++ b/test/profiles/profile_readonly.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp
new file mode 100755
index 000000000..c761a1039
--- /dev/null
+++ b/test/profiles/profile_recursivity.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=test3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile test3.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile test3.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "maximum profile include level was reached"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp
index 74b0d5a53..a2cccb0d4 100755
--- a/test/profiles/profile_syntax.exp
+++ b/test/profiles/profile_syntax.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -22,7 +22,7 @@ expect {
 }
 
 sleep 1
-send -- "ls -l /etc/shadow\r"
+send -- "ls -l /dev/console\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "root root"
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 5726c0408..e2ec20ca5 100755
--- a/test/profiles/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -1,13 +1,13 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --debug --profile=test2.profile\r"
+send -- "firejail --profile=test2.profile\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Reading profile test2.profile"
@@ -18,33 +18,8 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "Mounting a new /home directory"
+        "cannot access profile file"
 }
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Disable /bin/rmdir" {puts "Most Linux platforms\n"}
-        "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"}
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Drop CAP_SYS_MODULE"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "SECCOMP Filter"
-}
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "BLACKLIST"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
-}
-send -- "exit\r"
+
 after 100
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index 3be10bedd..cbc6fa4d9 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -1,18 +1,23 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
-        echo "TESTING: $PROFILE"
-        ./test-profile.exp $PROFILE
-done
+echo "TESTING: profile comments (test/profiles/profilecomment.exp)"
+./profile_comment.exp
+
+echo "TESTING: profile conditional (test/profiles/conditional.exp)"
+./conditional.exp
+
+echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)"
+./profile_recursivity.exp
+
+echo "TESTING: profile application name (test/profiles/profile_appname.exp)"
+./profile_appname.exp
 
 echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
 ./profile_syntax.exp
@@ -32,3 +37,18 @@ echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
 echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
 ./profile_noperm.exp
 
+# GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles.
+UID=`id -u`
+if [ -d "/run/user/$UID" ]; then
+        PROFILES=`ls /etc/firejail/*.profile`
+        echo "TESTING: default profiles installed in /etc"
+else
+        PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
+        echo "TESTING: small number of default profiles installed in /etc"
+fi
+
+for PROFILE in $PROFILES
+do
+        echo "TESTING: $PROFILE"
+        ./test-profile.exp $PROFILE
+done
diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp
index 63fb3a150..625cb6511 100755
--- a/test/profiles/test-profile.exp
+++ b/test/profiles/test-profile.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -13,10 +13,13 @@ if { $argc != 1 } {
         exit
 }
 
+send -- "stty -echo\r"
+after 100
 send -- "firejail --profile=$argv echo done\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "done"
+        "done" {puts "all fine"}
+        "no suitable echo executable found" {puts "echo not found"}
 }
-after 100
+#after 100
 puts "\n"
diff --git a/test/profiles/test.profile b/test/profiles/test.profile
index 1d69cc960..27cb99606 100644
--- a/test/profiles/test.profile
+++ b/test/profiles/test.profile
@@ -1,5 +1,5 @@
-   blacklist /sbin/iptables
-blacklist                /etc/shadow
-        blacklist               /bin/rmdir
+blacklist /sbin/iptables
+blacklist /dev/console
+blacklist /bin/rmdir
 blacklist ${PATH}/umount
 blacklist ${PATH}/mount
diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile
index e219d800d..9fbd5219a 100644
--- a/test/profiles/test2.profile
+++ b/test/profiles/test2.profile
@@ -1,4 +1,6 @@
-caps    
+caps
 seccomp
   private
   include test.profile
+  include test.local
+  include test25.profile
diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile
new file mode 100644
index 000000000..5a70bd829
--- /dev/null
+++ b/test/profiles/test3.profile
@@ -0,0 +1 @@
+include test3.profile
diff --git a/test/root/apache2.exp b/test/root/apache2.exp
index 0b102bad5..0b4b65dc7 100755
--- a/test/root/apache2.exp
+++ b/test/root/apache2.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 5
 spawn $env(SHELL)
@@ -16,18 +19,18 @@ spawn $env(SHELL)
 send -- "firejail --tree\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "root:/usr/sbin/apache2"
+        "root:apache:firejail --name=apache /etc/init.d/apache2"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "www-data:/usr/sbin/apache2"
+        "www-data::/usr/sbin/apache2"
 }
 sleep 2
 
 
 send -- "rm index.html\r"
 sleep 1
-send -- "wget 0\r"
+send -- "wget 127.0.0.1\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "saved"
diff --git a/test/root/cgroup.exp b/test/root/cgroup.exp
index 4b07183a1..d24a39d07 100755
--- a/test/root/cgroup.exp
+++ b/test/root/cgroup.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/checkcfg.exp b/test/root/checkcfg.exp
index e17e9cda2..9a4c666e1 100755
--- a/test/root/checkcfg.exp
+++ b/test/root/checkcfg.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -107,6 +107,8 @@ send --  "echo \"xvfb-screen 800x600x24\" >> /etc/firejail/firejail.config\r"
 after 100
 send --  "echo \"xvfb-extra-params blablabla\" >> /etc/firejail/firejail.config\r"
 sleep 1
+send -- "stty -echo\r"
+after 100
 send --  "firejail --noprofile echo done\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp
index 8210496bb..65ecefe5d 100755
--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -1,22 +1,24 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firecfg\r"
+send -- "firecfg --debug\r"
 sleep 1
 
-send --  "firecfg --clean\r"
+send --  "firecfg --debug --clean\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "/usr/local/bin/firefox removed"
+        "less removed"
 }
 sleep 1
 
+send -- "stty -echo\r"
+after 100
 send -- "file /usr/local/bin/firefox; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -25,14 +27,14 @@ expect {
 }
 sleep 1
 
-send --  "firecfg\r"
+send --  "firecfg --debug\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "firefox created"
+        "less created"
 }
 sleep 1
 
-send -- "file /usr/local/bin/firefox\r"
+send -- "file /usr/local/bin/less\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "symbolic link to /usr/bin/firejail"
@@ -42,7 +44,7 @@ sleep 1
 send -- "firecfg --list\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "/usr/local/bin/firefox"
+        "/usr/local/bin/less"
 }
 sleep 1
 
diff --git a/test/root/firemon-events.exp b/test/root/firemon-events.exp
index 8f6dd583b..7bf51e2c8 100755
--- a/test/root/firemon-events.exp
+++ b/test/root/firemon-events.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/root/git.exp b/test/root/git.exp
deleted file mode 100755
index c5ddeee89..000000000
--- a/test/root/git.exp
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-
-
-send -- "firejail --version\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "git install support is disabled" { puts "TESTING: git support not available in current build\n"; exit}
-        "git install support is enabled" { puts "git support available\n"}
-}
-
-set timeout 120
-send -- "firejail --git-install\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Cloning into"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Configuration options"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "src/fseccomp/fseccomp default seccomp"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "Mainline git Firejail version was installed in"
-}
-after 100
-
-send -- "firejail --git-uninstall\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Cloning into"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "Configuration options"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Firejail mainline git version uninstalled from"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/root/isc-dhcp.exp b/test/root/isc-dhcp.exp
index 24243d6bb..4c468c3e8 100755
--- a/test/root/isc-dhcp.exp
+++ b/test/root/isc-dhcp.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 5
 spawn $env(SHELL)
diff --git a/test/root/join.exp b/test/root/join.exp
index c70fff93d..d995d8aa5 100755
--- a/test/root/join.exp
+++ b/test/root/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/login_nobody.exp b/test/root/login_nobody.exp
new file mode 100755
index 000000000..42d8fe013
--- /dev/null
+++ b/test/root/login_nobody.exp
@@ -0,0 +1,35 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send --  "su - nobody -s /usr/bin/firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "cat /proc/self/status | grep Seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "2"
+}
+after 100
+
+send -- "cat /proc/self/status | grep CapBnd\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0000000000000000"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/root/nginx.exp b/test/root/nginx.exp
index 82ebe0ee7..924ee8afd 100755
--- a/test/root/nginx.exp
+++ b/test/root/nginx.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 5
 spawn $env(SHELL)
@@ -16,18 +19,18 @@ spawn $env(SHELL)
 send -- "firejail --tree\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "root:nginx"
+        "root::nginx: master process /usr/sbin/nginx"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "www-data:nginx"
+        "www-data::nginx: worker process"
 }
 sleep 2
 
 
 send -- "rm index.html\r"
 sleep 1
-send -- "wget 0\r"
+send -- "wget 127.0.0.1\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "saved"
diff --git a/test/root/option_bind_directory.exp b/test/root/option_bind_directory.exp
index 2156c7dfa..ac6421593 100755
--- a/test/root/option_bind_directory.exp
+++ b/test/root/option_bind_directory.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/root/option_bind_file.exp b/test/root/option_bind_file.exp
index 107d8bccb..6ead284a8 100755
--- a/test/root/option_bind_file.exp
+++ b/test/root/option_bind_file.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/root/option_tmpfs.exp b/test/root/option_tmpfs.exp
index 3d492dfdb..67a678c68 100755
--- a/test/root/option_tmpfs.exp
+++ b/test/root/option_tmpfs.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
@@ -37,4 +40,3 @@ after 100
 
 
 puts "\nall done\n"
-
diff --git a/test/root/private.exp b/test/root/private.exp
index 479d7afb1..373bd6cef 100755
--- a/test/root/private.exp
+++ b/test/root/private.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -54,6 +54,21 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 
 send -- "touch /srv/firejail-test-file\r"
@@ -77,14 +92,20 @@ expect {
 after 100
 send -- "exit\r"
 sleep 1
+send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "Child process initialized"
+}
+sleep 1
 
-
-
-
-
-
-
-
-
+send -- "find /srv | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
 
 puts "\nall done\n"
diff --git a/test/root/profile_tmpfs.exp b/test/root/profile_tmpfs.exp
index bcb632c20..8a46d666e 100755
--- a/test/root/profile_tmpfs.exp
+++ b/test/root/profile_tmpfs.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/root/root.sh b/test/root/root.sh
index 912ae23f0..d6b60cb23 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -1,8 +1,27 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 # set a new firejail config file
 #cp firejail.config /etc/firejail/firejail.config
 
+export LC_ALL=C
+
+#********************************
+# firecfg
+#********************************
+which less 2>/dev/null
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firecfg (test/root/firecfg.exp)"
+        mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store
+        ./firecfg.exp
+        mv /home/netblue/.local/share/applications-store /home/netblue/.local/share/applications
+else
+        echo "TESTING SKIP: firecfg, less not found"
+fi
+
 #********************************
 # servers
 #********************************
@@ -62,8 +81,8 @@ echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)"
 echo "TESTING: join (test/root/join.exp)"
 ./join.exp
 
-echo "TESTING: git-install (test/root/git.exp)"
-./git.exp
+echo "TESTING: login-nobody (test/root/login_nobody.exp)"
+./login_nobody.exp
 
 #********************************
 # seccomp
@@ -107,17 +126,6 @@ rm -f tmpfile
 echo "TESTING: firemon events (test/root/firemon-events.exp)"
 ./firemon-events.exp
 
-#********************************
-# firecfg
-#********************************
-which firefox
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: firecfg (test/root/firecfg.exp)"
-        ./firecfg.exp
-else
-        echo "TESTING SKIP: firecfg, firefox not found"
-fi
 
 # restore the default config file
 #cp ../../etc/firejail.config /etc/firejail/firejail.config
diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp
index 35c6f69c2..d6f8b8bcc 100755
--- a/test/root/seccomp-chmod.exp
+++ b/test/root/seccomp-chmod.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,6 +14,8 @@ expect {
 }
 sleep 2
 
+send -- "stty -echo\r"
+after 100
 send -- "cd ~; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/root/seccomp-chown.exp b/test/root/seccomp-chown.exp
index 174a35ffe..daf3a5d06 100755
--- a/test/root/seccomp-chown.exp
+++ b/test/root/seccomp-chown.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -14,6 +14,8 @@ expect {
 }
 sleep 2
 
+send -- "stty -echo\r"
+after 100
 send -- "touch testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp
index 90e240e74..0a7310fdd 100755
--- a/test/root/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/root/snmpd.exp b/test/root/snmpd.exp
index 610fdb13a..d1fc49967 100755
--- a/test/root/snmpd.exp
+++ b/test/root/snmpd.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 5
 spawn $env(SHELL)
diff --git a/test/root/unbound.exp b/test/root/unbound.exp
index 9c496306a..710a95bf4 100755
--- a/test/root/unbound.exp
+++ b/test/root/unbound.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 5
 spawn $env(SHELL)
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp
index 1ba711c63..429a4153e 100755
--- a/test/root/whitelist.exp
+++ b/test/root/whitelist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/ssh/login.exp b/test/ssh/login.exp
new file mode 100755
index 000000000..6a5086a77
--- /dev/null
+++ b/test/ssh/login.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "ssh firejail-test@0\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized" {puts "OK\n"}
+        "an existing sandbox was detected" {puts "OK\n"}
+}
+sleep 1
+
+send -- "ps aux | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "5"
+}
+after 100
+
+send -- "ls -l /home | grep drw | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "1"
+}
+after 100
+
+send -- "cat /proc/self/status | grep Seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "2"
+}
+after 100
+
+send -- "cat /proc/self/status | grep CapBnd\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0000000000000000"
+}
+after 100
+
+# preparing scp/sftp tests
+send -- "rm testfile\r"
+
+send -- "exit\r"
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/ssh/scp.exp b/test/ssh/scp.exp
new file mode 100755
index 000000000..bca6a124f
--- /dev/null
+++ b/test/ssh/scp.exp
@@ -0,0 +1,66 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "ssh firejail-test@0\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized" {puts "OK\n"}
+        "an existing sandbox was detected" {puts "OK\n"}
+}
+sleep 1
+
+send -- "rm -f testfile\r"
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "echo 12345 > testfile\r"
+after 100
+send -- "scp testfile firejail-test@0:~/testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "100%"
+}
+sleep 1
+
+
+send -- "ssh firejail-test@0\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized" {puts "OK\n"}
+        "an existing sandbox was detected" {puts "OK\n"}
+}
+sleep 1
+send -- "cat testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "12345"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "rm testfile\r"
+after 100
+send -- "scp firejail-test@0:~/testfile testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "100%"
+}
+sleep 1
+send -- "cat testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "12345"
+}
+after 100
+send -- "rm testfile\r"
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/ssh/sftp.exp b/test/ssh/sftp.exp
new file mode 100755
index 000000000..09d3c119e
--- /dev/null
+++ b/test/ssh/sftp.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "ssh firejail-test@0\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized" {puts "OK\n"}
+        "an existing sandbox was detected" {puts "OK\n"}
+}
+sleep 1
+
+send -- "rm -f testfile\r"
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "echo 12345 > testfile\r"
+after 100
+send -- "sftp firejail-test@0\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Connected to 0"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "sftp>"
+}
+after 100
+send -- "put testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "100%"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "ssh firejail-test@0\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized" {puts "OK\n"}
+        "an existing sandbox was detected" {puts "OK\n"}
+}
+sleep 1
+send -- "cat testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "12345"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "rm testfile\r"
+after 100
+send -- "sftp firejail-test@0\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Connected to 0"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "sftp>"
+}
+after 100
+send -- "get testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "100%"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "cat testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "12345"
+}
+after 100
+send -- "rm testfile\r"
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/ssh/ssh.sh b/test/ssh/ssh.sh
new file mode 100755
index 000000000..bdad8cf87
--- /dev/null
+++ b/test/ssh/ssh.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+echo "TESTING: ssh login (test/ssh/login.exp)"
+./login.exp
+
+echo "TESTING: sftp (test/ssh/sftp.exp)"
+./sftp.exp
+
+echo "TESTING: scp (test/ssh/scp.exp)"
+./scp.exp
diff --git a/test/stress/blacklist.exp b/test/stress/blacklist.exp
index abf6c985f..fae874b25 100755
--- a/test/stress/blacklist.exp
+++ b/test/stress/blacklist.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/stress/env.exp b/test/stress/env.exp
index b327ba498..d69558114 100755
--- a/test/stress/env.exp
+++ b/test/stress/env.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/stress/net_macvlan.exp b/test/stress/net_macvlan.exp
index 33a95b885..a535afa2a 100755
--- a/test/stress/net_macvlan.exp
+++ b/test/stress/net_macvlan.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/stress/stress.sh b/test/stress/stress.sh
index 57a8cae56..d32ffe907 100755
--- a/test/stress/stress.sh
+++ b/test/stress/stress.sh
@@ -1,10 +1,11 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
 
 # blacklist testing
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
index e7e69df45..4230ba375 100755
--- a/test/sysutils/cpio.exp
+++ b/test/sysutils/cpio.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp
index c220ab82e..b97c0c283 100755
--- a/test/sysutils/file.exp
+++ b/test/sysutils/file.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
index b56c27ceb..be2222f06 100755
--- a/test/sysutils/gzip.exp
+++ b/test/sysutils/gzip.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 29781c21a..265b0e474 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,6 +10,7 @@ match_max 100000
 send -- "firejail less sysutils.sh\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
+        "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
         "MALLOC_CHECK"
 }
 expect {
diff --git a/test/sysutils/ping.exp b/test/sysutils/ping.exp
new file mode 100755
index 000000000..fac4b2ac3
--- /dev/null
+++ b/test/sysutils/ping.exp
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "ping -c 3 yahoo.com\r"
+expect {
+        timeout {puts "TESTING SKIP: no internet connection\n";exit}
+        "3 packets transmitted, 3 received"
+}
+after 100
+
+send -- "firejail ping -c 3 yahoo.com\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "3 packets transmitted, 3 received"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
index 0d18b8079..7c91fb78a 100755
--- a/test/sysutils/strings.exp
+++ b/test/sysutils/strings.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
index 859d782c6..96962d324 100755
--- a/test/sysutils/sysutils.sh
+++ b/test/sysutils/sysutils.sh
@@ -1,12 +1,13 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
-which cpio
+which cpio 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: cpio"
@@ -24,7 +25,7 @@ fi
 #       echo "TESTING SKIP: strings not found"
 #fi
 
-which gzip
+which gzip 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: gzip"
@@ -33,7 +34,7 @@ else
         echo "TESTING SKIP: gzip not found"
 fi
 
-which xzdec
+which xzdec 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: xzdec"
@@ -42,7 +43,7 @@ else
         echo "TESTING SKIP: xzdec not found"
 fi
 
-which xz
+which xz 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: xz"
@@ -51,7 +52,7 @@ else
         echo "TESTING SKIP: xz not found"
 fi
 
-which less
+which less 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: less"
@@ -60,7 +61,7 @@ else
         echo "TESTING SKIP: less not found"
 fi
 
-which file
+which file 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: file"
@@ -69,7 +70,7 @@ else
         echo "TESTING SKIP: file not found"
 fi
 
-which tar
+which tar 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: tar"
@@ -77,3 +78,12 @@ then
 else
         echo "TESTING SKIP: tar not found"
 fi
+
+which ping 2>/dev/null
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: ping"
+        ./ping.exp
+else
+        echo "TESTING SKIP: ping not found"
+fi
diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp
index 989f9ada2..60e05f847 100755
--- a/test/sysutils/tar.exp
+++ b/test/sysutils/tar.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp
index 13ae6007b..4c6fcea9d 100755
--- a/test/sysutils/xz.exp
+++ b/test/sysutils/xz.exp
@@ -1,9 +1,9 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
-set timeout 10
+set timeout 60
 spawn $env(SHELL)
 match_max 100000
 
@@ -13,6 +13,9 @@ sleep 1
 send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r"
 sleep 1
 
+send -- "md5sum firejail_t1 firejail_t2; ls -l firejail_t1 firejail_t2\r"
+sleep 1
+
 send -- "diff -s firejail_t1 firejail_t2\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
index 0f3b3ba08..737517d54 100755
--- a/test/sysutils/xzdec.exp
+++ b/test/sysutils/xzdec.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/test.rv b/test/test.rv
deleted file mode 100644
index 98a04fba2..000000000
--- a/test/test.rv
+++ /dev/null
@@ -1,49 +0,0 @@
-# run it as:
-#     ../src/tools/rvtest test.rv 2>/dev/null | grep TESTING
-#
-
-
-# invalid options
-1 firejail -blablabla
-1 firejail --blablabla
-1 firejail --debug --blablabla
-
-# misc options
-0 firejail --help
-0 firejail --list
-
-# network testing
-0 firejail --net=none exit
-1 firejail --ip=none --net=none exit # noip requires at least one network
-0 firejail --net=br0 exit
-1 firejail --net=none --net=br0 exit # --net and --net=none are mutually exclusive
-1 firejail --ip=none exit # noip requires at least one network
-1 firejail --defaultgw=10.10.20.1 # no bridge configured
-0 firejail --net=br0 --ip=10.10.20.6 exit
-1 firejail --net=br0 --ip=192.168.5.6 exit # interface range
-1 firejail --net=br0 --ip=10.10 # bad ip
-1 firejail --net=br0 --ip=asdf   #bad ip
-1 firejail --ip=asdf  # no bridge configured
-0 firejail --net=br0 --defaultgw=10.10.20.1 exit
-1 firejail --net=br0 --defaultgw=10.10.20 exit # invalid ip address
-1 firejail --net=br0 --defaultgw=asdf exit # invalid ip address
-0 firejail --net=br0 --ip=10.10.20.2 --defaultgw=10.10.20.1 exit
-0 firejail --net=br0 --net=br1 --net=br2 --net=br3 exit
-1 firejail --net
-1 firejail --net=
-1 firejail --net=bingo
-1 firejail --net=loopback
-1 firejail --net=lo     #invalid network device
-1 firejail --net=/br0 exit
-1 firejail --net=br0 --net=br1 --net=br2 --net=br3 --net=br4 exit # only 4 networks allowed
-0 firejail --net=eth0 exit
-1 firejail --net=/dev/eth0 exit
-1 firejail --net=br0 --net=br1 --net=/dev/eth0 exit
-0 firejail --net=br0 --net=br0 exit # same device twice
-0 firejail --net=eth0 --net=br2 --net=br3 --net=eth0 exit # same device twice
-0 firejail --net=eth0 --net=br0 exit
-
-# private mode
-0 firejail --private exit
-1 firejail --private=/etc sleep 1
-1 firejail --private=bingo sleep 1
diff --git a/test/test.sh b/test/test.sh
deleted file mode 100755
index 2693cb702..000000000
--- a/test/test.sh
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
-# License GPL v2
-
-./chk_config.exp
-
-./fscheck.sh
-
-echo "TESTING: tty (tty.exp)"
-./tty.exp
-
-sleep 1
-rm -fr dir\ with\ space
-mkdir dir\ with\ space
-echo "TESTING: blacklist (blacklist.exp)"
-./blacklist.exp
-sleep 1
-rm -fr dir\ with\ space
-
-ln -s auto auto2
-ln -s /bin auto3
-ln -s /usr/bin auto4
-echo "TESTING: blacklist directory link (blacklist-link.exp)"
-./blacklist-link.exp
-rm -fr auto2
-rm -fr auto3
-rm -fr auto4
-
-echo "TESTING: chroot overlay (option_chroot_overlay.exp)"
-./option_chroot_overlay.exp
-
-echo "TESTING: chroot as user (fs_chroot.exp)"
-./fs_chroot.exp
-
-echo "TESTING: /sys (fs_sys.exp)"
-./fs_sys.exp
-
-echo "TESTING: readonly (option_readonly.exp)"
-ls -al > tmpreadonly
-./option_readonly.exp
-sleep 5
-rm -f tmpreadonly
-
-
-
-echo "TESTING: private directory (private_dir.exp)"
-rm -fr dirprivate
-mkdir dirprivate
-./private_dir.exp
-rm -fr dirprivate
-
-echo "TESTING: private directory profile (private_dir_profile.exp)"
-rm -fr dirprivate
-mkdir dirprivate
-./private_dir_profile.exp
-rm -fr dirprivate
-
-echo "TESTING: overlayfs (fs_overlay.exp)"
-./fs_overlay.exp
-
-echo "TESTING: login SSH (login_ssh.exp)"
-./login_ssh.exp
-
-echo "TESTING: firemon --arp (firemon-arp.exp)"
-./firemon-arp.exp
-
-echo "TESTING: firemon --route (firemon-route.exp)"
-./firemon-route.exp
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
deleted file mode 100755
index f0c1906a0..000000000
--- a/test/utils/audit.exp
+++ /dev/null
@@ -1,79 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --audit\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Firejail Audit"
-}
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "is running in a PID namespace"
-}
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "container/sandbox firejail"
-}
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "seccomp BPF enabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "all capabilities are disabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "dev directory seems to be fully populated"
-}
-after 100
-
-
-send -- "firejail --audit\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "Firejail Audit"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "is running in a PID namespace"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "container/sandbox firejail"
-}
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "seccomp BPF enabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "all capabilities are disabled"
-}
-expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "dev directory seems to be fully populated"
-}
-after 100
-
-send -- "firejail --audit=blablabla\r"
-expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "cannot find the audit program"
-}
-after 100
-
-send -- "firejail --audit=\r"
-expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "invalid audit program"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/utils/build.exp b/test/utils/build.exp
new file mode 100755
index 000000000..104ac037c
--- /dev/null
+++ b/test/utils/build.exp
@@ -0,0 +1,112 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "echo testing > ~/_firejail-test-file\r"
+after 100
+
+send -- "firejail --build cat ~/_firejail-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "allow $\{HOME\}/_firejail-test-file"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "include whitelist-common.inc"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "include whitelist-usr-share-common.inc"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "include whitelist-var-common.inc"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "caps.drop all"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "ipc-namespace"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "netfilter"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "nonewprivs"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "noroot"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "net none"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "shell none"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "private-bin cat,"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "private-dev"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "private-etc none"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "private-tmp"
+}
+after 100
+
+send -- "rm -f ~/_firejail-test-file\r"
+after 100
+
+send -- "firejail --build cat /etc/passwd\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "private-etc passwd,"
+}
+after 100
+
+send -- "rm firejail-test-file-4388\r"
+after 100
+send -- "firejail --build=firejail-test-file-4388 cat /etc/passwd\r"
+after 100
+send -- "cat firejail-test-file-4388\r"
+expect {
+        timeout {puts "TESTING ERROR 10.1\n";exit}
+        "private-etc passwd,"
+}
+after 100
+
+send -- "firejail --build wget --output-document=~ debian.org\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "protocol"
+}
+expect {
+        timeout {puts "TESTING ERROR 13.1\n";exit}
+        "inet"
+}
+after 100
+
+puts "all done\n"
diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp
index d9d48bd50..6b6090476 100755
--- a/test/utils/caps-print.exp
+++ b/test/utils/caps-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/caps2.profile b/test/utils/caps2.profile
index cb2258c52..e760d4cb5 100644
--- a/test/utils/caps2.profile
+++ b/test/utils/caps2.profile
@@ -1 +1 @@
-caps.keep chown,kill
\ No newline at end of file
+caps.keep chown,kill
diff --git a/test/utils/catchsignal-master.sh b/test/utils/catchsignal-master.sh
index 62a1801cc..28e646ddb 100755
--- a/test/utils/catchsignal-master.sh
+++ b/test/utils/catchsignal-master.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 ./catchsignal.sh &
 ./catchsignal.sh &
diff --git a/test/utils/catchsignal.sh b/test/utils/catchsignal.sh
index 87a1d0adf..f7a501011 100755
--- a/test/utils/catchsignal.sh
+++ b/test/utils/catchsignal.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 _term() {
   echo "Caught Signal"
diff --git a/test/utils/catchsignal2.sh b/test/utils/catchsignal2.sh
index 424350397..9ba939ef4 100755
--- a/test/utils/catchsignal2.sh
+++ b/test/utils/catchsignal2.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 _term() {
   echo "Caught Signal"
diff --git a/test/utils/command.exp b/test/utils/command.exp
new file mode 100755
index 000000000..6cb52a7fa
--- /dev/null
+++ b/test/utils/command.exp
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --quiet --private-etc=passwd,group -c ls -al /etc\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "cron" {puts "TESTING ERROR 2\n";exit}
+        "group"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "passwd"
+}
+
+
+after 100
+puts "\nall done\n"
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp
index f639f7c9f..e7d709cee 100755
--- a/test/utils/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -16,7 +16,11 @@ sleep 1
 send -- "cat /proc/self/status | grep Cpus\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "Cpus_allowed_list:     0"
+        "Cpus"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "_allowed_list: 0"
 }
 after 100
 send -- "exit\r"
@@ -25,7 +29,7 @@ sleep 1
 
 send -- "firejail --name=test --cpu=1\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "Child process initialized"
 }
 sleep 1
@@ -33,8 +37,12 @@ sleep 1
 spawn $env(SHELL)
 send -- "firejail --cpu.print=test\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "Cpus_allowed_list:     1"
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Cpus"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "_allowed_list: 1"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp
index 461231735..b3b732bee 100755
--- a/test/utils/dns-print.exp
+++ b/test/utils/dns-print.exp
@@ -1,13 +1,13 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --dns=1.2.3.4\r"
+send -- "firejail --name=test --dns=1.2.3.4 --dns=::2\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -20,5 +20,9 @@ expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "nameserver 1.2.3.4"
 }
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "nameserver ::2"
+}
 after 100
 puts "\nall done\n"
diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp
index 67bf853fe..837d08271 100755
--- a/test/utils/firemon-caps.exp
+++ b/test/utils/firemon-caps.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp
index 43dfc4107..3976b0c50 100755
--- a/test/utils/firemon-cgroup.exp
+++ b/test/utils/firemon-cgroup.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp
index adc6b3d45..b410c764e 100755
--- a/test/utils/firemon-cpu.exp
+++ b/test/utils/firemon-cpu.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp
index 4c976b42f..0c358d129 100755
--- a/test/utils/firemon-interface.exp
+++ b/test/utils/firemon-interface.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp
index 37bfdd3b0..57729d662 100755
--- a/test/utils/firemon-name.exp
+++ b/test/utils/firemon-name.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp
index 56727a0be..d35027827 100755
--- a/test/utils/firemon-seccomp.exp
+++ b/test/utils/firemon-seccomp.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp
index 94f72e454..8e4e33ec0 100755
--- a/test/utils/firemon-version.exp
+++ b/test/utils/firemon-version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp
index 11b4c9b7e..4b6eac391 100755
--- a/test/utils/fs-print.exp
+++ b/test/utils/fs-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -22,11 +22,12 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "blacklist /dev/kmsg"
+        "blacklist /proc/kmsg"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "blacklist /proc/kmsg"
+        "blacklist /usr/bin/su" {puts "Arch Linux";}
+        "blacklist /bin/su" {puts "Debian"}
 }
 after 100
 puts "\nall done\n"
diff --git a/test/utils/help.exp b/test/utils/help.exp
index 435f8e061..71bb5788c 100755
--- a/test/utils/help.exp
+++ b/test/utils/help.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp
index 716bd2947..d6fcc50d7 100755
--- a/test/utils/join-profile.exp
+++ b/test/utils/join-profile.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/utils/join.exp b/test/utils/join.exp
index d5c421676..25dd31922 100755
--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join2.exp b/test/utils/join2.exp
index 0c1fa6684..dada97158 100755
--- a/test/utils/join2.exp
+++ b/test/utils/join2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join3.exp b/test/utils/join3.exp
index 968aa3008..305000e92 100755
--- a/test/utils/join3.exp
+++ b/test/utils/join3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join4.exp b/test/utils/join4.exp
index 27f52fd56..8c5e91d68 100755
--- a/test/utils/join4.exp
+++ b/test/utils/join4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/join5.exp b/test/utils/join5.exp
new file mode 100755
index 000000000..3d365944d
--- /dev/null
+++ b/test/utils/join5.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --name=test123 --profile=join5.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --join=test123\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
+}
+
+send -- "exit\r"
+after 100
+
+send --  "firejail --protocol.print=test123\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Switching to pid"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "unix"
+}
+
+puts "\nall done\n"
diff --git a/test/utils/join5.profile b/test/utils/join5.profile
new file mode 100644
index 000000000..e9eb37a4f
--- /dev/null
+++ b/test/utils/join5.profile
@@ -0,0 +1,4 @@
+dbus-user filter
+dbus-system none
+seccomp
+protocol unix
diff --git a/test/utils/list.exp b/test/utils/list.exp
index 5b34b4866..d7d39357d 100755
--- a/test/utils/list.exp
+++ b/test/utils/list.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/ls.exp b/test/utils/ls.exp
index ff6867c51..080bfdad2 100755
--- a/test/utils/ls.exp
+++ b/test/utils/ls.exp
@@ -1,4 +1,7 @@
 #!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
 
 set timeout 10
 spawn $env(SHELL)
diff --git a/test/utils/man.exp b/test/utils/man.exp
index 71dc703aa..41f5a2ff8 100755
--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -10,6 +10,7 @@ match_max 100000
 send -- "man firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
+        "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
         "Linux namespaces sandbox program"
 }
 after 100
diff --git a/test/utils/name.exp b/test/utils/name.exp
new file mode 100755
index 000000000..9e5367ba7
--- /dev/null
+++ b/test/utils/name.exp
@@ -0,0 +1,157 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        ":ftest:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        ":ftest-"
+}
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        ":ftest-"
+}
+sleep 1
+puts "all done\n"
diff --git a/test/utils/profile_print.exp b/test/utils/profile_print.exp
new file mode 100755
index 000000000..f8f6708bb
--- /dev/null
+++ b/test/utils/profile_print.exp
@@ -0,0 +1,27 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --name=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --profile.print=ftest\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/etc/firejail/default.profile"
+}
+
+
+after 100
+puts "all done\n"
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp
index 12ad98a41..1ed92ddd6 100755
--- a/test/utils/protocol-print.exp
+++ b/test/utils/protocol-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp
index b3ab5e13c..86f1e9845 100755
--- a/test/utils/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
@@ -18,19 +18,19 @@ spawn $env(SHELL)
 send -- "firejail --seccomp.print=test\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "EXAMINE_SYSCAL"
+        "ld  data.syscall-number"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "delete_module"
+        "jeq delete_module"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "init_module"
+        "jeq init_module"
 }
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "RETURN_ALLOW"
+        "ret ALLOW"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp
index eb87c5d4f..35d2750db 100755
--- a/test/utils/shutdown.exp
+++ b/test/utils/shutdown.exp
@@ -1,9 +1,9 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
-set timeout 10
+set timeout 15
 cd /home
 spawn $env(SHELL)
 match_max 100000
@@ -16,9 +16,11 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
+send -- "stty -echo\r"
+after 100
 send --  "firejail --shutdown=shutdowntesting; echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
         "done"
 }
 sleep 5
@@ -26,20 +28,20 @@ sleep 5
 spawn $env(SHELL)
 send --  "firejail --list;echo done\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "shutdowntesting" {puts "TESTING ERROR 6\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "shutdowntesting" {puts "TESTING ERROR 3\n";exit}
         "done"
 }
 sleep 1
 
 send --  "firejail --shutdown=sutdowntesting\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "cannot find sandbox sutdowntesting"
 }
 after 100
 
-send --  "firejail --shutdown=10\r"
+send --  "firejail --shutdown=1\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "this is not a firejail sandbox"
diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp
index f92c8b2b1..7eb3d516b 100755
--- a/test/utils/shutdown2.exp
+++ b/test/utils/shutdown2.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp
index 4c2c616b2..a543bb9e5 100755
--- a/test/utils/shutdown3.exp
+++ b/test/utils/shutdown3.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp
index 7d3c27164..a9a3978ea 100755
--- a/test/utils/shutdown4.exp
+++ b/test/utils/shutdown4.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/top.exp b/test/utils/top.exp
index 73903d11f..150011bba 100755
--- a/test/utils/top.exp
+++ b/test/utils/top.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index 614580016..3ed09565b 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 30
diff --git a/test/utils/tree.exp b/test/utils/tree.exp
index a64c98bca..ff834bec6 100755
--- a/test/utils/tree.exp
+++ b/test/utils/tree.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index a59a9544f..e3e24bd9a 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -1,13 +1,31 @@
 #!/bin/bash
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
 
-echo "TESTING: audit (test/utils/audit.exp)"
-./audit.exp
+if [ -f /etc/debian_version ]; then
+        libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
+        export PATH="$PATH:$libdir"
+fi
+export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
+
+echo "TESTING: build (test/utils/build.exp)"
+./build.exp
+rm -f ~/_firejail-test-file
+rm -f _firejail-test-file
+
+echo "TESTING: name (test/utils/name.exp)"
+./name.exp
+
+echo "TESTING: command (test/utils/command.exp)"
+./command.exp
+
+echo "TESTING: profile.print (test/utils/profile_print.exp)"
+./profile_print.exp
 
 echo "TESTING: version (test/utils/version.exp)"
 ./version.exp
@@ -15,7 +33,7 @@ echo "TESTING: version (test/utils/version.exp)"
 echo "TESTING: help (test/utils/help.exp)"
 ./help.exp
 
-which man
+which man 2>/dev/null
 if [ "$?" -eq 0 ];
 then
         echo "TESTING: man (test/utils/man.exp)"
@@ -74,9 +92,12 @@ echo "TESTING: join2 (test/utils/join2.exp)"
 echo "TESTING: join3 (test/utils/join3.exp)"
 ./join3.exp
 
-echo "TESTING: join3 (test/utils/join4.exp)"
+echo "TESTING: join4 (test/utils/join4.exp)"
 ./join4.exp
 
+echo "TESTING: join5 (test/utils/join5.exp)"
+./join5.exp
+
 echo "TESTING: join profile (test/utils/join-profile.exp)"
 ./join-profile.exp
 
@@ -91,11 +112,19 @@ echo "TESTING: top (test/utils/top.exp)"
 echo "TESTING: file transfer (test/utils/ls.exp)"
 ./ls.exp
 
-echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
-./firemon-seccomp.exp
+if grep -q "^Seccomp.*0" /proc/self/status; then
+        echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
+        ./firemon-seccomp.exp
+else
+        echo "TESTING SKIP: seccomp already active (test/utils/firemon-seccomp.exp)"
+fi
 
-echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
-./firemon-caps.exp
+if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
+        echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
+        ./firemon-caps.exp
+else
+        echo "TESTING SKIP: other capabilities than expected (test/utils/firemon-caps.exp)"
+fi
 
 echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
 ./firemon-cpu.exp
diff --git a/test/utils/version.exp b/test/utils/version.exp
index 35dfc1c86..be0d152b8 100755
--- a/test/utils/version.exp
+++ b/test/utils/version.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 # This file is part of Firejail project
-# Copyright (C) 2014-2017 Firejail Authors
+# Copyright (C) 2014-2021 Firejail Authors
 # License GPL v2
 
 set timeout 10
diff --git a/video.png b/video.png
deleted file mode 100644
index f9642f466..000000000
--- a/video.png
+++ /dev/null